RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.

Severity: medium
Group ID: V-281337
Group Title: SRG-OS-000433-GPOS-00192
Version: RHEL-10-800050
Rule ID: SV-281337r1167161_rule
Date: 2026-03-11
STIG Version: 1

Description

When hardening is enabled, the extended BPF just-in-time (JIT) compiler blinds the constants embedded in compiled BPF programs and maps, so that an attacker cannot control the bytes the JIT emits into executable kernel memory (the basis of JIT spraying), and the addresses of JIT-compiled images are not exported to "/proc/kallsyms". A value of "1" applies the hardening only to programs loaded by unprivileged users; a value of "2" applies it to programs loaded by all users, which is why this rule requires "2".

Check

Verify RHEL 10 enables hardening for the BPF JIT compiler.

Check the status of the "net.core.bpf_jit_harden" parameter with the following command:

$ sudo sysctl net.core.bpf_jit_harden
net.core.bpf_jit_harden = 2

If "net.core.bpf_jit_harden" is not equal to "2" or is missing, this is a finding.

Fix

Configure RHEL 10 to enable hardening for the BPF JIT compiler.

Create the drop-in file if it does not already exist:

$ sudo vi /etc/sysctl.d/99-net_core-bpf_jit_harden.conf

Add the following line to the file:

net.core.bpf_jit_harden = 2

Reload settings from all system configuration files with the following command:

$ sudo sysctl --system

Note that "sysctl --system" applies drop-in files in lexicographical order of file name and reads "/etc/sysctl.conf" last, so a later file that sets "net.core.bpf_jit_harden" to another value will override this drop-in; after reloading, re-run the check command to confirm the running value is "2".
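The check above reads only the running kernel value, and the fix relies on the drop-in surviving "sysctl --system" precedence. The following script is an added example, not part of the STIG text or of any Red Hat tooling: it emulates the file-ordering rules documented in sysctl(8) (drop-in directories searched in order, a file name seen in an earlier directory shadowing the same name in later ones, files applied in lexicographical order with the last assignment winning, and "/etc/sysctl.conf" applied last) to report the value that would actually be persisted, and then compares it with the running value when "/proc/sys" is readable. The function names and the "ROOT" prefix argument (which lets the logic run against a constructed directory tree instead of the live system) are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example: audit net.core.bpf_jit_harden the way `sysctl --system`
# would resolve it, catching a drop-in that a later file silently overrides.

# Directories in the order sysctl --system reads them (sysctl(8)).
sysctl_dirs="etc/sysctl.d run/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d lib/sysctl.d"

# last_assignment FILE KEY DEFAULT
# Prints the last value assigned to KEY in FILE, or DEFAULT if none.
# Comments (# or ;) are stripped, a leading '-' on the key is ignored, and
# '/' separators are normalized to '.' (sufficient for this key).
last_assignment() {
    local file="$1" key="$2" value="$3" line k v
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}; line=${line%%;*}
        case $line in *=*) ;; *) continue ;; esac
        k=${line%%=*}; v=${line#*=}
        k=$(printf '%s' "$k" | tr -d '[:space:]'); k=${k#-}; k=${k//\//.}
        v=$(printf '%s' "$v" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ "$k" = "$key" ] && value=$v
    done < "$file"
    printf '%s' "$value"
}

# effective_sysctl ROOT KEY
# Prints the value KEY would have after `sysctl --system` under ROOT
# (use / for the live system), or nothing if no file sets it.
effective_sysctl() {
    local root="$1" key="$2" value="" d f name
    local -A chosen=()
    # First directory to provide a given file name wins (shadowing).
    for d in $sysctl_dirs; do
        for f in "$root/$d"/*.conf; do
            [ -e "$f" ] || continue
            name=${f##*/}
            [ -n "${chosen[$name]}" ] || chosen[$name]=$f
        done
    done
    # Files are applied in lexicographical order; the last assignment wins.
    for name in $(printf '%s\n' "${!chosen[@]}" | LC_ALL=C sort); do
        value=$(last_assignment "${chosen[$name]}" "$key" "$value")
    done
    # /etc/sysctl.conf is read last and overrides every drop-in.
    if [ -f "$root/etc/sysctl.conf" ]; then
        value=$(last_assignment "$root/etc/sysctl.conf" "$key" "$value")
    fi
    printf '%s' "$value"
}

# check_bpf_jit_harden [ROOT]
# Returns 0 when the persisted value is 2 and, if /proc/sys is readable
# under ROOT, the running value is 2 as well; prints the finding otherwise.
check_bpf_jit_harden() {
    local root="${1:-/}" persisted running
    persisted=$(effective_sysctl "$root" net.core.bpf_jit_harden)
    if [ "$persisted" != "2" ]; then
        echo "finding: persisted net.core.bpf_jit_harden is '${persisted:-unset}', expected 2"
        return 1
    fi
    if [ -r "$root/proc/sys/net/core/bpf_jit_harden" ]; then
        running=$(cat "$root/proc/sys/net/core/bpf_jit_harden")
        if [ "$running" != "2" ]; then
            echo "finding: running net.core.bpf_jit_harden is '$running'; run sysctl --system"
            return 1
        fi
    fi
    echo "ok: net.core.bpf_jit_harden = 2 (persisted${running:+ and running})"
}

# Demonstration on a constructed tree, not the live system: the STIG drop-in
# is present, but a stale line in /etc/sysctl.conf wins because it is read last.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/sysctl.d"
printf 'net.core.bpf_jit_harden = 2\n' > "$demo_root/etc/sysctl.d/99-net_core-bpf_jit_harden.conf"
printf 'net.core.bpf_jit_harden = 0\n' > "$demo_root/etc/sysctl.conf"
check_bpf_jit_harden "$demo_root" || true
rm -rf "$demo_root"
```

To audit the live system, run `check_bpf_jit_harden /` as root. It reports a finding both when no file persists the value (the setting would be lost on reboot even if the running value is "2") and when a later-read file overrides the drop-in; the lexicographical-order and shadowing rules are the documented behavior of sysctl(8), not something this script configures.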