File: rule.yml

# SSG rule: require fs.protected_fifos=2, which restricts opening FIFOs in
# world- and group-writable sticky directories (see rationale below).
documentation_complete: true

title: 'Enable Kernel Parameter to Enforce DAC on FIFOs'

# Description text comes from the shared sysctl macro, called with the same
# sysctl name and expected value that the template block below uses.
description: '{{{ describe_sysctl_option_value(sysctl="fs.protected_fifos", value="2") }}}'

rationale: |-
    This parameter is available since Linux Kernel 4.19 and makes it possible to prohibit
    opening FIFOs that are not owned by the user in world- and group-writable sticky
    directories. It avoids unintentional writes to an attacker-controlled FIFO where a
    program expects to create a regular file.

severity: medium

# One CCE per product the rule ships for; add a new entry when a product is added.
identifiers:
    cce@rhel9: CCE-85884-5
    cce@rhel10: CCE-87125-1

# NIST SP 800-53 mappings: CM-6 (configuration settings), AC-6(1) (least privilege).
references:
    nist: CM-6(a),AC-6(1)

# Manual-check (OCIL) entry, generated from the same sysctl name and value.
{{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.protected_fifos", value="2") }}}

# Shared sysctl template that produces the check and remediation content.
# Value meaning per the kernel fs sysctl documentation: 0 disables the
# protection, 1 covers world-writable sticky directories, 2 additionally covers
# group-writable ones. sysctlval is quoted so YAML keeps it a string; datatype
# presumably tells the generated check to compare the live value as an integer —
# confirm against the sysctl template.
template:
    name: sysctl
    vars:
        sysctlvar: fs.protected_fifos
        sysctlval: '2'
        datatype: int

# Applies only where the scanned system runs its own kernel; presumably this
# excludes container images that share the host kernel — confirm the platform definition.
platform: system_with_kernel