TOSS 5 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-282677 | TOSS-05-000199 | SV-282677r1201330_rule | CCI-000366 | medium |
| Description | ||||
| When hardened, the extended BPF JIT compiler will randomize any kernel addresses in the BPF programs and maps and will not expose the JIT addresses in "/proc/kallsyms". | ||||
| STIG | Date | |||
| Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide | 2026-04-01 | |||
Details
Check Text (C-282677r1201330_chk)
Verify TOSS 5 enables hardening for the BPF JIT with the following commands:
$ sudo sysctl net.core.bpf_jit_harden
net.core.bpf_jit_harden = 2
If the returned line does not have a value of "2", or a line is not returned, this is a finding.
Check that the configuration files are present to enable this kernel parameter.
$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.core.bpf_jit_harden | tail -1
net.core.bpf_jit_harden = 2
If the network parameter "net.core.bpf_jit_harden" is not equal to "2" or nothing is returned, this is a finding.
Fix Text (F-87143r1201329_fix)
Configure TOSS 5 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory:
net.core.bpf_jit_harden = 2
Reload the system configuration files for the changes to take effect.
$ sudo sysctl --system