{"description": "To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<sub idref=\"sysctl_kernel_kptr_restrict_value\" /></pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>kernel.kptr_restrict = <sub idref=\"sysctl_kernel_kptr_restrict_value\" /></pre>", "rationale": "Exposing kernel pointers (through procfs or <tt>seq_printf()</tt>) exposes writable kernel\nstructures, which may contain function pointers. If a write vulnerability\noccurs in the kernel, allowing write access to any of these structures, the kernel can\nbe compromised. This option prevents any program without the CAP_SYSLOG capability\nfrom obtaining the addresses of kernel pointers by replacing them with 0.", "severity": "medium", "references": {"nerc-cip": ["CIP-002-5 R1.1", "CIP-002-5 R1.2", "CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 4.1", "CIP-004-6 4.2", "CIP-004-6 R2.2.3", "CIP-004-6 R2.2.4", "CIP-004-6 R2.3", "CIP-004-6 R4", "CIP-005-6 R1", "CIP-005-6 R1.1", "CIP-005-6 R1.2", "CIP-007-3 R3", "CIP-007-3 R3.1", "CIP-007-3 R5.1", "CIP-007-3 R5.1.2", "CIP-007-3 R5.1.3", "CIP-007-3 R5.2.1", "CIP-007-3 R5.2.3", "CIP-007-3 R8.4", "CIP-009-6 R.1.1", "CIP-009-6 R4"], "nist": ["SC-30", "SC-30(2)", "SC-30(5)", "CM-6(a)"], "ospp": ["FMT_SMF_EXT.1"], "srg": ["SRG-OS-000132-GPOS-00067", "SRG-OS-000433-GPOS-00192", "SRG-OS-000480-GPOS-00227"], "anssi": ["R9"], "ism": ["1409"]}, "control_references": {"anssi": ["R9"], "ism": ["1409"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0", "ocil": "The runtime status of the <code>kernel.kptr_restrict</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl kernel.kptr_restrict</pre>\nThe output of the command should indicate either:\n<code>kernel.kptr_restrict = 
1</code>\nor:\n<code>kernel.kptr_restrict = 2</code>\nThe output of the command should not indicate:\n<code>kernel.kptr_restrict = 0</code>\n\nThe preferred way to assure runtime compliance is to have\nthe correct persistent configuration in place and to reboot the system.\n\nThe persistent kernel parameter configuration is performed by specifying the appropriate\nassignment in any file located in the <pre>/etc/sysctl.d</pre> directory.\nVerify that there is no existing incorrect configuration by executing the following command:\n<pre>$ grep -r '^\\s*kernel.kptr_restrict\\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>\nThe command should not find any assignments other than:\nkernel.kptr_restrict = 1\nor:\nkernel.kptr_restrict = 2\n\nConflicting assignments are not allowed.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to restrict exposed kernel pointer addresses access.\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\nkernel.kptr_restrict = <sub idref=\"sysctl_kernel_kptr_restrict_value\" />\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must restrict exposed kernel pointer addresses access.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must restrict exposed kernel pointer addresses access.", "vuldiscussion": "Exposing kernel pointers (through procfs or \"seq_printf()\") exposes writable kernel structures, which may contain function pointers. If a write vulnerability occurs in the kernel, allowing write access to any of these structures, the kernel can be compromised. 
This option disallows any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with \"0\".", "checktext": "Verify the runtime status of the kernel.kptr_restrict kernel parameter with the following command:\n\n$ sudo sysctl kernel.kptr_restrict\n\nkernel.kptr_restrict = 1\n\nVerify the configuration of the kernel.kptr_restrict kernel parameter with the following command:\n\n$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' |  grep -F kernel.kptr_restrict | tail -1\n\nkernel.kptr_restrict =1\n\nIf \"kernel.kptr_restrict\" is not set to \"1\" or is missing, this is a finding.", "fixtext": "Add or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\n\nkernel.kptr_restrict = 1\n\nReload settings from all system configuration files with the following command:\n\n$ sudo sysctl --system"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "check-export": ["sysctl_kernel_kptr_restrict_value=xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value"], "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_kernel_kptr_restrict.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_kernel_kptr_restrict.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Restrict Exposed Kernel Pointer Addresses Access", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "kernel.kptr_restrict", "datatype": "int"}, "backends": {}}}