Disable vsyscalls
An XCCDF Rule
Description
To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain vsyscall=none as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) vsyscall=none"
Warning
The vsyscall emulation is only available on the x86_64 architecture (CONFIG_X86_VSYSCALL_EMULATION), making this rule not applicable to other CPU architectures.
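The following audit script is an added example, not part of the SSG rule content. It reports the effective vsyscall= setting of a kernel command line and checks both the running kernel (/proc/cmdline) and the persistent GRUB 2 default (the kernelopts variable read with grub2-editenv, as in the command above). It assumes that the kernel applies every vsyscall= occurrence in order, so the last one wins; a check that merely greps for "vsyscall=none" would pass a line such as "vsyscall=none vsyscall=emulate" that actually re-enables the emulation.

```shell
#!/bin/sh
# Added example (not part of the SSG rule): audit the vsyscall= kernel parameter.
# Assumption: each vsyscall= occurrence is applied in order, so the last one is
# the effective mode (none, emulate or xonly); only "none" satisfies this rule.

# Print the effective vsyscall mode for the command line given as $1, or
# "unset" when no vsyscall= parameter is present (the kernel default applies).
vsyscall_mode() {
    mode=unset
    for tok in $1; do
        case $tok in
            vsyscall=*) mode=${tok#vsyscall=} ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Return 0 when the command line satisfies the rule (vsyscall=none), else 1.
vsyscall_disabled() {
    [ "$(vsyscall_mode "$1")" = none ]
}

# Print PASS/FAIL for one command line; $1 is a label, $2 the command line.
report() {
    mode=$(vsyscall_mode "$2")
    if [ "$mode" = none ]; then
        echo "PASS $1: vsyscall=$mode"
        return 0
    fi
    echo "FAIL $1: vsyscall=$mode"
    return 1
}

# Check the running kernel and the persistent GRUB 2 default (kernelopts).
# Both reads are best-effort: an unreadable source is reported as "unset".
check_system() {
    rc=0
    report "running kernel" "$(cat /proc/cmdline 2>/dev/null)" || rc=1
    report "grub2 kernelopts" \
        "$(grub2-editenv - list 2>/dev/null | sed -n 's/^kernelopts=//p')" || rc=1
    return $rc
}

# Only run the system check when invoked as: sh vsyscall_check.sh --check
case ${1:-} in
    --check) check_system ;;
esac
```

The functions can also be sourced into another script; check_system exits non-zero if either the live or the saved command line does not end up with vsyscall=none.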
Rationale
Virtual syscalls provide an opportunity for attack by a user who controls the return instruction pointer.
- ID: xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
- Severity: Medium
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-7(a)
  - grub2_vsyscall_argument
# Task reconstructed from this rule's shell remediation (grubby --update-kernel=ALL --args=vsyscall=none); it is not in the excerpt above.
- name: Update grub defaults and the bootloader menu
  command: grubby --update-kernel=ALL --args=vsyscall=none
  when: '"grub2-common" in ansible_facts.packages'
  tags:
  - grub2_vsyscall_argument
Remediation - script:kickstart
bootloader vsyscall=none
Remediation - OS Build Blueprint
[customizations.kernel]
append = "vsyscall=none"
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && grep -q x86_64 /proc/sys/kernel/osrelease ); }; then
    grubby --update-kernel=ALL --args=vsyscall=none
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi