Ensure SMEP is not disabled during boot

An XCCDF Rule

Description

The SMEP is used to prevent the supervisor mode from executing user space code, it is enabled by default since Linux kernel 3.0. But it could be disabled through kernel boot parameters. Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by the nosmep boot paramenter option. Check that the line

GRUB_CMDLINE_LINUX="..."

within /etc/default/grub doesn't contain the argument nosmep. Run the following command to update command line for already installed kernels:

# grubby --update-kernel=ALL --remove-args="nosmep"

Rationale

Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows the kernel to unintentionally execute code in less privileged memory space.

ID: xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent
Severity: Medium
References: BP28(R1)
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_nosmep_argument_absent
  - low_disruption  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check nosmep argument exists
  command: grep '^GRUB_CMDLINE_LINUX=.*nosmep=.*"' /etc/default/grub
  failed_when: false
  register: argcheck
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - grub2_nosmep_argument_absent
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Replace existing nosmep argument
  replace:
    path: /etc/default/grub
    regexp: \(^GRUB_CMDLINE_LINUX=".*\)nosmep=?[^[:space:]]*\(.*"\)
    replace: \1 \2
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - argcheck is not skipped and argcheck.rc == 0
  tags:
  - grub2_nosmep_argument_absent
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --remove-args="nosmep"
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - grub2_nosmep_argument_absent
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*nosmep=.*"'  '/etc/default/grub' ; then
       sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)nosmep=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'fi
grubby --update-kernel=ALL --remove-args=nosmep

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure SMEP is not disabled during boot

Description

Rationale

Remediation - Ansible

Remediation - Shell Script