|
 |
973b04 |
From 2c354a6bfbcedee3f92fd8cbdd42ce0f0861fcaf Mon Sep 17 00:00:00 2001
|
|
|
973b04 |
From: Watson Sato <wsato@redhat.com>
|
|
|
973b04 |
Date: Mon, 25 May 2020 14:33:06 +0200
|
|
|
973b04 |
Subject: [PATCH 1/5] Add zIPL bootloader group
|
|
|
973b04 |
|
|
|
973b04 |
---
|
|
|
973b04 |
linux_os/guide/system/bootloader-zipl/group.yml | 11 +++++++++++
|
|
|
973b04 |
1 file changed, 11 insertions(+)
|
|
|
973b04 |
create mode 100644 linux_os/guide/system/bootloader-zipl/group.yml
|
|
|
973b04 |
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
|
|
|
973b04 |
new file mode 100644
|
|
|
973b04 |
index 0000000000..36da84530c
|
|
|
973b04 |
--- /dev/null
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
|
|
|
973b04 |
@@ -0,0 +1,11 @@
|
|
|
973b04 |
+documentation_complete: true
|
|
|
973b04 |
+
|
|
|
973b04 |
+title: 'zIPL bootloader configuration'
|
|
|
973b04 |
+
|
|
|
973b04 |
+description: |-
|
|
|
973b04 |
+ During the boot process, the bootloader is
|
|
|
973b04 |
+ responsible for starting the execution of the kernel and passing
|
|
|
973b04 |
+ options to it.
|
|
|
973b04 |
+ The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
|
|
|
973b04 |
+
|
|
|
973b04 |
+platform: machine
|
|
|
973b04 |
|
|
|
973b04 |
From 13c11b539e5c8cc929a5ccbc4b117a98bb35d915 Mon Sep 17 00:00:00 2001
|
|
|
973b04 |
From: Watson Sato <wsato@redhat.com>
|
|
|
973b04 |
Date: Mon, 25 May 2020 15:26:19 +0200
|
|
|
973b04 |
Subject: [PATCH 2/5] Add zIPL rule for early audit capability
|
|
|
973b04 |
|
|
|
973b04 |
---
|
|
|
973b04 |
.../zipl_audit_argument/rule.yml | 40 +++++++++++++++++++
|
|
|
973b04 |
1 file changed, 40 insertions(+)
|
|
|
973b04 |
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
|
973b04 |
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
|
973b04 |
new file mode 100644
|
|
|
973b04 |
index 0000000000..ce2bd60c59
|
|
|
973b04 |
--- /dev/null
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
|
973b04 |
@@ -0,0 +1,40 @@
|
|
|
973b04 |
+documentation_complete: true
|
|
|
973b04 |
+
|
|
|
973b04 |
+prodtype: rhel8
|
|
|
973b04 |
+
|
|
|
973b04 |
+title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
|
|
|
973b04 |
+
|
|
|
973b04 |
+description: |-
|
|
|
973b04 |
+ To ensure all processes can be audited, even those which start prior to the audit daemon,
|
|
|
973b04 |
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ To ensure that new kernels and boot entries continue to enable audit,
|
|
|
973b04 |
+ add audit=1 to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+
|
|
|
973b04 |
+rationale: |-
|
|
|
973b04 |
+ Each process on the system carries an "auditable" flag which indicates whether
|
|
|
973b04 |
+ its activities can be audited. Although <tt>auditd</tt> takes care of enabling
|
|
|
973b04 |
+ this for all processes which launch after it does, adding the kernel argument
|
|
|
973b04 |
+ ensures it is set for every process during boot.
