TOSS 5 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282677TOSS-05-000199SV-282677r1201330_ruleCCI-000366medium
Description
When hardened, the extended BPF JIT compiler will randomize any kernel addresses in the BPF programs and maps and will not expose the JIT addresses in "/proc/kallsyms".
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282677r1201330_chk)

Verify TOSS 5 enables hardening for the BPF JIT with the following commands: $ sudo sysctl net.core.bpf_jit_harden net.core.bpf_jit_harden = 2 If the returned line does not have a value of "2", or a line is not returned, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.core.bpf_jit_harden | tail -1 net.core.bpf_jit_harden = 2 If the network parameter "net.core.bpf_jit_harden" is not equal to "2" or nothing is returned, this is a finding.

Fix Text (F-87143r1201329_fix)

Configure TOSS 5 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory: net.core.bpf_jit_harden = 2 Reload the system configuration files for the changes to take effect. $ sudo sysctl --system