{"description": "Detect overflows of buffers in common string and memory functions where the compiler can\ndetermine and validate the buffer sizes.\nThis configuration is available from kernel 4.13, but may also be available in earlier kernels if backported by distros.\n\nThe configuration that was used to build the kernel is available at <tt>/boot/config-*</tt>.\n    To check the configuration value for <tt>CONFIG_FORTIFY_SOURCE</tt>, run the following command:\n    <tt>grep CONFIG_FORTIFY_SOURCE /boot/config-*</tt>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "rationale": "This feature helps reduce the likelihood of memory corruption of kernel structures.", "severity": "medium", "references": {"anssi": ["R15"]}, "control_references": {"anssi": ["R15"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n    <pre>$ grep CONFIG_FORTIFY_SOURCE /boot/config-*</pre>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Harden common str/mem functions against buffer overflows", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_fortify_source/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_FORTIFY_SOURCE", "value": "y"}, "backends": {}}}