|
|
|
973b04 |
+
|
|
|
973b04 |
+severity: medium
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil_clause: 'auditing is not enabled at boot time'
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil: |-
|
|
|
973b04 |
+ To check that audit is enabled at boot time, check all boot entries with following command:
|
|
|
973b04 |
+ sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf
|
|
|
973b04 |
+ No line should be returned, each line returned is a boot entry that doesn't enable audit.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ grep -R "^image\s*=" /etc/zipl.conf
|
|
|
973b04 |
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
|
973b04 |
+ and <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
|
|
|
973b04 |
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
|
973b04 |
|
|
|
973b04 |
From 221979b3aebfe6dda39e1a446140454138e231bf Mon Sep 17 00:00:00 2001
|
|
|
973b04 |
From: Watson Sato <wsato@redhat.com>
|
|
|
973b04 |
Date: Tue, 26 May 2020 15:06:12 +0200
|
|
|
973b04 |
Subject: [PATCH 3/5] Add few more zIPL kernel option rules
|
|
|
973b04 |
|
|
|
973b04 |
Add rules for following options:
|
|
|
973b04 |
- audit_backlog_limit
|
|
|
973b04 |
- selinux
|
|
|
973b04 |
- audit_backlog_limit
|
|
|
973b04 |
- enable_selinux
|
|
|
973b04 |
- page_poison
|
|
|
973b04 |
- pti
|
|
|
973b04 |
- slub_debug
|
|
|
973b04 |
- vsyscall
|
|
|
973b04 |
---
|
|
|
973b04 |
.../rule.yml | 41 +++++++++++++++++++
|
|
|
973b04 |
.../zipl_enable_selinux/rule.yml | 37 +++++++++++++++++
|
|
|
973b04 |
.../zipl_page_poison_argument/rule.yml | 41 +++++++++++++++++++
|
|
|
973b04 |
.../zipl_pti_argument/rule.yml | 40 ++++++++++++++++++
|
|
|
973b04 |
.../zipl_slub_debug_argument/rule.yml | 41 +++++++++++++++++++
|
|
|
973b04 |
.../zipl_vsyscall_argument/rule.yml | 41 +++++++++++++++++++
|
|
|
973b04 |
6 files changed, 241 insertions(+)
|
|
|
973b04 |
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
|
973b04 |
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
|
|
973b04 |
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
|
973b04 |
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
|
973b04 |
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
|
973b04 |
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
|
973b04 |
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
|
973b04 |
new file mode 100644
|
|
|
973b04 |
index 0000000000..08c5b53207
|
|
|
973b04 |
--- /dev/null
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
|
973b04 |
@@ -0,0 +1,41 @@
|
|
|
973b04 |
+documentation_complete: true
|
|
|
973b04 |
+
|
|
|
973b04 |
+prodtype: rhel8
|
|
|
973b04 |
+
|
|
|
973b04 |
+title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
|
|
|
973b04 |
+
|
|
|
973b04 |
+description: |-
|
|
|
973b04 |
+ To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
|
|
|
973b04 |
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ To ensure that new kernels and boot entries continue to extend the audit log events queue,
|
|
|
973b04 |
+ add audit_backlog_limit=8192 to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+
|
|
|
973b04 |
+rationale: |-
|
|
|
973b04 |
+ audit_backlog_limit sets the queue length for audit events awaiting transfer
|
|
|
973b04 |
+ to the audit daemon. Until the audit daemon is up and running, all log messages
|
|
|
973b04 |
+ are stored in this queue. If the queue is overrun during boot process, the action
|
|
|
973b04 |
+ defined by audit failure flag is taken.
|
|
|
973b04 |
+
|
|
|
973b04 |
+severity: medium
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil_clause: 'audit backlog limit is not configured'
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil: |-
|
|
|
973b04 |
+ To check that all boot entries extend the backlog limit;
|
|
|
973b04 |
+ Check that all boot entries extend the log events queue:
|
|
|
973b04 |
+ sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf
|
|
|
973b04 |
+ No line should be returned, each line returned is a boot entry that does not extend the log events queue.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ grep -R "^image\s*=" /etc/zipl.conf
|
|
|
973b04 |
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
|
973b04 |
+ and <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
|
|
|
973b04 |
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
|
|
973b04 |
new file mode 100644
|
|
|
973b04 |
index 0000000000..e7a455b90c
|
|
|
973b04 |
--- /dev/null
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
|
|
973b04 |
@@ -0,0 +1,37 @@
|
|
|
973b04 |
+documentation_complete: true
|
|
|
973b04 |
+
|
|
|
973b04 |
+prodtype: rhel8
|
|
|
973b04 |
+
|
|
|
973b04 |
+title: 'Ensure SELinux Not Disabled in zIPL'
|
|
|
973b04 |
+
|
|
|
973b04 |
+description: |-
|
|
|
973b04 |
+ To ensure SELinux is not disabled at boot time,
|
|
|
973b04 |
+ check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+
|
|
|
973b04 |
+rationale: |-
|
|
|
973b04 |
+ Disabling a major host protection feature, such as SELinux, at boot time prevents
|
|
|
973b04 |
+ it from confining system services at boot time. Further, it increases
|
|
|
973b04 |
+ the chances that it will remain off during system operation.
