Enable randomization of the page allocator

An XCCDF Rule

Description

To enable randomization of the page allocator in the kernel, add the page_alloc.shuffle=1 argument to the default GRUB 2 command line. Configure the default GRUB 2 kernel command line to contain page_alloc.shuffle=1 as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) page_alloc.shuffle=1"

Rationale

The CONFIG_SHUFFLE_PAGE_ALLOCATOR config option is primarily focused on improving the average utilization of a direct-mapped memory-side cache. Aside from this performance effect, it also reduces the predictability of page allocations in situations where a bad actor can crash the system and somehow leverage knowledge of (page) allocation order right after a fresh reboot, or can control the timing between a hot-pluggable memory node (as in a NUMA node) coming online and applications allocating memory out of that node. The page_alloc.shuffle=1 kernel command line parameter then forces this functionality irrespective of the memory cache architecture.

ID
xccdf_org.ssgproject.content_rule_grub2_page_alloc_shuffle_argument
Severity
Medium

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_page_alloc_shuffle_argument
  - low_disruption
- name: Ensure page_alloc.shuffle=1 is on the command line of every installed kernel
  command: grubby --update-kernel=ALL --args=page_alloc.shuffle=1
  when: '"grub2-common" in ansible_facts.packages'
  tags:
  - grub2_page_alloc_shuffle_argument
  - low_disruption

Remediation - OS Build Blueprint

[customizations.kernel]
append = "page_alloc.shuffle=1"

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Add the argument to the command line of every installed kernel
grubby --update-kernel=ALL --args=page_alloc.shuffle=1

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
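The remediations above set the argument; the script below is an added compliance check, not part of the rule or the SSG project's code, that decides whether a kernel command line effectively enables page-allocator shuffling. It goes a step beyond a plain grep: the kernel applies parameters in order, so a later page_alloc.shuffle=0 overrides an earlier page_alloc.shuffle=1, and the check reports the value that is actually in effect. The sample command lines are constructed.

```shell
# Added compliance check (not part of the SSG rule content): report the
# effective value of page_alloc.shuffle on a kernel command line.

# Print the effective value of page_alloc.shuffle in the given command line,
# or "unset" when the parameter is absent. The last occurrence wins, which
# matches how the kernel processes repeated parameters.
page_alloc_shuffle_value() {
    value="unset"
    for arg in $1; do
        case "$arg" in
            page_alloc.shuffle=*) value="${arg#page_alloc.shuffle=}" ;;
        esac
    done
    printf '%s\n' "$value"
}

# Return 0 (compliant) only when the effective value is exactly 1.
check_page_alloc_shuffle() {
    [ "$(page_alloc_shuffle_value "$1")" = "1" ]
}

# Print a PASS/FAIL line for one command line, labelled by its source.
report() {
    if check_page_alloc_shuffle "$2"; then
        echo "PASS [$1]: page_alloc.shuffle=1 is in effect"
    else
        echo "FAIL [$1]: page_alloc.shuffle is $(page_alloc_shuffle_value "$2")"
    fi
}

# Constructed sample command lines (not captured from a real system).
SAMPLE_OK="BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro quiet page_alloc.shuffle=1"
SAMPLE_MISSING="BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro quiet"
SAMPLE_OVERRIDDEN="BOOT_IMAGE=(hd0,gpt2)/vmlinuz page_alloc.shuffle=1 ro page_alloc.shuffle=0"

report "sample-ok" "$SAMPLE_OK"
report "sample-missing" "$SAMPLE_MISSING"
report "sample-overridden" "$SAMPLE_OVERRIDDEN"

# Audit the running kernel when /proc/cmdline is available (Linux only).
if [ -r /proc/cmdline ]; then
    report "running-kernel" "$(cat /proc/cmdline)"
fi
```

The running-kernel line tells you whether the argument took effect after reboot; the grubby and grub2-editenv commands above only change what the next boot will use.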