MEDIUM M2: Kernel Hardening (Sysctl) P3

Overview

This remediation applies kernel security hardening via sysctl parameters. These settings improve memory protection and restrict potentially dangerous kernel features.

Note: This group is currently On Hold pending further investigation. PR #528 was closed.

Settings

Setting                           Value  Description
kernel.randomize_va_space         2      Full ASLR - randomizes memory layout
kernel.unprivileged_bpf_disabled  1      Prevent BPF-based privilege escalation
kernel.yama.ptrace_scope          1      Restrict ptrace to parent-child processes
net.core.bpf_jit_harden           2      Harden BPF JIT against spraying attacks

Implementation

The remediation applies a MachineConfig with sysctl settings:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-sysctl-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/sysctl.d/75-security-hardening.conf
          mode: 0644
          overwrite: true
          contents:
            inline: |
              # Memory protection
              kernel.randomize_va_space = 2

              # BPF security
              kernel.unprivileged_bpf_disabled = 1
              net.core.bpf_jit_harden = 2

              # Process tracing restriction
              kernel.yama.ptrace_scope = 1

Compliance Checks Remediated

This group addresses 4 compliance checks:

Check                                                     Profile  Description
rhcos4-e8-worker-sysctl-kernel-randomize-va-space         E8       Enable ASLR
rhcos4-e8-worker-sysctl-kernel-unprivileged-bpf-disabled  E8       Disable unprivileged BPF
rhcos4-e8-worker-sysctl-kernel-yama-ptrace-scope          E8       Restrict ptrace
rhcos4-e8-worker-sysctl-net-core-bpf-jit-harden           E8       Harden BPF JIT

Source Remediation Files

  • medium/rhcos4-e8-worker-sysctl-kernel-randomize-va-space.yaml
  • medium/rhcos4-e8-worker-sysctl-kernel-unprivileged-bpf-disabled.yaml
  • medium/rhcos4-e8-worker-sysctl-kernel-yama-ptrace-scope.yaml
  • medium/rhcos4-e8-worker-sysctl-net-core-bpf-jit-harden.yaml

Verification

After applying, verify sysctl settings:

oc debug node/<node-name> -- chroot /host sysctl kernel.randomize_va_space kernel.unprivileged_bpf_disabled
# Expected:
# kernel.randomize_va_space = 2
# kernel.unprivileged_bpf_disabled = 1
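As an added example (not part of the remediation repository), a shell helper that checks all four values from the MachineConfig above against the output of `sysctl`, instead of eyeballing two of them; the `oc debug` invocation in its comments is assumed to be how the values are read from a node.

```shell
#!/usr/bin/env bash
# Added verification helper, not from the remediation repo.
# Assumption: node values are read with
#   oc debug node/<node-name> -- chroot /host sysctl kernel.randomize_va_space \
#     kernel.unprivileged_bpf_disabled kernel.yama.ptrace_scope \
#     net.core.bpf_jit_harden | check_sysctls

# key=value pairs exactly as written in 75-security-hardening.conf.
EXPECTED='kernel.randomize_va_space=2
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
net.core.bpf_jit_harden=2'

# check_sysctls reads "key = value" lines on stdin (the format sysctl prints),
# prints one OK/MISMATCH/MISSING line per expected key, and returns 0 only if
# every key is present with the expected value.
check_sysctls() {
  local input key want got rc=0
  input=$(cat)
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    # awk with an exact string compare avoids treating the dots in the key
    # as regex metacharacters.
    got=$(printf '%s\n' "$input" | awk -v k="$key" -F' *= *' '$1 == k { print $2 }')
    if [ -z "$got" ]; then
      printf 'MISSING  %s (expected %s)\n' "$key" "$want"; rc=1
    elif [ "$got" != "$want" ]; then
      printf 'MISMATCH %s = %s (expected %s)\n' "$key" "$got" "$want"; rc=1
    else
      printf 'OK       %s = %s\n' "$key" "$got"
    fi
  done <<EOF
$EXPECTED
EOF
  return "$rc"
}
```

A non-zero exit status means at least one setting is missing or differs, so the helper can gate a post-rollout check in CI.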

Security Impact

  • ASLR (kernel.randomize_va_space=2): Makes memory-based exploits significantly harder
  • BPF restrictions: Prevents unprivileged users from using eBPF for privilege escalation
  • Ptrace scope: Limits debugging capabilities to parent-child process relationships