
Randomize layout of sensitive kernel structures

An XCCDF Rule

Description

Randomize at compile time the layouts of structures that are entirely function pointers (and have not been manually annotated with __no_randomize_layout), or structures that have been explicitly marked with __randomize_layout. This configuration is available from kernel 4.13, but may be available in older kernels if backported by distros.

The configuration that was used to build the kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_RANDSTRUCT, run the following command:

grep CONFIG_GCC_PLUGIN_RANDSTRUCT /boot/config-*

For each kernel installed, a line with the value "y" should be returned.
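A small POSIX shell checker for this rule, added here as an example and not part of the SSG content. It takes the config directory as an argument (defaulting to /boot) so the constructed sample files let it run offline, and it anchors the grep pattern because the bare grep in the description also matches the "# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set" line and would report success on a non-compliant kernel.

```shell
#!/bin/sh
# Hypothetical helper (not part of the SSG rule): check every config-* file in
# a directory for CONFIG_GCC_PLUGIN_RANDSTRUCT=y. Returns 0 only when every
# installed kernel passes, 1 when at least one fails, 2 when no config is found.
# The anchored pattern avoids false positives from the "is not set" comment and
# from related options such as CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE.
check_randstruct() {
    dir="${1:-/boot}"
    status=0
    found=0
    for cfg in "$dir"/config-*; do
        [ -f "$cfg" ] || continue
        found=1
        if grep -q '^CONFIG_GCC_PLUGIN_RANDSTRUCT=y$' "$cfg"; then
            echo "PASS: $cfg"
        else
            echo "FAIL: $cfg (CONFIG_GCC_PLUGIN_RANDSTRUCT is not y)"
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no config-* files found in $dir"
        return 2
    fi
    return "$status"
}

# Constructed sample kernel configs for an offline demonstration; the version
# strings are made up. Prints the temporary directory that holds them.
make_samples() {
    d=$(mktemp -d)
    printf 'CONFIG_GCC_PLUGINS=y\nCONFIG_GCC_PLUGIN_RANDSTRUCT=y\n' \
        > "$d/config-5.10.0-compliant"
    # A naive 'grep CONFIG_GCC_PLUGIN_RANDSTRUCT' matches this line and exits 0.
    printf 'CONFIG_GCC_PLUGINS=y\n# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set\n' \
        > "$d/config-5.10.0-unset"
    echo "$d"
}

# Stand-alone run: the constructed set contains one failing kernel.
samples=$(make_samples)
check_randstruct "$samples"
```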

Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

Randomizing the layout of kernel data structures makes it more difficult for an attacker to know the location of sensitive data.

ID
xccdf_org.ssgproject.content_rule_kernel_config_gcc_plugin_randstruct
Severity
Medium