Enable randomization of the page allocator
An XCCDF Rule
Description
To enable randomization of the page allocator in the kernel, add the page_alloc.shuffle=1 argument to the default GRUB 2 command line.
Configure the default GRUB 2 kernel command line to contain page_alloc.shuffle=1 as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) page_alloc.shuffle=1"
Rationale
The CONFIG_SHUFFLE_PAGE_ALLOCATOR config option is primarily focused on improving the average utilization of a direct-mapped memory-side cache. Aside from this performance effect, it also reduces the predictability of page allocations in situations where a bad actor can crash the system and somehow leverage knowledge of (page) allocation order right after a fresh reboot, or can control the timing between the hot-plugging of a memory node (as in a NUMA node) and applications allocating memory out of that node. The page_alloc.shuffle=1 kernel command line parameter then forces this functionality irrespective of the memory cache architecture.
- ID: xccdf_org.ssgproject.content_rule_grub2_page_alloc_shuffle_argument
- Severity: Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_page_alloc_shuffle_argument
  - low_disruption
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
    # Correct the form of default kernel command line in GRUB
    if grep -q '^\s*GRUB_CMDLINE_LINUX=.*page_alloc.shuffle=.*"' '/etc/default/grub' ; then
        # modify the GRUB command-line if a page_alloc.shuffle= arg already exists
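The following is an added example, not the SSG remediation itself. It mirrors the two branches of the shell remediation above (page_alloc.shuffle= already present vs. absent) on a constructed copy of a grub defaults file, handles an empty GRUB_CMDLINE_LINUX value and repeated runs, and checks a kernel command line (such as the contents of /proc/cmdline) for the exact argument; the sample file contents and temp file names are constructed.

```shell
#!/bin/sh
# Added example, not the SSG remediation. Edits GRUB_CMDLINE_LINUX in a file
# in /etc/default/grub format so that page_alloc.shuffle=1 appears exactly
# once, then verifies the setting on a kernel command line string.

# $1: path to a grub defaults file (edited in place).
# Prints the resulting GRUB_CMDLINE_LINUX line.
ensure_page_alloc_shuffle() {
    f="$1"
    tmp="$f.tmp"
    if grep -q '^[[:space:]]*GRUB_CMDLINE_LINUX=.*page_alloc\.shuffle=' "$f"; then
        # argument present, possibly with another value (=0): force it to 1
        sed -e 's/^\([[:space:]]*GRUB_CMDLINE_LINUX=".*\)page_alloc\.shuffle=[^[:space:]"]*\(.*"\)/\1page_alloc.shuffle=1\2/' \
            "$f" > "$tmp"
    else
        # argument absent: append it; an empty quoted value gets no leading
        # space, and the 't' branch stops the second expression from
        # appending a second copy after the first one matched
        sed -e 's/^\([[:space:]]*GRUB_CMDLINE_LINUX="\)"/\1page_alloc.shuffle=1"/' -e 't' \
            -e 's/^\([[:space:]]*GRUB_CMDLINE_LINUX=".*\)"/\1 page_alloc.shuffle=1"/' \
            "$f" > "$tmp"
    fi
    mv "$tmp" "$f"
    grep '^[[:space:]]*GRUB_CMDLINE_LINUX=' "$f"
}

# $1: a kernel command line. Succeeds only if page_alloc.shuffle=1 is present
# as a whole argument (page_alloc.shuffle=0 or page_alloc.shuffle=10 do not count).
cmdline_has_shuffle() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'page_alloc\.shuffle=1'
}

# Demo on a constructed sample file; the real /etc/default/grub is never touched.
demo_file=$(mktemp)
printf '%s\n' 'GRUB_TIMEOUT=5' 'GRUB_CMDLINE_LINUX="quiet splash page_alloc.shuffle=0"' > "$demo_file"
ensure_page_alloc_shuffle "$demo_file"
rm -f "$demo_file"
```

After editing the file the bootloader configuration still has to be regenerated (the remediation's update-grub / grub2-editenv step) and the machine rebooted before cmdline_has_shuffle on /proc/cmdline reports success.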