
1.5.1 Ensure address space layout randomization (ASLR) is enabled

Audit

Run the following script to verify kernel.randomize_va_space is set to 2:

#!/usr/bin/env bash
{
  krp="" pafile="" fafile=""
  kpname="kernel.randomize_va_space"
  kpvalue="2"
  searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
  # Value currently active in the running kernel
  krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
  # Configuration files that set the parameter to the expected value
  pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
  # Configuration files that set the parameter to some other value
  fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
  if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
    echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
  else
    echo -e "\nFAIL: "
    [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
    [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
    [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
  fi
}

Remediation

Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:

Example:

# printf "kernel.randomize_va_space = 2\n" >> /etc/sysctl.d/60-kernel_sysctl.conf

Run the following command to set the active kernel parameter:

# sysctl -w kernel.randomize_va_space=2
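The audit script greps every location independently and fails if any file disagrees, but it does not say which file actually wins at boot. The following added example (not part of the benchmark) parses the same fragments with sysctl.conf syntax (comments, the ignore-errors `-` prefix, `/` or `.` key separators) and resolves the persistent value under the precedence assumed here from procps `sysctl --system`: the first directory providing a file name wins, survivors apply in file-name order, and /etc/sysctl.conf is applied last. `SAMPLE` and the file names in it are constructed.

```python
import re
from pathlib import Path

# `sysctl --system` precedence (assumed from procps): the first directory that
# provides a file name wins, survivors apply in name order, /etc/sysctl.conf last.
SEARCH_DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d",
               "/usr/lib/sysctl.d", "/lib/sysctl.d"]
LINE_RE = re.compile(r"^-?\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")

def parse_fragment(text):
    """Yield (key, value) from sysctl.conf syntax: skip '#'/';' comments and blank
    lines, drop a leading '-' (ignore-errors marker), normalise '/' keys to '.'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if m := LINE_RE.match(line):
            yield m.group(1).replace("/", "."), m.group(2)

def order_fragments(fragments):
    """fragments: [(path, text)] in any order -> the order sysctl applies them."""
    chosen = {}  # file name -> (directory rank, path, text)
    for path, text in fragments:
        p = Path(path)
        if str(p.parent) in SEARCH_DIRS:
            r = SEARCH_DIRS.index(str(p.parent))
            if p.name not in chosen or r < chosen[p.name][0]:
                chosen[p.name] = (r, path, text)
    ordered = [chosen[n][1:] for n in sorted(chosen)]
    return ordered + [(p, t) for p, t in fragments if p == "/etc/sysctl.conf"]

def audit(fragments, key="kernel.randomize_va_space", expected="2"):
    """Resolve the persistent value of `key` (last assignment wins) and list
    every file setting a different value, like the audit script's fafile."""
    value, source, offending = None, None, []
    for path, text in order_fragments(fragments):
        for k, v in parse_fragment(text):
            if k == key:
                value, source = v, path
                if v != expected:
                    offending.append(path)
    return {"value": value, "source": source, "offending": offending,
            "pass": value == expected and not offending}

# Constructed sample: two files set 2, a stale line in /etc/sysctl.conf (applied last) sets 0.
SAMPLE = [
    ("/usr/lib/sysctl.d/50-default.conf", "kernel.randomize_va_space = 2\n"),
    ("/etc/sysctl.d/60-kernel_sysctl.conf", "kernel.randomize_va_space = 2\n"),
    ("/etc/sysctl.conf", "; leftover from debugging\n-kernel/randomize_va_space = 0\n"),
]
```

To audit a real host, feed `audit()` the `(path, text)` pairs read from the directories in `SEARCH_DIRS` plus /etc/sysctl.conf; the running value still needs the `sysctl` query from the audit script above.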