Disable x86 vsyscall emulation
An XCCDF Rule
Description
Disabling vsyscall emulation is roughly equivalent to booting with vsyscall=none, except that it also
disables the helpful warning the kernel prints when a program tries to use a vsyscall. With this option set to N,
offending programs simply segfault, citing addresses of the form 0xffffffffff600?00.
This configuration option is available from kernel 3.19.
The configuration that was used to build the kernel is available at /boot/config-*.
To check the configuration value for CONFIG_X86_VSYSCALL_EMULATION, run the following command:
grep CONFIG_X86_VSYSCALL_EMULATION /boot/config-*
Options with value 'n' are not set explicitly in the file, so the command should return either a
commented-out line or no line at all.
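The following script is an added example and is not the rule's own OVAL check: it evaluates a kernel config file the way the grep above does (an explicit `=y` fails; a commented-out line or no line passes) and also inspects a kernel command line for the boot-time alternative, vsyscall=none, that the description mentions. The command line is passed in as a string so the check can run offline; when several vsyscall= parameters are present, the last one is treated as authoritative, which is an assumption matching how the kernel handles repeated parameters.

```shell
#!/bin/sh
# Added example (not part of the SSG rule or its OVAL content): check the
# CONFIG_X86_VSYSCALL_EMULATION rule against a kernel config file, and check
# a kernel command line for the boot-time mitigation vsyscall=none.

# Print "pass" and return 0 when vsyscall emulation is disabled in the config:
# either "# CONFIG_X86_VSYSCALL_EMULATION is not set" is present, or no line
# mentions the option at all (kernels before 3.19 do not have it).
# Print "fail" and return 1 when the option is built in (=y).
vsyscall_config_verdict() {
    file="$1"
    opt="CONFIG_X86_VSYSCALL_EMULATION"
    if [ ! -r "$file" ]; then
        echo "error: cannot read $file" >&2
        return 2
    fi
    # An uncommented assignment to y means the emulation is compiled in.
    if grep -q "^${opt}=y" "$file"; then
        echo "fail"
        return 1
    fi
    echo "pass"
    return 0
}

# Print "pass" when the given kernel command line selects vsyscall=none,
# "fail" otherwise. Later vsyscall= parameters override earlier ones
# (assumption: the kernel applies repeated parameters in order).
vsyscall_cmdline_verdict() {
    mode=""
    for word in $1; do
        case "$word" in
            vsyscall=*) mode="${word#vsyscall=}" ;;
        esac
    done
    if [ "$mode" = "none" ]; then
        echo "pass"
        return 0
    fi
    echo "fail"
    return 1
}

# Combined verdict: compliant if the build config disables emulation, or, as a
# compensating control, the kernel was booted with vsyscall=none.
vsyscall_overall_verdict() {
    if [ "$(vsyscall_config_verdict "$1")" = "pass" ] ||
       [ "$(vsyscall_cmdline_verdict "$2")" = "pass" ]; then
        echo "pass"
        return 0
    fi
    echo "fail"
    return 1
}

# Live check when invoked with a config path, for example:
#   sh check_vsyscall.sh /boot/config-$(uname -r)
if [ $# -ge 1 ]; then
    printf 'config  : %s\n' "$(vsyscall_config_verdict "$1")"
    printf 'cmdline : %s\n' "$(vsyscall_cmdline_verdict "$(cat /proc/cmdline 2>/dev/null)")"
    printf 'overall : %s\n' "$(vsyscall_overall_verdict "$1" "$(cat /proc/cmdline 2>/dev/null)")"
fi
```

Run it against the config of the running kernel to get the three verdicts; a "fail" on the config line with a "pass" on the command line means the build still ships the emulation but the boot parameter is neutralising it, which is worth recording separately in an audit because a changed bootloader entry silently removes that protection.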
Rationale
The vsyscall table is no longer required and is a potential source of ROP gadgets.
- ID
- xccdf_org.ssgproject.content_rule_kernel_config_x86_vsyscall_emulation
- Severity
- Low
- References
- Updated