From 2c354a6bfbcedee3f92fd8cbdd42ce0f0861fcaf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 25 May 2020 14:33:06 +0200
Subject: [PATCH 1/5] Add zIPL bootloader group

---
 linux_os/guide/system/bootloader-zipl/group.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 linux_os/guide/system/bootloader-zipl/group.yml

diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
new file mode 100644
index 0000000000..36da84530c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
@@ -0,0 +1,11 @@
+documentation_complete: true
+
+title: 'zIPL bootloader configuration'
+
+description: |-
+    During the boot process, the bootloader is
+    responsible for starting the execution of the kernel and passing
+    options to it.
+    The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
+
+platform: machine
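Review bot: the description in this hunk spells the component both ways, "bootloader" in the first sentence and "boot loader" in the last; the title says "zIPL bootloader configuration", so "bootloader" throughout is the consistent choice. Since every rule that follows in this group checks BLS entries under /boot/loader/entries and /boot/bootmap, it would also help to state in this group description that the rules assume Boot Loader Specification entries rather than a legacy /etc/zipl.conf image section.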

From 13c11b539e5c8cc929a5ccbc4b117a98bb35d915 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 25 May 2020 15:26:19 +0200
Subject: [PATCH 2/5] Add zIPL rule for early audit capability

---
 .../zipl_audit_argument/rule.yml              | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
new file mode 100644
index 0000000000..ce2bd60c59
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
+
+description: |-
+    To ensure all processes can be audited, even those which start prior to the audit daemon,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to enable audit,
+    add <pre>audit=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    Each process on the system carries an "auditable" flag which indicates whether
+    its activities can be audited. Although <tt>auditd</tt> takes care of enabling
+    this for all processes which launch after it does, adding the kernel argument
+    ensures it is set for every process during boot.
+
+severity: medium
+
+ocil_clause: 'auditing is not enabled at boot time'
+
+ocil: |-
+  To check that audit is enabled at boot time, check all boot entries with following command:
+  <pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
+  No line should be returned, each line returned is a boot entry that doesn't enable audit.
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
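Review bot: the OCIL check `sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf` will not match a real entry, because without `-E` GNU grep treats `+` in a basic regular expression literally, so `\s+` means one whitespace character followed by a plus sign; combined with `-L` every entry file is then reported as lacking `audit=1`, even on a compliant system. Use `grep -E -L "^options\s+.*\baudit=1\b" ...` (or `\s\+` in basic syntax). Smaller points in the same hunk: "included in its options" should be "their options" since the subject is the plural "boot entries"; `grep -R` is redundant for the single file /etc/zipl.conf; and the `find ... -newer /boot/bootmap` step aborts with an error rather than reporting a stale bootmap when /boot/bootmap does not exist, so the text should say the file must exist before that check is meaningful.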

From 221979b3aebfe6dda39e1a446140454138e231bf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 26 May 2020 15:06:12 +0200
Subject: [PATCH 3/5] Add few more zIPL kernel option rules

Add rules for the following options:
- audit_backlog_limit
- selinux
- audit_backlog_limit
- enable_selinux
- page_poison
- pti
- slub_debug
- vsyscall
---
 .../rule.yml                                  | 41 +++++++++++++++++++
 .../zipl_enable_selinux/rule.yml              | 37 +++++++++++++++++
 .../zipl_page_poison_argument/rule.yml        | 41 +++++++++++++++++++
 .../zipl_pti_argument/rule.yml                | 40 ++++++++++++++++++
 .../zipl_slub_debug_argument/rule.yml         | 41 +++++++++++++++++++
 .../zipl_vsyscall_argument/rule.yml           | 41 +++++++++++++++++++
 6 files changed, 241 insertions(+)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
new file mode 100644
index 0000000000..08c5b53207
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
+
+description: |-
+    To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to extend the audit log events queue,
+    add <pre>audit_backlog_limit=8192</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    audit_backlog_limit sets the queue length for audit events awaiting transfer
+    to the audit daemon. Until the audit daemon is up and running, all log messages
+    are stored in this queue.  If the queue is overrun during boot process, the action
+    defined by audit failure flag is taken.
+
+severity: medium
+
+ocil_clause: 'audit backlog limit is not configured'
+
+ocil: |-
+  To check that all boot entries extend the backlog limit;
+  Check that all boot entries extend the log events queue:
+  <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
+  No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
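Review bot: the OCIL grep in this hunk checks the wrong value. `grep -L "^options\s+.*\baudit_backlog_limit=0\b"` lists entries that do not contain `audit_backlog_limit=0`, so an entry configured with the required `audit_backlog_limit=8192` is reported as non-compliant, while the description and the /etc/kernel/cmdline paragraph both ask for 8192. Change the pattern to `\baudit_backlog_limit=8192\b` and add `-E` so that `\s+` is a repetition (GNU grep's basic syntax treats `+` literally). The OCIL also opens with two sentences that say the same thing ("To check that all boot entries extend the backlog limit; Check that all boot entries extend the log events queue:"); keep one. In the description, "even those which start prior to the audit daemon" was carried over from the audit=1 rule and does not fit here: events do not start, processes do; the point is that events generated before auditd is running are held in this queue. The rationale should name the flag it refers to ("the audit failure flag" is set by `audit_failure` / auditctl -f) so the reader knows what is taken when the queue overruns.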
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
new file mode 100644
index 0000000000..e7a455b90c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -0,0 +1,37 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure SELinux Not Disabled in zIPL'
+
+description: |-
+    To ensure SELinux is not disabled at boot time,
+    check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+rationale: |-
+    Disabling a major host protection feature, such as SELinux, at boot time prevents
+    it from confining system services at boot time.  Further, it increases
+    the chances that it will remain off during system operation.
+
+severity: medium
+
+ocil_clause: 'SELinux is disabled at boot time'
+
+ocil: |-
+    To check that selinux is not disabled at boot time;
+    Check that no boot entry disables selinux:
+    <pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
+    No line should be returned, each line returned is a boot entry that disables SELinux.
+
+    Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+    <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+    No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+    And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+    and <tt>/etc/zipl.conf</tt>:
+    <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+    No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
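Review bot: the `-L` flag inverts the OCIL check in this hunk. `grep -L "^options\s+.*\bselinux=0\b"` prints the files that do not match, so on a correctly configured system every entry is listed, yet the text says each line returned is an entry that disables SELinux. For a rule that must find entries containing `selinux=0`, use lowercase `-l` (files that do match), with `-E` so that `\s+` is a repetition. Unlike the other rules in this series there is no `/etc/kernel/cmdline` paragraph; a sentence saying that `/etc/kernel/cmdline` must not carry `selinux=0` either would keep entries generated for future kernels compliant. Minor: the ocil block is indented four spaces here but two in the sibling rules.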
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
new file mode 100644
index 0000000000..b8a2eecee6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable page allocator poisoning in zIPL'
+
+description: |-
+    To enable poisoning of free pages,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to enable page poisoning,
+    add <pre>page_poison=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    Poisoning writes an arbitrary value to freed pages, so any modification or
+    reference to that page after being freed or before being initialized will be
+    detected and prevented.
+    This prevents many types of use-after-free vulnerabilities at little performance cost.
+    Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'page allocator poisoning is not enabled'
+
+ocil: |-
+  To check that page poisoning is enabled at boot time, check all boot entries with following command:
+  <pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
+  No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
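Review bot: the last sentence of the rationale in this hunk, "Also prevents leak of data and detection of corrupted memory.", reads as if poisoning prevents detection; the intended meaning is that it also helps detect corrupted memory and prevents data from leaking through reused pages, so reword to that. "arbitrary value" is also imprecise: page poisoning fills freed pages with a fixed pattern, and it is the fixed pattern that makes a later modification detectable. The OCIL grep needs `-E` for `\s+` to act as a repetition (same issue as the audit rule), and the description should say that `page_poison=1` only takes effect on kernels built with page-poisoning support, otherwise the option is accepted and ignored.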
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
new file mode 100644
index 0000000000..4757871a5f
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
+
+description: |-
+    To enable Kernel page-table isolation,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to enable page-table isolation,
+    add <pre>pti=on</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    Kernel page-table isolation is a kernel feature that mitigates
+    the Meltdown security vulnerability and hardens the kernel
+    against attempts to bypass kernel address space layout
+    randomization (KASLR).
+
+severity: medium
+
+ocil_clause: 'Kernel page-table isolation is not enabled'
+
+ocil: |-
+  To check that page-table isolation is enabled at boot time, check all boot entries with following command:
+  <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
+  No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
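Review bot: `pti=` is documented in the kernel's kernel-parameters.txt as an x86-64-only option (Kernel Page Table Isolation mitigates Meltdown on x86), while this rule lives in the zIPL group whose description in the first patch says zIPL is the s390x boot loader. On s390x the kernel does not act on `pti=on`, so the rule enforces an option that has no effect there; either keep it out of this group or state in the description that the flag is accepted but inert on s390x, so an auditor does not read a passing result as a working mitigation. Smaller points: a stray space before the period in "page-table isolation ." at the end of the first OCIL paragraph, and the `\s+` in the grep pattern needs `-E`.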
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
new file mode 100644
index 0000000000..166dd41afd
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
+
+description: |-
+    To enable poisoning of SLUB/SLAB objects,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to extend the audit log events queue,
+    add <pre>slub_debug=P</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    Poisoning writes an arbitrary value to freed objects, so any modification or
+    reference to that object after being freed or before being initialized will be
+    detected and prevented.
+    This prevents many types of use-after-free vulnerabilities at little performance cost.
+    Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'SLUB/SLAB poisoning is not enabled'
+
+ocil: |-
+  To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command;
+  <pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
+  No line should be returned, each line returned is a boot entry that does not enable poisoning.
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
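Review bot: the second description paragraph in this hunk says "continue to extend the audit log events queue", copied from the audit_backlog_limit rule; it should read "continue to enable SLUB/SLAB poisoning". The OCIL grep `\bslub_debug=P\b` only accepts exactly `P`, so an entry with `slub_debug=FZP` or `slub_debug=P,kmalloc-*` (both forms enable poisoning) is flagged as non-compliant; use a pattern that tolerates other flags alongside P, for example `slub_debug=[A-Z]*P`, or say in the description that only the bare `P` form is accepted. The rationale's last sentence has the same wording problem as the page_poison rule ("prevents ... detection of corrupted memory"), and the first OCIL line ends with a semicolon where a colon is meant.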
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
new file mode 100644
index 0000000000..6b95d16fb8
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Disable vsyscalls in zIPL'
+
+description: |-
+    To disable use of virtual syscalls,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to disable virtual syscalls,
+    add <pre>vsyscall=none</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    Poisoning writes an arbitrary value to freed pages, so any modification or
+    reference to that page after being freed or before being initialized will be
+    detected and prevented.
+    This prevents many types of use-after-free vulnerabilities at little performance cost.
+    Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'vsyscalls are enabled'
+
+ocil: |-
+  To check that virtual syscalls are disabled at boot time, check all boot entries with following command:
+  <pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
+  No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
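Review bot: the rationale in this hunk is the page-poisoning text copied verbatim from zipl_page_poison_argument and says nothing about vsyscalls; the rule needs its own rationale (the fifth patch in this series replaces it, so the two could be squashed). As with `pti=`, kernel-parameters.txt documents `vsyscall=` as an x86-64-only parameter (it controls the legacy fixed-address vsyscall page, which exists only on x86-64), so on s390x `vsyscall=none` is inert; the description should say so, or the rule should not sit in the zIPL group. The grep pattern again needs `-E` for `\s+`.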

From a45ba0eaa12de63abb43449c6caee4776100005c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Jun 2020 13:29:39 +0200
Subject: [PATCH 4/5] Fix formatting of zIPL rules

<pre> is rendered in a separate line, while <tt> is rendered inline.
Add line breaks for better readability.
---
 .../bootloader-zipl/zipl_audit_argument/rule.yml       | 10 +++++-----
 .../zipl_audit_backlog_limit_argument/rule.yml         | 10 +++++-----
 .../bootloader-zipl/zipl_enable_selinux/rule.yml       |  8 ++++----
 .../bootloader-zipl/zipl_page_poison_argument/rule.yml | 10 +++++-----
 .../system/bootloader-zipl/zipl_pti_argument/rule.yml  | 10 +++++-----
 .../bootloader-zipl/zipl_slub_debug_argument/rule.yml  | 10 +++++-----
 .../bootloader-zipl/zipl_vsyscall_argument/rule.yml    | 10 +++++-----
 7 files changed, 34 insertions(+), 34 deletions(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index ce2bd60c59..16c0b3f89a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
 description: |-
     To ensure all processes can be audited, even those which start prior to the audit daemon,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.<br />
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
     To ensure that new kernels and boot entries continue to enable audit,
-    add <pre>audit=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     Each process on the system carries an "auditable" flag which indicates whether
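Review bot: `<tt>image = </tt>` keeps a trailing space inside the inline tag, which renders as an odd gap before "setting"; `<tt>image =</tt>` setting reads cleaner (the same replacement appears in the six sibling hunks of this patch). While this line is being touched, "included in its options" could become "their options" to agree with the plural "boot entries".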
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 08c5b53207..47a532d50f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
 description: |-
     To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.<br />
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
     To ensure that new kernels and boot entries continue to extend the audit log events queue,
-    add <pre>audit_backlog_limit=8192</pre> to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     audit_backlog_limit sets the queue length for audit events awaiting transfer
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index e7a455b90c..5aa91c16aa 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -7,10 +7,10 @@ title: 'Ensure SELinux Not Disabled in zIPL'
 description: |-
     To ensure SELinux is not disabled at boot time,
     check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.<br />
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
 rationale: |-
     Disabling a major host protection feature, such as SELinux, at boot time prevents
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index b8a2eecee6..8546325752 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable page allocator poisoning in zIPL'
 description: |-
     To enable poisoning of free pages,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.<br />
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
 
     To ensure that new kernels and boot entries continue to enable page poisoning,
-    add <pre>page_poison=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     Poisoning writes an arbitrary value to freed pages, so any modification or
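Review bot: this hunk ends the "And run <tt>zipl</tt> command ..." line with a single `<br />`, while the six sibling hunks in this patch use `<br /><br />` there to separate the /etc/kernel/cmdline paragraph; make it consistent so the rendered rules look alike.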
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 4757871a5f..eaef25ce40 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
 description: |-
     To enable Kernel page-table isolation,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.<br />
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
     To ensure that new kernels and boot entries continue to enable page-table isolation,
-    add <pre>pti=on</pre> to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     Kernel page-table isolation is a kernel feature that mitigates
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 166dd41afd..68e91a92d6 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
 description: |-
     To enable poisoning of SLUB/SLAB objects,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.<br />
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
     To ensure that new kernels and boot entries continue to extend the audit log events queue,
-    add <pre>slub_debug=P</pre> to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     Poisoning writes an arbitrary value to freed objects, so any modification or
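Review bot: the unchanged context line "To ensure that new kernels and boot entries continue to extend the audit log events queue," is still the copy-paste from the audit_backlog_limit rule; since this hunk already rewrites the very next line, fix it here to "continue to enable SLUB/SLAB poisoning".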
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 6b95d16fb8..8d39337f9e 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Disable vsyscalls in zIPL'
 description: |-
     To disable use of virtual syscalls,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.<br />
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
     To ensure that new kernels and boot entries continue to disable virtual syscalls,
-    add <pre>vsyscall=none</pre> to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     Poisoning writes an arbitrary value to freed pages, so any modification or
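Review bot: the rationale visible in the trailing context of this hunk is still the page-poisoning text; the fifth patch replaces it, so this series would be cleaner with that fix folded into the patch that created the rule, leaving this formatting patch purely mechanical.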

From ae8f9252c3c5c1d1ac1bed201e0981c0d50168aa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 13:08:07 +0200
Subject: [PATCH 5/5] zipl_vsyscall_argument: Fix rationale

copy-pasta error
---
 .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 8d39337f9e..9624b43349 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -16,11 +16,8 @@ description: |-
     add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
-    Poisoning writes an arbitrary value to freed pages, so any modification or
-    reference to that page after being freed or before being initialized will be
-    detected and prevented.
-    This prevents many types of use-after-free vulnerabilities at little performance cost.
-    Also prevents leak of data and detection of corrupted memory.
+    Virtual Syscalls provide an opportunity of attack for a user who has control
+    of the return instruction pointer.
 
 severity: medium
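Review bot: the new rationale is correct but leaves the reader without the mechanism. One sentence would help: the legacy vsyscall page is mapped at the same fixed address in every process, so `vsyscall=none` removes that page and with it a predictable code location that address-space randomization cannot move; it is also worth noting that `vsyscall=none` breaks very old programs that still call into that page, which is the trade-off an administrator accepts. Style: "Virtual Syscalls" is capitalised here but "virtual syscalls" in the description of the same rule.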