diff --git a/shared/fixes/bash/grub2_audit_argument.sh deleted file mode 100644 index 913ebd6788..0000000000 --- a/shared/fixes/bash/grub2_audit_argument.sh +++ /dev/null @@ -1,13 +0,0 @@ -# platform = Red Hat Enterprise Linux 7, multi_platform_fedora - -# Correct the form of default kernel command line in GRUB -if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then - # modify the GRUB command-line if an audit= arg already exists - sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/' '/etc/default/grub' -else - # no audit=arg is present, append it - sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=1"/' '/etc/default/grub' -fi - -# Correct the form of kernel command line for each installed kernel in the bootloader -grubby --update-kernel=ALL --args="audit=1" diff --git a/shared/checks/oval/grub2_audit_argument.xml deleted file mode 100644 index 0a943fd97a..0000000000 --- a/shared/checks/oval/grub2_audit_argument.xml +++ /dev/null @@ -1,55 +0,0 @@ - - - - Enable Auditing for Processes Which Start Prior to the Audit Daemon - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Look for argument audit=1 in the kernel line in /etc/default/grub. - - - - - - - - - - - - - - - - - /etc/default/grub - ^\s*GRUB_CMDLINE_LINUX="(.*)"$ - 1 - - - - - - - - - /etc/default/grub - ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ - 1 - - - - ^.*audit=1.*$ - - - diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule new file mode 100644 index 0000000000..361a6b9853 --- /dev/null +++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule 
@@ -0,0 +1,51 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Extend Audit Backlog Limit for the Audit Daemon' + +description: |- + To improve the kernel capacity to queue all log events, even those which occurred + prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default + GRUB 2 command line for the Linux operating system in + /etc/default/grub, in the manner below: +
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"
+ +rationale: |- + audit_backlog_limit sets the queue length for audit events awaiting transfer + to the audit daemon. Until the audit daemon is up and running, all log messages + are stored in this queue. If the queue is overrun during boot process, the action + defined by audit failure flag is taken. + +severity: unknown + +ocil_clause: 'audit backlog limit is not configured' + +ocil: |- + Inspect the form of default GRUB 2 command line for the Linux operating system + in /etc/default/grub. If they include audit_backlog_limit=1, then auditing + is enabled at boot time. +

+ To ensure audit_backlog_limit=1 is configured on all installed kernels, the + following command may be used: +
+
$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=1"
+
+ +warnings: + - management: |- + The GRUB 2 configuration file, grub.cfg, + is automatically updated each time a new kernel is installed. Note that any + changes to /etc/default/grub require rebuilding the grub.cfg + file. To update the GRUB 2 configuration file manually, use the +
grub2-mkconfig -o
command as follows: + diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule new file mode 100644 index 0000000000..8773f2407f --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule @@ -0,0 +1,49 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Disable vsyscalls' + +description: |- + To disable use of virtual syscalls, + add the argument vsyscall=none to the default + GRUB 2 command line for the Linux operating system in + /etc/default/grub, in the manner below: +
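Review bot: The ocil block checks for `audit_backlog_limit=1` in both the inspection sentence and the grubby example, while the title, description and the CSV row intend `audit_backlog_limit=8192`; an assessor following this text would accept a queue of a single event. Change both occurrences to `audit_backlog_limit=8192`, and replace `then auditing is enabled at boot time`, which was carried over from the audit=1 rule and does not describe this argument, with `then the audit backlog limit is extended at boot time`. `If they include` refers to one command line, so `If it includes` reads better. The management warning ends at 'command as follows:' with no command visible in the hunk; if that is not a rendering artefact, the example command is missing.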
GRUB_CMDLINE_LINUX="vsyscall=none"
+ +rationale: |- + Virtual Syscalls provide an opportunity of attack for a user who has control + of the return instruction pointer. + +severity: unknown + +ocil_clause: 'vsyscalls are enabled' + +ocil: |- + Inspect the form of default GRUB 2 command line for the Linux operating system + in /etc/default/grub. If they include vsyscall=none, + then virtyal syscalls are not enabled at boot time. +

+ To ensure vsyscall=none is configured on all installed kernels, the + following command may be used: +
+
$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none
+
+ +warnings: + - management: |- + The GRUB 2 configuration file, grub.cfg, + is automatically updated each time a new kernel is installed. Note that any + changes to /etc/default/grub require rebuilding the grub.cfg + file. To update the GRUB 2 configuration file manually, use the +
grub2-mkconfig -o
command as follows: + diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml new file mode 100644 index 0000000000..6a7a370f2b --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml @@ -0,0 +1,8 @@ +documentation_complete: true + +title: 'Memory Poisoning' + +description: |- + Memory Poisoning consists of writing a special value to uninitialized or freed memory. + Poisoning can be used as a mechanism to prevent leak of information and detection of + corrupted memory. diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule new file mode 100644 index 0000000000..9056613b0d --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule @@ -0,0 +1,52 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Enable page allocator poisoning' + +description: |- + To enable poisoning of free pages, + add the argument page_poison=1 to the default + GRUB 2 command line for the Linux operating system in + /etc/default/grub, in the manner below: +
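Review bot: The grubby example in the ocil block, `$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none`, lacks its closing double quote, and the same unterminated quote appears in grub2_page_poison_argument.rule and grub2_slub_debug_argument.rule; it should read `$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none"`. `virtyal syscalls` in the ocil text is a typo for `virtual syscalls`. A compatibility caveat belongs in the warnings block: `vsyscall=none` removes the legacy vsyscall page, so very old statically linked binaries that still call into it stop working, whereas the kernel's usual default (`vsyscall=emulate`) keeps them running; administrators should test such workloads before rolling this out.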
GRUB_CMDLINE_LINUX="page_poison=1"
+ +rationale: |- + Poisoning writes an arbitrary value to freed pages, so any modification or + reference to that page after being freed or before being initialized will be + detected and prevented. + This prevents many types of use-after-free vulnerabilities at little performance cost. + Also prevents leak of data and detection of corrupted memory. + +severity: unknown + +ocil_clause: 'page allocator poisoning is not enabled' + +ocil: |- + Inspect the form of default GRUB 2 command line for the Linux operating system + in /etc/default/grub. If they include page_poison=1, + then page poisoning is enabled at boot time. +

+ To ensure page_poison=1 is configured on all installed kernels, the + following command may be used: +
+
$ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1
+
+ +warnings: + - management: |- + The GRUB 2 configuration file, grub.cfg, + is automatically updated each time a new kernel is installed. Note that any + changes to /etc/default/grub require rebuilding the grub.cfg + file. To update the GRUB 2 configuration file manually, use the +
grub2-mkconfig -o
command as follows: + diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule new file mode 100644 index 0000000000..ea982ee216 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule @@ -0,0 +1,52 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Enable SLUB/SLAB allocator poisoning' + +description: |- + To enable poisoning of SLUB/SLAB objects, + add the argument slub_debug=P to the default + GRUB 2 command line for the Linux operating system in + /etc/default/grub, in the manner below: +
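Review bot: The last rationale sentence, `Also prevents leak of data and detection of corrupted memory`, reads as if poisoning prevents detection, which inverts the intended meaning; the same construction appears in grub2_slub_debug_argument.rule and in poisoning/group.yml. Suggest `It also prevents leaks of stale data and enables detection of memory corruption.` The check generated for this rule looks only at /etc/default/grub (per the OVAL template's own description text), so it reports compliance even on a kernel built without page poisoning support, where the argument is accepted but has no effect; a sentence to that effect in the warnings block would help assessors interpret a pass.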
GRUB_CMDLINE_LINUX="slub_debug=P"
+ +rationale: |- + Poisoning writes an arbitrary value to freed objects, so any modification or + reference to that object after being freed or before being initialized will be + detected and prevented. + This prevents many types of use-after-free vulnerabilities at little performance cost. + Also prevents leak of data and detection of corrupted memory. + +severity: unknown + +ocil_clause: 'SLUB/SLAB poisoning is not enabled' + +ocil: |- + Inspect the form of default GRUB 2 command line for the Linux operating system + in /etc/default/grub. If they include slub_debug=P, + then SLUB/SLAB poisoning is enabled at boot time. +

+ To ensure slub_debug=P is configured on all installed kernels, the + following command may be used: +
+
$ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P
+
+ +warnings: + - management: |- + The GRUB 2 configuration file, grub.cfg, + is automatically updated each time a new kernel is installed. Note that any + changes to /etc/default/grub require rebuilding the grub.cfg + file. To update the GRUB 2 configuration file manually, use the +
grub2-mkconfig -o
command as follows:
+
diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
index bfdc68de8b..dd157a6e5b 100644
--- a/rhel7/profiles/ospp42.profile
+++ b/rhel7/profiles/ospp42.profile
@@ -15,6 +15,7 @@ description: |-
 selections:
 - installed_OS_is_certified
 - grub2_audit_argument
+ - grub2_audit_backlog_limit_argument
 - service_auditd_enabled
 - grub2_enable_fips_mode
 - rpm_verify_hashes
@@ -53,6 +54,9 @@ selections:
 - grub2_password
 - grub2_uefi_password
 - grub2_disable_interactive_boot
+ - grub2_slub_debug_argument
+ - grub2_page_poison_argument
+ - grub2_vsyscall_argument
 - no_empty_passwords
 - require_singleuser_auth
 - service_debug-shell_disabled
diff --git a/shared/templates/create_grub2_bootloader_argument.py b/shared/templates/create_grub2_bootloader_argument.py
new file mode 100644
index 0000000000..bbd6e46a82
--- /dev/null
+++ b/shared/templates/create_grub2_bootloader_argument.py
@@ -0,0 +1,40 @@
+#!/usr/bin/python2
+
+#
+# create_grub2_bootloader_argument.py
+# generate template-based checks for unsuccessful file modifications detailed
+
+
+from template_common import FilesGenerator, UnknownTargetError
+
+import re
+
+class GRUB2BootloaderArgumentGenerator(FilesGenerator):
+ def generate(self, target, args):
+ arg_name, arg_value = args[0:2]
+ arg_name_value = arg_name + '=' + arg_value
+
+ if target == "bash":
+ self.file_from_template(
+ "./template_BASH_grub2_bootloader_argument",
+ {
+ "ARG_NAME": arg_name,
+ "ARG_NAME_VALUE": arg_name_value
+ },
+ "./bash/grub2_{0}_argument.sh", arg_name
+ )
+ elif target == "oval":
+ self.file_from_template(
+ "./template_OVAL_grub2_bootloader_argument",
+ {
+ "ARG_NAME": arg_name,
+ "ARG_NAME_VALUE": arg_name_value
+ },
+ "./oval/grub2_{0}_argument.xml", arg_name
+ )
+ else:
+ raise UnknownTargetError(target)
+
+ def csv_format(self):
+ return("CSV should contains lines of the format: " +
+ "SYSCALL")
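Review bot: `csv_format` returns a message describing `SYSCALL` lines, copied from another generator, which does not match this template's CSV of `argument_name,value` rows; change it to `return("CSV should contain lines of the format: " + "ARGUMENT_NAME,VALUE")`. The header comment 'generate template-based checks for unsuccessful file modifications detailed' is the same kind of leftover, and `import re` is unused. `arg_name` and `arg_name_value` are substituted verbatim into a sed expression and into an OVAL regex by the two templates, so a CSV value containing `/`, `&`, `\` or a regex metacharacter would silently produce a broken remediation or an over-broad check; a guard such as `if not re.match(r'^[A-Za-z0-9_=-]+$', arg_name_value): raise ValueError("unsupported characters in " + arg_name_value)` makes the generator state what the templates can safely take and gives `import re` a purpose. A CSV row with fewer than two fields currently fails with a bare unpacking `ValueError`; a message naming the offending row would make build failures easier to diagnose.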
diff --git a/shared/templates/csv/grub2_bootloader_argument.csv b/shared/templates/csv/grub2_bootloader_argument.csv
new file mode 100644
index 0000000000..8610111715
--- /dev/null
+++ b/shared/templates/csv/grub2_bootloader_argument.csv
@@ -0,0 +1,10 @@
+# format:
+# ,
+# - argument_name is the name of argument for the bootloader
+# - value is the value for the argument
+
+audit,1
+audit_backlog_limit,8192
+slub_debug,P
+page_poison,1
+vsyscall,none
diff --git a/shared/templates/template_BASH_grub2_bootloader_argument b/shared/templates/template_BASH_grub2_bootloader_argument
new file mode 100644
index 0000000000..9f48517415
--- /dev/null
+++ b/shared/templates/template_BASH_grub2_bootloader_argument
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 7, multi_platform_fedora
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/' '/etc/default/grub'
+else
+ # no {{{ ARG_NAME }}}=arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub'
+fi
+
+# Correct the form of kernel command line for each installed kernel in the bootloader
+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument
new file mode 100644
index 0000000000..b6f4b1397a
--- /dev/null
+++ b/shared/templates/template_OVAL_grub2_bootloader_argument
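Review bot: The first sed in the Bash template replaces the existing `{{{ ARG_NAME }}}=...` token with ` {{{ ARG_NAME_VALUE }}} ` (a space on each side), so every run on an already compliant line adds whitespace and the remediation is not idempotent; since `[^[:space:]]*` already consumes the old value up to the following separator, the replacement should be `\1{{{ ARG_NAME_VALUE }}}\2`, i.e. `sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1{{{ ARG_NAME_VALUE }}}\2/' '/etc/default/grub'`. Both the grep and that sed match `{{{ ARG_NAME }}}=` with only `.*` before it, so an argument name that is a suffix of another parameter's name would be found inside the longer name; anchoring on `[[:space:]"]{{{ ARG_NAME }}}=` (and capturing that separator in the sed) avoids it. The value is also interpolated into a `/`-delimited sed expression, so a future CSV value containing `/`, `&` or `\` would break the script; the five current values are safe, but the template should say so in a comment. The template edits only `GRUB_CMDLINE_LINUX`, while the accompanying OVAL template also inspects `GRUB_CMDLINE_LINUX_DEFAULT`; whether the check can fail on a line the remediation never touches is worth confirming.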
@@ -0,0 +1,55 @@ + + + + Ensure GRUB 2 is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}} + + Red Hat Enterprise Linux 7 + multi_platform_fedora + + Look for argument {{{ ARG_NAME_VALUE }}} in the kernel line in /etc/default/grub. + + + + + + + + + + + + + + + + + /etc/default/grub + ^\s*GRUB_CMDLINE_LINUX="(.*)"$ + 1 + + + + + + + + + /etc/default/grub + ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ + 1 + + + + ^.*{{{ ARG_NAME_VALUE }}}.*$ + + + diff --git a/ssg/build_templates.py b/ssg/build_templates.py index f4373553b2..c36bbbacc4 100644 --- a/ssg/build_templates.py +++ b/ssg/build_templates.py @@ -28,6 +28,7 @@ from create_audit_rules_usergroup_modification import AuditRulesUserGroupModificationGenerator from create_audit_rules_execution import AuditRulesExecutionGenerator from create_audit_rules_path_syscall import AuditRulesPathSyscallGenerator +from create_grub2_bootloader_argument import GRUB2BootloaderArgumentGenerator class Builder(object): @@ -74,6 +75,7 @@ def __init__(self, env_yaml): "audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(), "audit_rules_execution.csv": AuditRulesExecutionGenerator(), "audit_rules_path_syscall.csv": AuditRulesPathSyscallGenerator(), + "grub2_bootloader_argument.csv": GRUB2BootloaderArgumentGenerator(), } self.langs = TEMPLATED_LANGUAGES utils_dir = os.path.dirname(os.path.realpath(__file__))
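Review bot: The state regex `^.*{{{ ARG_NAME_VALUE }}}.*$` is an unanchored substring match, so `audit=1` is satisfied by `audit=10` and `page_poison=1` by `page_poison=12`; delimit the argument with whitespace or the line edges, e.g. `^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$`. The value is pasted in as raw regex text, so any metacharacter in a future CSV value would widen the match rather than fail the build (the current five values contain none). The XML markup is stripped in this view, but the text shows objects for both `GRUB_CMDLINE_LINUX` and `GRUB_CMDLINE_LINUX_DEFAULT`, whereas the Bash template edits only `GRUB_CMDLINE_LINUX`; whether the criteria combine the two with OR or AND decides whether remediation and check agree, so please confirm. The check reads only /etc/default/grub, so a host whose installed kernel entries lack the argument (the case the grubby step in the remediation exists for) still passes; the description's `Look for argument ... in the kernel line in /etc/default/grub` should make that scope explicit.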