{"description": "To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>kernel.randomize_va_space = 2</pre>", "rationale": "Address space layout randomization (ASLR) makes it more difficult for an\nattacker to predict the location of attack code they have introduced into a\nprocess's address space during an attempt at exploitation. Additionally,\nASLR makes it more difficult for an attacker to know the location of\nexisting code in order to re-purpose it using return oriented programming\n(ROP) techniques.", "severity": "medium", "references": {"cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)", "164.308(a)(4)", "164.310(b)", "164.310(c)", "164.312(a)", "164.312(e)"], "nerc-cip": ["CIP-002-5 R1.1", "CIP-002-5 R1.2", "CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 4.1", "CIP-004-6 4.2", "CIP-004-6 R2.2.3", "CIP-004-6 R2.2.4", "CIP-004-6 R2.3", "CIP-004-6 R4", "CIP-005-6 R1", "CIP-005-6 R1.1", "CIP-005-6 R1.2", "CIP-007-3 R3", "CIP-007-3 R3.1", "CIP-007-3 R5.1", "CIP-007-3 R5.1.2", "CIP-007-3 R5.1.3", "CIP-007-3 R5.2.1", "CIP-007-3 R5.2.3", "CIP-007-3 R8.4", "CIP-009-6 R.1.1", "CIP-009-6 R4"], "nist": ["SC-30", "SC-30(2)", "CM-6(a)"], "pcidss": ["Req-2.2.1"], "srg": ["SRG-OS-000433-GPOS-00193", "SRG-OS-000480-GPOS-00227", "SRG-APP-000450-CTR-001105"], "anssi": ["R9"], "cis": ["1.5.1"], "ism": ["1409"], "pcidss4": ["3.3.1.1", "3.3.1", "3.3"], "stigid": ["UBTU-22-213020"], "stigref": ["SV-260474r958928_rule"]}, "control_references": {"anssi": ["R9"], "cis": ["1.5.1"], "ism": ["1409"], "pcidss4": ["3.3.1.1", "3.3.1", "3.3"], "stigid": ["UBTU-22-213020"]}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "The runtime status of the <code>kernel.randomize_va_space</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl kernel.randomize_va_space</pre>\n<code>2</code>.\n", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to implement virtual address space randomization.\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\nkernel.randomize_va_space = 2\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.", "vuldiscussion": "Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques.", "checktext": "Verify Ubuntu 22.04 is implementing ASLR with the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\nkernel.randomize_va_space = 2\n\nCheck that the configuration files are present to enable this kernel parameter.\nVerify the configuration of the kernel.kptr_restrict kernel parameter with the following command:\n\n$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' |  grep -F kernel.randomize_va_space | tail -1\n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" is not set to \"2\" or is missing, this is a finding.", "fixtext": "Add or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\n\nkernel.randomize_va_space = 2\n\nReload settings from all system configuration files with the following command:\n\n$ sudo sysctl --system"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_kernel_randomize_va_space.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_kernel_randomize_va_space.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enable Randomized Layout of Virtual Address Space", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "kernel.randomize_va_space", "sysctlval": "2", "datatype": "int"}, "backends": {}}}