mediumkernelverified ✓rollback-safe
Enable BPF JIT hardening
sysctl-bpf-jit-harden · RHEL ≥ 8 · 1 impl
Description
The net.core.bpf_jit_harden sysctl parameter must be set to 2 to enable JIT spraying countermeasures for the Berkeley Packet Filter (BPF) JIT compiler. This hardens BPF against JIT spraying attacks.
Rationale
The BPF JIT compiler can be exploited via JIT spraying attacks that use BPF programs to place attacker-controlled values at predictable locations. Setting bpf_jit_harden=2 applies hardening mitigations to prevent this attack vector.
Check → Remediate
Checksysctl_value
- key:
- net.core.bpf_jit_harden
- expected:
- 2
Remediatesysctl_set
- key:
- net.core.bpf_jit_harden
- value:
- 2
- persist_file:
- /etc/sysctl.d/99-kensa-bpf-jit.conf
Framework references
STIG
V-244554V-281337 / RHEL-10-800050V-257942 / RHEL-09-251045
NIST 800-53
CM-6SI-16
Live verification
rhel10:checkrhel8:checkrhel9:check
#kernel#sysctl#bpf#jit#security