|
|
|
973b04 |
+
|
|
|
973b04 |
+severity: medium
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil_clause: 'SELinux is disabled at boot time'
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil: |-
|
|
|
973b04 |
+ To check that selinux is not disabled at boot time;
|
|
|
973b04 |
+ Check that no boot entry disables selinux:
|
|
|
973b04 |
+ sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf
|
|
|
973b04 |
+ No line should be returned, each line returned is a boot entry that disables SELinux.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ grep -R "^image\s*=" /etc/zipl.conf
|
|
|
973b04 |
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
|
973b04 |
+ and <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
|
|
|
973b04 |
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
|
973b04 |
new file mode 100644
|
|
|
973b04 |
index 0000000000..b8a2eecee6
|
|
|
973b04 |
--- /dev/null
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
|
973b04 |
@@ -0,0 +1,41 @@
|
|
|
973b04 |
+documentation_complete: true
|
|
|
973b04 |
+
|
|
|
973b04 |
+prodtype: rhel8
|
|
|
973b04 |
+
|
|
|
973b04 |
+title: 'Enable page allocator poisoning in zIPL'
|
|
|
973b04 |
+
|
|
|
973b04 |
+description: |-
|
|
|
973b04 |
+ To enable poisoning of free pages,
|
|
|
973b04 |
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ To ensure that new kernels and boot entries continue to enable page poisoning,
|
|
|
973b04 |
+ add page_poison=1 to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+
|
|
|
973b04 |
+rationale: |-
|
|
|
973b04 |
+ Poisoning writes an arbitrary value to freed pages, so any modification or
|
|
|
973b04 |
+ reference to that page after being freed or before being initialized will be
|
|
|
973b04 |
+ detected and prevented.
|
|
|
973b04 |
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
|
|
|
973b04 |
+ Also prevents leak of data and detection of corrupted memory.
|
|
|
973b04 |
+
|
|
|
973b04 |
+severity: medium
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil_clause: 'page allocator poisoning is not enabled'
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil: |-
|
|
|
973b04 |
+ To check that page poisoning is enabled at boot time, check all boot entries with following command:
|
|
|
973b04 |
+ sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf
|
|
|
973b04 |
+ No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ grep -R "^image\s*=" /etc/zipl.conf
|
|
|
973b04 |
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
|
973b04 |
+ and <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
|
|
|
973b04 |
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
|
973b04 |
new file mode 100644
|
|
|
973b04 |
index 0000000000..4757871a5f
|
|
|
973b04 |
--- /dev/null
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
|
973b04 |
@@ -0,0 +1,40 @@
|
|
|
973b04 |
+documentation_complete: true
|
|
|
973b04 |
+
|
|
|
973b04 |
+prodtype: rhel8
|
|
|
973b04 |
+
|
|
|
973b04 |
+title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
|
|
|
973b04 |
+
|
|
|
973b04 |
+description: |-
|
|
|
973b04 |
+ To enable Kernel page-table isolation,
|
|
|
973b04 |
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ To ensure that new kernels and boot entries continue to enable page-table isolation,
|
|
|
973b04 |
+ add pti=on to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+
|
|
|
973b04 |
+rationale: |-
|
|
|
973b04 |
+ Kernel page-table isolation is a kernel feature that mitigates
|
|
|
973b04 |
+ the Meltdown security vulnerability and hardens the kernel
|
|
|
973b04 |
+ against attempts to bypass kernel address space layout
|
|
|
973b04 |
+ randomization (KASLR).
