Disable vsyscalls

An XCCDF Rule

Description

To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain vsyscall=none as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) vsyscall=none"

Rationale

Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

ID: xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
Severity: Medium
References: CCI-001084

CM-7(a)

FPT_ASLR_EXT.1

SRG-OS-000134-GPOS-00068 SRG-OS-000480-GPOS-00227
Updated: about 1 year ago

[customizations.kernel]
append = "vsyscall=none"

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-7(a)
  - grub2_vsyscall_argument  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="vsyscall=none"
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-7(a)
  - grub2_vsyscall_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

grubby --update-kernel=ALL --args=vsyscall=none

else    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable vsyscalls

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Ansible

Remediation - Shell Script