From 2c354a6bfbcedee3f92fd8cbdd42ce0f0861fcaf Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 25 May 2020 14:33:06 +0200 Subject: [PATCH 1/5] Add zIPL bootloader group --- linux_os/guide/system/bootloader-zipl/group.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 linux_os/guide/system/bootloader-zipl/group.yml diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml new file mode 100644 index 0000000000..36da84530c --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/group.yml @@ -0,0 +1,11 @@ +documentation_complete: true + +title: 'zIPL bootloader configuration' + +description: |- + During the boot process, the bootloader is + responsible for starting the execution of the kernel and passing + options to it. + The default {{{ full_name }}} boot loader for s390x systems is called zIPL. + +platform: machine From 13c11b539e5c8cc929a5ccbc4b117a98bb35d915 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 25 May 2020 15:26:19 +0200 Subject: [PATCH 2/5] Add zIPL rule for early audit capability --- .../zipl_audit_argument/rule.yml | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml new file mode 100644 index 0000000000..ce2bd60c59 --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml @@ -0,0 +1,40 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL' + +description: |- + To ensure all processes can be audited, even those which start prior to the audit daemon, + check that all boot entries in /boot/loader/entries/*.conf have audit=1 + included in its options. + Make sure /etc/zipl.conf doesn't contain
image = 
setting, + as {{{ full_name }}} adheres to Boot Loader Specification (BLS). + And run
zipl
command so that /boot/bootmap is updated. + + To ensure that new kernels and boot entries continue to enable audit, + add
audit=1
to /etc/kernel/cmdline. + +rationale: |- + Each process on the system carries an "auditable" flag which indicates whether + its activities can be audited. Although auditd takes care of enabling + this for all processes which launch after it does, adding the kernel argument + ensures it is set for every process during boot. + +severity: medium + +ocil_clause: 'auditing is not enabled at boot time' + +ocil: |- + To check that audit is enabled at boot time, check all boot entries with following command: +
sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't enable audit. + + Check that no image file is specified in /etc/zipl.conf: +
grep -R "^image\s*=" /etc/zipl.conf
+ No line should be returned, if a line is returned zipl may load a different kernel than intended. + + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. From 221979b3aebfe6dda39e1a446140454138e231bf Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 26 May 2020 15:06:12 +0200 Subject: [PATCH 3/5] Add few more zIPL kernel option rules Add rules for following options: - audit_backlog_limit - selinux - audit_backlog_limit - enable_selinux - page_poison - pti - slub_debug - vsyscall --- .../rule.yml | 41 +++++++++++++++++++ .../zipl_enable_selinux/rule.yml | 37 +++++++++++++++++ .../zipl_page_poison_argument/rule.yml | 41 +++++++++++++++++++ .../zipl_pti_argument/rule.yml | 40 ++++++++++++++++++ .../zipl_slub_debug_argument/rule.yml | 41 +++++++++++++++++++ .../zipl_vsyscall_argument/rule.yml | 41 +++++++++++++++++++ 6 files changed, 241 insertions(+) create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml new file mode 100644 index 0000000000..08c5b53207 --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml 
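Review bot: The first OCIL command, `sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf`, runs GNU grep in its default basic-regex mode, where a bare `+` is a literal character (only `\+` means one-or-more), so `\s+` demands whitespace followed by a literal plus sign and never matches a real `options` line; with `-L` every entry is then printed as non-compliant. Switching to extended syntax, `sudo grep -L -E "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf`, fixes this, and the same `\s+` pattern is repeated in every rule of this series. Two smaller points on the same ocil block: `-R` is redundant for the single file /etc/zipl.conf, and `find ... -newer /boot/bootmap` fails with an error rather than a finding when /boot/bootmap has never been generated, which deserves a sentence in the text.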
@@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL' + +description: |- + To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, + check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192 + included in its options. + Make sure /etc/zipl.conf doesn't contain
image = 
setting, + as {{{ full_name }}} adheres to Boot Loader Specification (BLS). + And run
zipl
command so that /boot/bootmap is updated. + + To ensure that new kernels and boot entries continue to extend the audit log events queue, + add
audit_backlog_limit=8192
to /etc/kernel/cmdline. + +rationale: |- + audit_backlog_limit sets the queue length for audit events awaiting transfer + to the audit daemon. Until the audit daemon is up and running, all log messages + are stored in this queue. If the queue is overrun during boot process, the action + defined by audit failure flag is taken. + +severity: medium + +ocil_clause: 'audit backlog limit is not configured' + +ocil: |- + To check that all boot entries extend the backlog limit; + Check that all boot entries extend the log events queue: +
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that does not extend the log events queue. + + Check that no image file is specified in /etc/zipl.conf: +
grep -R "^image\s*=" /etc/zipl.conf
+ No line should be returned, if a line is returned zipl may load a different kernel than intended. + + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml new file mode 100644 index 0000000000..e7a455b90c --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml @@ -0,0 +1,37 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Ensure SELinux Not Disabled in zIPL' + +description: |- + To ensure SELinux is not disabled at boot time, + check that no boot entry in /boot/loader/entries/*.conf has selinux=0 + included in its options. + Make sure /etc/zipl.conf doesn't contain
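Review bot: The boot-entry check greps for `audit_backlog_limit=0` although the rule requires `audit_backlog_limit=8192`, and because `-L` prints the files that do not match, it lists exactly the entries that are configured correctly (or that set no limit at all) and stays silent for an entry that sets the limit to 0. The pattern should be `sudo grep -L -E "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf` (`-E` because `+` is literal in grep's default basic-regex syntax). If larger queue sizes are acceptable, the description and rationale should say so, since the exact-match pattern fails an entry that sets a higher limit. The first two lines of the ocil text say the same thing twice and could be collapsed into one.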
image = 
setting, + as {{{ full_name }}} adheres to Boot Loader Specification (BLS). + And run
zipl
command so that /boot/bootmap is updated. + +rationale: |- + Disabling a major host protection feature, such as SELinux, at boot time prevents + it from confining system services at boot time. Further, it increases + the chances that it will remain off during system operation. + +severity: medium + +ocil_clause: 'SELinux is disabled at boot time' + +ocil: |- + To check that selinux is not disabled at boot time; + Check that no boot entry disables selinux: +
sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that disables SELinux. + + Check that no image file is specified in /etc/zipl.conf: +
grep -R "^image\s*=" /etc/zipl.conf
+ No line should be returned, if a line is returned zipl may load a different kernel than intended. + + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml new file mode 100644 index 0000000000..b8a2eecee6 --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml @@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Enable page allocator poisoning in zIPL' + +description: |- + To enable poisoning of free pages, + check that all boot entries in /boot/loader/entries/*.conf have page_poison=1 + included in its options. + Make sure /etc/zipl.conf doesn't contain
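Review bot: The ocil check `sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf` is inverted for a must-not-contain rule: `-L` prints the entries that do not match, i.e. every entry that leaves SELinux enabled, so a compliant system produces output and the one entry carrying `selinux=0` is the one that stays silent. Use `sudo grep -l -E "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf` so that each returned line really is an entry that disables SELinux (`-E` because `+` is literal in basic-regex mode). Note also that `selinux=0` is only one way to defeat SELinux from the command line; an entry with `enforcing=0` boots permissive, which this rule does not cover, so either a sibling rule or a sentence in the description acknowledging that scope would be useful.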
image = 
setting, + as {{{ full_name }}} adheres to Boot Loader Specification (BLS). + And run
zipl
command so that /boot/bootmap is updated. + + To ensure that new kernels and boot entries continue to enable page poisoning, + add
page_poison=1
to /etc/kernel/cmdline. + +rationale: |- + Poisoning writes an arbitrary value to freed pages, so any modification or + reference to that page after being freed or before being initialized will be + detected and prevented. + This prevents many types of use-after-free vulnerabilities at little performance cost. + Also prevents leak of data and detection of corrupted memory. + +severity: medium + +ocil_clause: 'page allocator poisoning is not enabled' + +ocil: |- + To check that page poisoning is enabled at boot time, check all boot entries with following command: +
sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't enable page poisoning. + + Check that no image file is specified in /etc/zipl.conf: +
grep -R "^image\s*=" /etc/zipl.conf
+ No line should be returned, if a line is returned zipl may load a different kernel than intended. + + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml new file mode 100644 index 0000000000..4757871a5f --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml @@ -0,0 +1,40 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL' + +description: |- + To enable Kernel page-table isolation, + check that all boot entries in /boot/loader/entries/*.conf have pti=on + included in its options. + Make sure /etc/zipl.conf doesn't contain
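Review bot: The last rationale sentence, "Also prevents leak of data and detection of corrupted memory.", says that poisoning prevents detection, the opposite of what is meant; suggested wording: `It also prevents data from leaking out of freed pages and allows detection of corrupted memory.` The ocil grep shares the `\s+` problem of the other rules in this series: in grep's default basic-regex mode a bare `+` is literal, so `sudo grep -L -E "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf` is needed for the check to match anything. It may also be worth stating in the description that `page_poison=1` only takes effect on kernels built with page-poisoning support; that kernel-config dependency cannot be confirmed from this diff, so treat it as a point to verify.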
image = 
setting, + as {{{ full_name }}} adheres to Boot Loader Specification (BLS). + And run
zipl
command so that /boot/bootmap is updated. + + To ensure that new kernels and boot entries continue to enable page-table isolation, + add
pti=on
to /etc/kernel/cmdline. + +rationale: |- + Kernel page-table isolation is a kernel feature that mitigates + the Meltdown security vulnerability and hardens the kernel + against attempts to bypass kernel address space layout + randomization (KASLR). + +severity: medium + +ocil_clause: 'Kernel page-table isolation is not enabled' + +ocil: |- + To check that page-table isolation is enabled at boot time, check all boot entries with following command: +
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation . + + Check that no image file is specified in /etc/zipl.conf: +
grep -R "^image\s*=" /etc/zipl.conf
+ No line should be returned, if a line is returned zipl may load a different kernel than intended. + + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml new file mode 100644 index 0000000000..166dd41afd --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml @@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Enable SLUB/SLAB allocator poisoning in zIPL' + +description: |- + To enable poisoning of SLUB/SLAB objects, + check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P + included in its options. + Make sure /etc/zipl.conf doesn't contain
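Review bot: `pti=on` is the Kernel page-table isolation switch that the kernel's parameter documentation lists as X86_64-only (the Meltdown/KPTI mitigation), while the zIPL group this rule lives in is, per its group.yml, the s390x bootloader; on s390x the kernel ignores the argument, so the rule adds a no-op to every boot entry and the title promises a mitigation that is not delivered. If the rule exists for parity with the GRUB2 profile content, the description and rationale should say explicitly that the argument has no effect on s390x and that the check is a configuration-consistency check only; otherwise it should be dropped from the zIPL group. The ocil grep also has the `\s+` basic-regex problem shared by the series (`+` is literal without `-E`), and there is a stray space in "page-table isolation ." at the end of the first ocil paragraph.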
image = 
setting, + as {{{ full_name }}} adheres to Boot Loader Specification (BLS). + And run
zipl
command so that /boot/bootmap is updated. + + To ensure that new kernels and boot entries continue to extend the audit log events queue, + add
slub_debug=P
to /etc/kernel/cmdline. + +rationale: |- + Poisoning writes an arbitrary value to freed objects, so any modification or + reference to that object after being freed or before being initialized will be + detected and prevented. + This prevents many types of use-after-free vulnerabilities at little performance cost. + Also prevents leak of data and detection of corrupted memory. + +severity: medium + +ocil_clause: 'SLUB/SLAB poisoning is not enabled' + +ocil: |- + To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command; +
sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that does not enable poisoning. + + Check that no image file is specified in /etc/zipl.conf: +
grep -R "^image\s*=" /etc/zipl.conf
+ No line should be returned, if a line is returned zipl may load a different kernel than intended. + + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml new file mode 100644 index 0000000000..6b95d16fb8 --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml @@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Disable vsyscalls in zIPL' + +description: |- + To disable use of virtual syscalls, + check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none + included in its options. + Make sure /etc/zipl.conf doesn't contain
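Review bot: The second description paragraph is a copy-paste leftover from the audit backlog rule: "To ensure that new kernels and boot entries continue to extend the audit log events queue, add slub_debug=P to /etc/kernel/cmdline." should read `To ensure that new kernels and boot entries continue to enable SLUB/SLAB poisoning, add slub_debug=P to /etc/kernel/cmdline.` (the formatting patch later in this series keeps the wrong sentence). The ocil pattern `\bslub_debug=P\b` also rejects entries that combine poisoning with other slub_debug flags, for example `slub_debug=PZ`, because `Z` is a word character and no boundary follows `P`; if combined flags are meant to be compliant, match `slub_debug=[A-Z]*P` instead. Either way the command needs `-E`, since `+` is literal in grep's basic-regex mode and `\s+` never matches as written.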
image = 
setting, + as {{{ full_name }}} adheres to Boot Loader Specification (BLS). + And run
zipl
command so that /boot/bootmap is updated. + + To ensure that new kernels and boot entries continue to disable virtual syscalls, + add
vsyscall=none
to /etc/kernel/cmdline. + +rationale: |- + Poisoning writes an arbitrary value to freed pages, so any modification or + reference to that page after being freed or before being initialized will be + detected and prevented. + This prevents many types of use-after-free vulnerabilities at little performance cost. + Also prevents leak of data and detection of corrupted memory. + +severity: medium + +ocil_clause: 'vsyscalls are enabled' + +ocil: |- + To check that virtual syscalls are disabled at boot time, check all boot entries with following command: +
sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls. + + Check that no image file is specified in /etc/zipl.conf: +
grep -R "^image\s*=" /etc/zipl.conf
+ No line should be returned, if a line is returned zipl may load a different kernel than intended. + + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. From a45ba0eaa12de63abb43449c6caee4776100005c Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 2 Jun 2020 13:29:39 +0200 Subject: [PATCH 4/5] Fix formatting of zIPL rules
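Review bot: `vsyscall=none` controls the legacy x86-64 vsyscall page and the kernel's parameter documentation lists `vsyscall=` as X86-64-only; on s390x, the only architecture zIPL boots, the kernel ignores it, so this rule writes an inert argument into every boot entry and the title "Disable vsyscalls in zIPL" describes a hardening that does not happen. As with the pti rule, either state in the description that the argument has no effect on s390x and is carried only for consistency with the GRUB2 content, or drop the rule from the zIPL group. The ocil grep shares the series-wide `\s+` issue and needs `-E` before it can match any entry.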
 is rendered on a separate line, while  is rendered inline.
Add line breaks for better readability.
---
 .../bootloader-zipl/zipl_audit_argument/rule.yml       | 10 +++++-----
 .../zipl_audit_backlog_limit_argument/rule.yml         | 10 +++++-----
 .../bootloader-zipl/zipl_enable_selinux/rule.yml       |  8 ++++----
 .../bootloader-zipl/zipl_page_poison_argument/rule.yml | 10 +++++-----
 .../system/bootloader-zipl/zipl_pti_argument/rule.yml  | 10 +++++-----
 .../bootloader-zipl/zipl_slub_debug_argument/rule.yml  | 10 +++++-----
 .../bootloader-zipl/zipl_vsyscall_argument/rule.yml    | 10 +++++-----
 7 files changed, 34 insertions(+), 34 deletions(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index ce2bd60c59..16c0b3f89a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
 description: |-
     To ensure all processes can be audited, even those which start prior to the audit daemon,
     check that all boot entries in /boot/loader/entries/*.conf have audit=1
-    included in its options.
-    Make sure /etc/zipl.conf doesn't contain 
image = 
setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS). - And run
zipl
command so that /boot/bootmap is updated. + included in its options.
+ Make sure /etc/zipl.conf doesn't contain image = setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

To ensure that new kernels and boot entries continue to enable audit, - add
audit=1
to /etc/kernel/cmdline. + add audit=1 to /etc/kernel/cmdline. rationale: |- Each process on the system carries an "auditable" flag which indicates whether diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml index 08c5b53207..47a532d50f 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml @@ -7,13 +7,13 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL' description: |- To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192 - included in its options. - Make sure /etc/zipl.conf doesn't contain
image = 
setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS). - And run
zipl
command so that /boot/bootmap is updated. + included in its options.
+ Make sure /etc/zipl.conf doesn't contain image = setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

To ensure that new kernels and boot entries continue to extend the audit log events queue, - add
audit_backlog_limit=8192
to /etc/kernel/cmdline. + add audit_backlog_limit=8192 to /etc/kernel/cmdline. rationale: |- audit_backlog_limit sets the queue length for audit events awaiting transfer diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml index e7a455b90c..5aa91c16aa 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml @@ -7,10 +7,10 @@ title: 'Ensure SELinux Not Disabled in zIPL' description: |- To ensure SELinux is not disabled at boot time, check that no boot entry in /boot/loader/entries/*.conf has selinux=0 - included in its options. - Make sure /etc/zipl.conf doesn't contain
image = 
setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS). - And run
zipl
command so that /boot/bootmap is updated. + included in its options.
+ Make sure /etc/zipl.conf doesn't contain image = setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

rationale: |- Disabling a major host protection feature, such as SELinux, at boot time prevents diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml index b8a2eecee6..8546325752 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml @@ -7,13 +7,13 @@ title: 'Enable page allocator poisoning in zIPL' description: |- To enable poisoning of free pages, check that all boot entries in /boot/loader/entries/*.conf have page_poison=1 - included in its options. - Make sure /etc/zipl.conf doesn't contain
image = 
setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS). - And run
zipl
command so that /boot/bootmap is updated. + included in its options.
+ Make sure /etc/zipl.conf doesn't contain image = setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.
To ensure that new kernels and boot entries continue to enable page poisoning, - add
page_poison=1
to /etc/kernel/cmdline. + add page_poison=1 to /etc/kernel/cmdline. rationale: |- Poisoning writes an arbitrary value to freed pages, so any modification or diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml index 4757871a5f..eaef25ce40 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml @@ -7,13 +7,13 @@ title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL' description: |- To enable Kernel page-table isolation, check that all boot entries in /boot/loader/entries/*.conf have pti=on - included in its options. - Make sure /etc/zipl.conf doesn't contain
image = 
setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS). - And run
zipl
command so that /boot/bootmap is updated. + included in its options.
+ Make sure /etc/zipl.conf doesn't contain image = setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

To ensure that new kernels and boot entries continue to enable page-table isolation, - add
pti=on
to /etc/kernel/cmdline. + add pti=on to /etc/kernel/cmdline. rationale: |- Kernel page-table isolation is a kernel feature that mitigates diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml index 166dd41afd..68e91a92d6 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml @@ -7,13 +7,13 @@ title: 'Enable SLUB/SLAB allocator poisoning in zIPL' description: |- To enable poisoning of SLUB/SLAB objects, check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P - included in its options. - Make sure /etc/zipl.conf doesn't contain
image = 
setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS). - And run
zipl
command so that /boot/bootmap is updated. + included in its options.
+ Make sure /etc/zipl.conf doesn't contain image = setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

To ensure that new kernels and boot entries continue to extend the audit log events queue, - add
slub_debug=P
to /etc/kernel/cmdline. + add slub_debug=P to /etc/kernel/cmdline. rationale: |- Poisoning writes an arbitrary value to freed objects, so any modification or diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml index 6b95d16fb8..8d39337f9e 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml @@ -7,13 +7,13 @@ title: 'Disable vsyscalls in zIPL' description: |- To disable use of virtual syscalls, check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none - included in its options. - Make sure /etc/zipl.conf doesn't contain
image = 
setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS). - And run
zipl
command so that /boot/bootmap is updated. + included in its options.
+ Make sure /etc/zipl.conf doesn't contain image = setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

To ensure that new kernels and boot entries continue to disable virtual syscalls, - add
vsyscall=none
to /etc/kernel/cmdline. + add vsyscall=none to /etc/kernel/cmdline. rationale: |- Poisoning writes an arbitrary value to freed pages, so any modification or From ae8f9252c3c5c1d1ac1bed201e0981c0d50168aa Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 3 Jun 2020 13:08:07 +0200 Subject: [PATCH 5/5] zipl_vsyscall_argument: Fix rationale copy-pasta error --- .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml index 8d39337f9e..9624b43349 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml @@ -16,11 +16,8 @@ description: |- add vsyscall=none to /etc/kernel/cmdline. rationale: |- - Poisoning writes an arbitrary value to freed pages, so any modification or - reference to that page after being freed or before being initialized will be - detected and prevented. - This prevents many types of use-after-free vulnerabilities at little performance cost. - Also prevents leak of data and detection of corrupted memory. + Virtual Syscalls provide an opportunity of attack for a user who has control + of the return instruction pointer. severity: medium