RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-281337 | RHEL-10-800050 | SV-281337r1167161_rule | CCI-002824 | medium |
| Description | ||||
| When hardened, the extended BPF just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms". | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 10 Security Technical Implementation Guide | 2026-03-11 | |||
Details
Check Text (C-281337r1167161_chk)
Verify RHEL 10 enables hardening for the BPF JIT compiler.
Check the status of the "net.core.bpf_jit_harden" parameter with the following command:
$ sudo sysctl net.core.bpf_jit_harden
net.core.bpf_jit_harden = 2
If "net.core.bpf_jit_harden" is not equal to "2" or is missing, this is a finding.
Fix Text (F-85803r1167160_fix)
Configure RHEL 10 to enable hardening for the BPF JIT compiler.
Create the drop-in file if it does not already exist:
$ sudo vi /etc/sysctl.d/99-net_core-bpf_jit_harden.conf
Add the following line to the file:
net.core.bpf_jit_harden = 2
Reload settings from all system configuration files with the following command:
$ sudo sysctl --system