|
|
|
973b04 |
+
|
|
|
973b04 |
+severity: medium
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil_clause: 'Kernel page-table isolation is not enabled'
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil: |-
|
|
|
973b04 |
+ To check that page-table isolation is enabled at boot time, check all boot entries with following command:
|
|
|
973b04 |
+ sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf
|
|
|
973b04 |
+ No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
|
|
|
973b04 |
+
|
|
|
973b04 |
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ grep -R "^image\s*=" /etc/zipl.conf
|
|
|
973b04 |
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
|
973b04 |
+ and <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
|
|
|
973b04 |
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
|
973b04 |
new file mode 100644
|
|
|
973b04 |
index 0000000000..166dd41afd
|
|
|
973b04 |
--- /dev/null
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
|
973b04 |
@@ -0,0 +1,41 @@
|
|
|
973b04 |
+documentation_complete: true
|
|
|
973b04 |
+
|
|
|
973b04 |
+prodtype: rhel8
|
|
|
973b04 |
+
|
|
|
973b04 |
+title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
|
|
|
973b04 |
+
|
|
|
973b04 |
+description: |-
|
|
|
973b04 |
+ To enable poisoning of SLUB/SLAB objects,
|
|
|
973b04 |
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ To ensure that new kernels and boot entries continue to extend the audit log events queue,
|
|
|
973b04 |
+ add slub_debug=P to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+
|
|
|
973b04 |
+rationale: |-
|
|
|
973b04 |
+ Poisoning writes an arbitrary value to freed objects, so any modification or
|
|
|
973b04 |
+ reference to that object after being freed or before being initialized will be
|
|
|
973b04 |
+ detected and prevented.
|
|
|
973b04 |
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
|
|
|
973b04 |
+ Also prevents leak of data and detection of corrupted memory.
|
|
|
973b04 |
+
|
|
|
973b04 |
+severity: medium
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil_clause: 'SLUB/SLAB poisoning is not enabled'
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil: |-
|
|
|
973b04 |
+ To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command;
|
|
|
973b04 |
+ sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf
|
|
|
973b04 |
+ No line should be returned, each line returned is a boot entry that does not enable poisoning.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ grep -R "^image\s*=" /etc/zipl.conf
|
|
|
973b04 |
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
|
973b04 |
+ and <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
|
|
|
973b04 |
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
|
973b04 |
new file mode 100644
|
|
|
973b04 |
index 0000000000..6b95d16fb8
|
|
|
973b04 |
--- /dev/null
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
|
973b04 |
@@ -0,0 +1,41 @@
|
|
|
973b04 |
+documentation_complete: true
|
|
|
973b04 |
+
|
|
|
973b04 |
+prodtype: rhel8
|
|
|
973b04 |
+
|
|
|
973b04 |
+title: 'Disable vsyscalls in zIPL'
|
|
|
973b04 |
+
|
|
|
973b04 |
+description: |-
|
|
|
973b04 |
+ To disable use of virtual syscalls,
|
|
|
973b04 |
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ To ensure that new kernels and boot entries continue to disable virtual syscalls,
|
|
|
973b04 |
+ add vsyscall=none to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+
|
|
|
973b04 |
+rationale: |-
|
|
|
973b04 |
+ Poisoning writes an arbitrary value to freed pages, so any modification or
|
|
|
973b04 |
+ reference to that page after being freed or before being initialized will be
|
|
|
973b04 |
+ detected and prevented.
|
|
|
973b04 |
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
|
|
|
973b04 |
+ Also prevents leak of data and detection of corrupted memory.
|
|
|
973b04 |
+
|
|
|
973b04 |
+severity: medium
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil_clause: 'vsyscalls are enabled'
|
|
|
973b04 |
+
|
|
|
973b04 |
+ocil: |-
|
|
|
973b04 |
+ To check that virtual syscalls are disabled at boot time, check all boot entries with following command:
|
|
|
973b04 |
+ sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf
|
|
|
973b04 |
+ No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ grep -R "^image\s*=" /etc/zipl.conf
|
|
|
973b04 |
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
|
|
|
973b04 |
+
|
|
|
973b04 |
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
|
973b04 |
+ and <tt>/etc/zipl.conf</tt>:
|
|
|
973b04 |
+ find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
|
|
|
973b04 |
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
|
973b04 |
|
|
|
973b04 |
From a45ba0eaa12de63abb43449c6caee4776100005c Mon Sep 17 00:00:00 2001
|
|
|
973b04 |
From: Watson Sato <wsato@redhat.com>
|
|
|
973b04 |
Date: Tue, 2 Jun 2020 13:29:39 +0200
|
|
|
973b04 |
Subject: [PATCH 4/5] Fix formatting of zIPL rules
|
|
|
973b04 |
|
|
|
973b04 |
is renderend in a separate line, while <tt> is rendered inline.
