{"description": "To set the runtime status of the <code>fs.protected_hardlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_hardlinks=1</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>fs.protected_hardlinks = 1</pre>", "rationale": "By enabling this kernel parameter, users can no longer create soft or hard links to\nfiles which they do not own. Disallowing such hardlinks mitigates vulnerabilities\nbased on insecure file system access by privileged programs, removing an\nexploitation vector that relies on unsafe use of <tt>open()</tt> or <tt>creat()</tt>.", "severity": "medium", "references": {"nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-6(a)", "AC-6(1)"], "srg": ["SRG-OS-000312-GPOS-00122", "SRG-OS-000312-GPOS-00123", "SRG-OS-000324-GPOS-00125"], "anssi": ["R14"]}, "control_references": {"anssi": ["R14"]}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "The runtime status of the <code>fs.protected_hardlinks</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl fs.protected_hardlinks</pre>\nThe output of the command should indicate the following value:\n<code>1</code>.\n", "oval_external_content": null, "fixtext": "Configure the operating system to enable DAC on hardlinks with the following:\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\nfs.protected_hardlinks = 1\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must enable kernel parameters to enforce discretionary access control on hardlinks.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": 
{"stig": {"srg_requirement": "Ubuntu 22.04 must enable kernel parameters to enforce discretionary access control on hardlinks.", "vuldiscussion": "By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system access by privileged programs, removing an exploitation vector that relies on unsafe use of open() or creat().", "checktext": "Verify Ubuntu 22.04 is configured to enable DAC on hardlinks.\n\nCheck the status of the fs.protected_hardlinks kernel parameter with the following command:\n\n$ sudo sysctl fs.protected_hardlinks\n\nfs.protected_hardlinks = 1\n\nIf \"fs.protected_hardlinks\" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' |  grep -F fs.protected_hardlinks | tail -1\n\nfs.protected_hardlinks = 1\n\nIf \"fs.protected_hardlinks\" is not set to \"1\" or is missing, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to enable DAC on hardlinks with the following:\n\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\n\nfs.protected_hardlinks = 1\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_fs_protected_hardlinks.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_fs_protected_hardlinks.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enable Kernel Parameter to Enforce DAC on Hardlinks", "definition_location": 
"/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "fs.protected_hardlinks", "sysctlval": "1", "datatype": "int"}, "backends": {}}}