{"description": "To set the runtime status of the <code>fs.protected_symlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_symlinks=1</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>fs.protected_symlinks = 1</pre>", "rationale": "By enabling this kernel parameter, symbolic links are permitted to be followed\nonly when outside a sticky world-writable directory, or when the UID of the\nlink and follower match, or when the directory owner matches the symlink's owner.\nDisallowing such symlinks helps mitigate vulnerabilities based on insecure file system\naccessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of\n<tt>open()</tt> or <tt>creat()</tt>.", "severity": "medium", "references": {"nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-6(a)", "AC-6(1)"], "srg": ["SRG-OS-000312-GPOS-00122", "SRG-OS-000312-GPOS-00123", "SRG-OS-000324-GPOS-00125"], "anssi": ["R14"]}, "control_references": {"anssi": ["R14"]}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "The runtime status of the <code>fs.protected_symlinks</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl fs.protected_symlinks</pre>\n<code>1</code>.\n", "oval_external_content": null, "fixtext": "Verify the operating system is configured to enable DAC on symlinks with the following commands:\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\nfs.protected_symlinks = 1\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must enable kernel parameters to enforce discretionary access control on symlinks.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must enable kernel parameters to enforce discretionary access control on symlinks.", "vuldiscussion": "By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().", "checktext": "Verify Ubuntu 22.04 is configured to enable DAC on symlinks.\n\nCheck the status of the fs.protected_symlinks kernel parameter with the following command:\n\n$ sudo sysctl fs.protected_symlinks\n\nfs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks \" is not set to \"1\" or is missing, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F fs.protected_symlinks | tail -1\n\nfs.protected_symlinks = 1\n\nIf \"fs.protected_symlinks\" is not set to \"1\" or is missing, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to enable DAC on symlinks with the following:\n\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\n\nfs.protected_symlinks = 1\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_fs_protected_symlinks.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_fs_protected_symlinks.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enable Kernel Parameter to Enforce DAC on Symlinks", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "fs.protected_symlinks", "sysctlval": "1", "datatype": "int"}, "backends": {}}}