{"description": "To set the runtime status of the <code>fs.protected_regular</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_regular=2</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>fs.protected_regular = 2</pre>", "rationale": "This parameter is available since Linux Kernel 4.19 and allows prohibiting the opening of\n\"regular\" files that are not owned by the user in world- and group-writable sticky\ndirectories. It avoids writes to an attacker-controlled regular file, for example,\nwhen a program expects to create the regular file itself.", "severity": "medium", "references": {"nist": ["CM-6(a)", "AC-6(1)"], "anssi": ["R14"]}, "control_references": {"anssi": ["R14"]}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "The runtime status of the <code>fs.protected_regular</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl fs.protected_regular</pre>\n<code>2</code>.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_fs_protected_regular.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_fs_protected_regular.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enable Kernel Parameter to Enforce DAC on Regular files", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "fs.protected_regular", "sysctlval": "2", "datatype": "int"}, "backends": {}}}