{"description": "To prevent unprivileged processes from using the <code>bpf()</code> syscall\nthe <code>kernel.unprivileged_bpf_disabled</code> kernel parameter must\nbe set to <code>1</code> or <code>2</code>.\n\nWriting <code>1</code> to this entry will disable unprivileged calls to <code>bpf()</code>; once\ndisabled, calling <code>bpf()</code> without <code>CAP_SYS_ADMIN</code> or <code>CAP_BPF</code> will return <code>-EPERM</code>.\nOnce set to <code>1</code>, this can't be cleared from the running kernel anymore.\n\nTo set the runtime status of the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter,\nrun the following command:\n<pre>$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1</pre>\n\nTo make sure that the setting is persistent,\nadd the following line to a file in the directory <tt>/etc/sysctl.d</tt>:\n<pre>kernel.unprivileged_bpf_disabled = 1</pre>\n\nWriting <code>2</code> to this entry will also disable unprivileged calls to <code>bpf()</code>,\nhowever, an admin can still change this setting later on, if needed, by\nwriting <code>0</code> or <code>1</code> to this entry.\n\nTo set the runtime status of the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter,\nrun the following command:\n<pre>$ sudo sysctl -w kernel.unprivileged_bpf_disabled=2</pre>\n\nTo make sure that the setting is persistent,\nadd the following line to a file in the directory <tt>/etc/sysctl.d</tt>:\n<pre>kernel.unprivileged_bpf_disabled = 2</pre>", "rationale": "Loading and accessing the packet filters programs and maps using the bpf()\nsyscall has the potential of revealing sensitive information about the kernel state.", "severity": "medium", "references": {"nist": ["AC-6", "SC-7(10)"], "ospp": ["FMT_SMF_EXT.1"], "srg": ["SRG-OS-000132-GPOS-00067", "SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0", "ocil": "The 
runtime status of the <code>kernel.unprivileged_bpf_disabled</code>\nkernel parameter can be queried by running the following command:\n<pre>$ sysctl kernel.unprivileged_bpf_disabled</pre>\nThe output of the command should indicate either:\nkernel.unprivileged_bpf_disabled = 1\nor:\nkernel.unprivileged_bpf_disabled = 2\nThe output of the command should not indicate:\nkernel.unprivileged_bpf_disabled = 0\n\nThe preferred way to ensure runtime compliance is to have a correct\npersistent configuration and then reboot the system.\n\nThe persistent kernel parameter configuration is performed by specifying the appropriate\nassignment in any file located in the <tt>/etc/sysctl.d</tt> directory.\nVerify that there is no existing incorrect configuration by executing the following command:\n<pre>$ grep -r '^\\s*kernel.unprivileged_bpf_disabled\\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>\nThe command should not find any assignments other than:\nkernel.unprivileged_bpf_disabled = 1\nor:\nkernel.unprivileged_bpf_disabled = 2\n\nDuplicate assignments are not allowed. 
Empty output is allowed, because the system default is 2.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to prevent privilege escalation through the kernel by disabling access to the bpf syscall.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must disable access to network bpf syscall from unprivileged processes.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_kernel_unprivileged_bpf_disabled_accept_default.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_kernel_unprivileged_bpf_disabled_accept_default.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable Access to Network bpf() Syscall From Unprivileged Processes", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "kernel.unprivileged_bpf_disabled", "sysctlval": ["1", "2"], "wrong_sysctlval_for_testing": "0", "missing_parameter_pass": "true", "datatype": "int", "no_remediation": "true"}, "backends": {}}}