|
|
|
973b04 |
Add line breaks for better readability.
|
|
|
973b04 |
---
|
|
|
973b04 |
.../bootloader-zipl/zipl_audit_argument/rule.yml | 10 +++++-----
|
|
|
973b04 |
.../zipl_audit_backlog_limit_argument/rule.yml | 10 +++++-----
|
|
|
973b04 |
.../bootloader-zipl/zipl_enable_selinux/rule.yml | 8 ++++----
|
|
|
973b04 |
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 10 +++++-----
|
|
|
973b04 |
.../system/bootloader-zipl/zipl_pti_argument/rule.yml | 10 +++++-----
|
|
|
973b04 |
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 10 +++++-----
|
|
|
973b04 |
.../bootloader-zipl/zipl_vsyscall_argument/rule.yml | 10 +++++-----
|
|
|
973b04 |
7 files changed, 34 insertions(+), 34 deletions(-)
|
|
|
973b04 |
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
|
973b04 |
index ce2bd60c59..16c0b3f89a 100644
|
|
|
973b04 |
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
|
973b04 |
@@ -7,13 +7,13 @@ title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
|
|
|
973b04 |
description: |-
|
|
|
973b04 |
To ensure all processes can be audited, even those which start prior to the audit daemon,
|
|
|
973b04 |
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
|
|
|
973b04 |
- included in its options.
|
|
|
973b04 |
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
- And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
|
|
|
973b04 |
To ensure that new kernels and boot entries continue to enable audit,
|
|
|
973b04 |
- add audit=1 to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+ add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
|
|
|
973b04 |
rationale: |-
|
|
|
973b04 |
Each process on the system carries an "auditable" flag which indicates whether
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
|
973b04 |
index 08c5b53207..47a532d50f 100644
|
|
|
973b04 |
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
|
973b04 |
@@ -7,13 +7,13 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
|
|
|
973b04 |
description: |-
|
|
|
973b04 |
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
|
|
|
973b04 |
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
|
|
|
973b04 |
- included in its options.
|
|
|
973b04 |
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
- And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
|
|
|
973b04 |
To ensure that new kernels and boot entries continue to extend the audit log events queue,
|
|
|
973b04 |
- add audit_backlog_limit=8192 to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+ add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
|
|
|
973b04 |
rationale: |-
|
|
|
973b04 |
audit_backlog_limit sets the queue length for audit events awaiting transfer
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
|
|
973b04 |
index e7a455b90c..5aa91c16aa 100644
|
|
|
973b04 |
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
|
|
973b04 |
@@ -7,10 +7,10 @@ title: 'Ensure SELinux Not Disabled in zIPL'
|
|
|
973b04 |
description: |-
|
|
|
973b04 |
To ensure SELinux is not disabled at boot time,
|
|
|
973b04 |
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
|
|
|
973b04 |
- included in its options.
|
|
|
973b04 |
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
- And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
|
|
|
973b04 |
rationale: |-
|
|
|
973b04 |
Disabling a major host protection feature, such as SELinux, at boot time prevents
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
|
973b04 |
index b8a2eecee6..8546325752 100644
|
|
|
973b04 |
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
|
973b04 |
@@ -7,13 +7,13 @@ title: 'Enable page allocator poisoning in zIPL'
|
|
|
973b04 |
description: |-
|
|
|
973b04 |
To enable poisoning of free pages,
|
|
|
973b04 |
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
|
|
|
973b04 |
- included in its options.
