Enable Kernel Page-Table Isolation (KPTI)

An XCCDF Rule

Description

To enable Kernel page-table isolation, add the argument pti=on to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain pti=on as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) pti=on"

Rationale

Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).

ID: xccdf_org.ssgproject.content_rule_grub2_pti_argument
Severity: Low
References: BP28(R8)

CCI-000381

SI-16

SRG-OS-000095-GPOS-00049 SRG-OS-000433-GPOS-00193
Updated: about 1 year ago

[customizations.kernel]
append = "pti=on"

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-SI-16
  - grub2_pti_argument  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="pti=on"
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-SI-16
  - grub2_pti_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

grubby --update-kernel=ALL --args=pti=on

else    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Kernel Page-Table Isolation (KPTI)

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Ansible

Remediation - Shell Script