Enable Kernel Page-Table Isolation (KPTI)

An XCCDF Rule

Description

To enable Kernel page-table isolation, add the argument pti=on to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain pti=on as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) pti=on"

Rationale

Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).

ID: xccdf_org.ssgproject.content_rule_grub2_pti_argument
Severity: Low
References: CCI-000381

SI-16

SRG-OS-000095-GPOS-00049 SRG-OS-000433-GPOS-00193

R8
Updated: 18 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-SI-16
  - grub2_pti_argument  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Check pti argument exists
  command: grep '^\s*GRUB_CMDLINE_LINUX=.*pti=' /etc/default/grub
  failed_when: false
  register: argcheck
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-SI-16
  - grub2_pti_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Check pti argument exists
  command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
  failed_when: false
  register: linecheck
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-SI-16
  - grub2_pti_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Add pti argument
  ansible.builtin.lineinfile:
    line: GRUB_CMDLINE_LINUX="pti=on "
    state: present
    dest: /etc/default/grub
    create: true
    mode: '0644'
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
    linecheck.rc != 0
  tags:
  - NIST-800-53-SI-16
  - grub2_pti_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Replace existing pti argument
  replace:
    path: /etc/default/grub
    regexp: pti=[a-zA-Z0-9,]+
    replace: pti=on
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and
    linecheck.rc == 0
  tags:
  - NIST-800-53-SI-16
  - grub2_pti_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Add pti argument
  replace:
    path: /etc/default/grub
    regexp: (^\s*GRUB_CMDLINE_LINUX=.*)"
    replace: \1 pti=on"
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
    linecheck.rc == 0
  tags:
  - NIST-800-53-SI-16
  - grub2_pti_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Update grub defaults and the bootloader menu
  command: /usr/sbin/update-grub
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-SI-16
  - grub2_pti_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*pti=.*"'  '/etc/default/grub' ; then
       # modify the GRUB command-line if an pti= arg already exists       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)pti=[^[:space:]]\+\(.*\"\)/\1pti=on\2/"  '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX='  '/etc/default/grub' ; then
       # no pti=arg is present, append it
       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 pti=on\"/"  '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
       echo "GRUB_CMDLINE_LINUX=\"pti=on\"" >> '/etc/default/grub'
fi
update-grub

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Kernel Page-Table Isolation (KPTI)

Description

Rationale

Remediation - Ansible

Remediation - Shell Script