Skip to content

Enable SLUB/SLAB allocator poisoning

An XCCDF Rule

Description

To enable poisoning of SLUB/SLAB objects, add the argument slub_debug= to the default GRUB 2 command line for the Linux operating system. To ensure that slub_debug= is added as a kernel command line argument to newly installed kernels, add slub_debug= to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... slub_debug= ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="slub_debug="

Rationale

Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

ID
xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
Severity
Medium
References
Updated



Remediation - OS Build Blueprint

[customizations.kernel]
append = "slub_debug=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"/>"

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-09-212045
  - NIST-800-53-CM-6(a)

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then

var_slub_debug_options='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"/>'