{"description": "Enabling compatiliby with brk() allows legacy binaries to run (i.e. those linked\nagainst libc5). But this compatibility comes at the cost of not being able to randomize\nthe heap placement (ASLR).\n\nUnless legacy binaries need to run on the system, set CONFIG_COMPAT_BRK to \"n\".\n\nThe configuration that was used to build kernel is available at /boot/config-*.\n To check the configuration value for CONFIG_COMPAT_BRK, run the following command:\n grep CONFIG_COMPAT_BRK /boot/config-*\n \n Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.\n ", "rationale": "Enabling compatibility with brk() disables support for ASLR.", "severity": "medium", "references": {"anssi": ["R17"]}, "control_references": {"anssi": ["R17"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n $ grep CONFIG_COMPAT_BRK /boot/config.*
\n \n Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.\n ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable compatibility with brk()", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_COMPAT_BRK", "value": "n"}, "backends": {}}}