|
|
|
973b04 |
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
- And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
|
|
|
973b04 |
To ensure that new kernels and boot entries continue to enable page poisoning,
|
|
|
973b04 |
- add page_poison=1 to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+ add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
|
|
|
973b04 |
rationale: |-
|
|
|
973b04 |
Poisoning writes an arbitrary value to freed pages, so any modification or
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
|
973b04 |
index 4757871a5f..eaef25ce40 100644
|
|
|
973b04 |
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
|
973b04 |
@@ -7,13 +7,13 @@ title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
|
|
|
973b04 |
description: |-
|
|
|
973b04 |
To enable Kernel page-table isolation,
|
|
|
973b04 |
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
|
|
|
973b04 |
- included in its options.
|
|
|
973b04 |
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
- And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
|
|
|
973b04 |
To ensure that new kernels and boot entries continue to enable page-table isolation,
|
|
|
973b04 |
- add pti=on to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+ add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
|
|
|
973b04 |
rationale: |-
|
|
|
973b04 |
Kernel page-table isolation is a kernel feature that mitigates
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
|
973b04 |
index 166dd41afd..68e91a92d6 100644
|
|
|
973b04 |
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
|
973b04 |
@@ -7,13 +7,13 @@ title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
|
|
|
973b04 |
description: |-
|
|
|
973b04 |
To enable poisoning of SLUB/SLAB objects,
|
|
|
973b04 |
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
|
|
|
973b04 |
- included in its options.
|
|
|
973b04 |
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
- And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
|
|
|
973b04 |
To ensure that new kernels and boot entries continue to extend the audit log events queue,
|
|
|
973b04 |
- add slub_debug=P to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+ add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
|
|
|
973b04 |
rationale: |-
|
|
|
973b04 |
Poisoning writes an arbitrary value to freed objects, so any modification or
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
|
973b04 |
index 6b95d16fb8..8d39337f9e 100644
|
|
|
973b04 |
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
|
973b04 |
@@ -7,13 +7,13 @@ title: 'Disable vsyscalls in zIPL'
|
|
|
973b04 |
description: |-
|
|
|
973b04 |
To disable use of virtual syscalls,
|
|
|
973b04 |
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
|
|
|
973b04 |
- included in its options.
|
|
|
973b04 |
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain image = setting,
|
|
|
973b04 |
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
- And run zipl command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
+ included in its options.
|
|
|
973b04 |
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
|
|
|
973b04 |
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
|
|
973b04 |
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
|
|
|
973b04 |
|
|
|
973b04 |
To ensure that new kernels and boot entries continue to disable virtual syscalls,
|
|
|
973b04 |
- add vsyscall=none to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
+ add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
|
|
|
973b04 |
rationale: |-
|
|
|
973b04 |
Poisoning writes an arbitrary value to freed pages, so any modification or
|
|
|
973b04 |
|
|
|
973b04 |
From ae8f9252c3c5c1d1ac1bed201e0981c0d50168aa Mon Sep 17 00:00:00 2001
|
|
|
973b04 |
From: Watson Sato <wsato@redhat.com>
|
|
|
973b04 |
Date: Wed, 3 Jun 2020 13:08:07 +0200
|
|
|
973b04 |
Subject: [PATCH 5/5] zipl_vsyscall_argument: Fix rationale
|
|
|
973b04 |
|
|
|
973b04 |
copy-pasta error
|
|
|
973b04 |
---
|
|
|
973b04 |
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 7 ++-----
|
|
|
973b04 |
1 file changed, 2 insertions(+), 5 deletions(-)
|
|
|
973b04 |
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
|
973b04 |
index 8d39337f9e..9624b43349 100644
|
|
|
973b04 |
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
|
973b04 |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
|
973b04 |
@@ -16,11 +16,8 @@ description: |-
|
|
|
973b04 |
add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
|
|
|
973b04 |
rationale: |-
|
|
|
973b04 |
- Poisoning writes an arbitrary value to freed pages, so any modification or
|
|
|
973b04 |
- reference to that page after being freed or before being initialized will be
|
|
|
973b04 |
- detected and prevented.
|
|
|
973b04 |
- This prevents many types of use-after-free vulnerabilities at little performance cost.
|
|
|
973b04 |
- Also prevents leak of data and detection of corrupted memory.
|
|
|
973b04 |
+ Virtual Syscalls provide an opportunity of attack for a user who has control
|
|
|
973b04 |
+ of the return instruction pointer.
|
|
|
973b04 |
|
|
|
973b04 |
severity: medium
|
|
|
973b04 |
|