Enable page allocator poisoning
An XCCDF Rule
Description
To enable poisoning of free pages,
add the argument page_poison=1
to the default
GRUB 2 command line for the Linux operating system.
To ensure that page_poison=1
is added as a kernel command line
argument to newly installed kernels, add page_poison=1
to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub
as shown below:
GRUB_CMDLINE_LINUX="... page_poison=1 ..."Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
Rationale
Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.
- ID
- xccdf_org.ssgproject.content_rule_grub2_page_poison_argument
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
grubby --update-kernel=ALL --args=page_poison=1
else
Remediation - OS Build Blueprint
[customizations.kernel]
append = "page_poison=1"
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-RHEL-09-212040
- NIST-800-53-CM-6(a)