Failed to reload sysctl: `unprivileged_bpf_disabled`: Operation not permitted
Description of problem:
Discovered when trying to remediate an ospp profile Ansible playbook:
TASK [Ensure sysctl kernel.unprivileged_bpf_disabled is set] *******************
fatal: [192.168.121.140]: FAILED! => {"changed": false, "msg": "Failed to reload sysctl: kernel.core_pattern = \nkernel.core_uses_pid = 0\nkernel.perf_event_paranoid = 2\nsysctl: setting key \"kernel.unprivileged_bpf_disabled\": Operation not permitted\n"}
My guess is that, if it is indeed unprivileged_bpf_disabled, something earlier in the list of remediations set a different value to it.
From the Linux kernel documentation:
Writing 1 to this entry will disable unprivileged calls to ``bpf()``;
once disabled, calling ``bpf()`` without ``CAP_SYS_ADMIN`` or ``CAP_BPF``
will return ``-EPERM``. Once set to 1, this can't be cleared from the
running kernel anymore.
Given that the kernel has unprivileged BPF off by default,
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
it's quite possible it's treating any writes to the procfs file as "changing it", resulting in the error.
Maybe the check for the rule should check the kernel config and/or the sysctl live value before trying to set it ... ?
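A pre-check along the lines suggested above, as an added example and not code from the SCAP Security Guide or its Ansible remediation: it reads the live value first, skips the write when nothing would change, and treats a live value of 1 as locked, since the kernel refuses any write that would change it once it is 1. SYSCTL_FILE is an assumed override so the logic can be exercised against a plain file instead of /proc.

```shell
#!/bin/sh
# Idempotent handling of kernel.unprivileged_bpf_disabled (added example).
# SYSCTL_FILE is a hypothetical override; the default is the real procfs entry.
SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/kernel/unprivileged_bpf_disabled}"

# plan_unpriv_bpf <desired>
# Prints "skip" (already at the desired value), "set" (a write is needed and
# possible) or "locked" (live value is 1: the kernel will not let a later write
# change it, so report instead of failing the whole play).
plan_unpriv_bpf() {
    desired="$1"
    live=$(cat "$SYSCTL_FILE" 2>/dev/null) || { echo "missing"; return 1; }
    if [ "$live" = "$desired" ]; then
        echo "skip"
    elif [ "$live" = "1" ]; then
        echo "locked"
    else
        echo "set"
    fi
}

# apply_unpriv_bpf <desired>: only writes to the sysctl when the plan is "set".
apply_unpriv_bpf() {
    case "$(plan_unpriv_bpf "$1")" in
        set)    printf '%s\n' "$1" > "$SYSCTL_FILE" && echo "changed" ;;
        skip)   echo "ok" ;;
        locked) echo "locked" ;;
        *)      echo "error"; return 1 ;;
    esac
}
```

Run with a desired value of 1 on a host that already boots with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y and the result is "ok" rather than an EPERM from a blind reload.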
SCAP Security Guide Version:
520a19633ce32a75982b16a1af48423c99fe23ce
Operating System Version:
RHEL-10