Disable vsyscalls

An XCCDF Rule

Description

To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system. To ensure that vsyscall=none is added as a kernel command line argument to newly installed kernels, add vsyscall=none to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... vsyscall=none ..."

Run the following command to update command line for already installed kernels:

# grubby --update-kernel=ALL --args="vsyscall=none"

warning alert: Warning

The vsyscall emulation is only available on x86_64 architecture (CONFIG_X86_VSYSCALL_EMULATION) making this rule not applicable to other CPU architectures.

Rationale

Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

ID: xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
Severity: Medium
References: CCI-000366 CCI-001084

CM-7(a)

FPT_ASLR_EXT.1

SRG-OS-000134-GPOS-00068 SRG-OS-000480-GPOS-00227
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-7(a)
  - grub2_vsyscall_argument  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check vsyscall argument exists
  command: grep '^\s*GRUB_CMDLINE_LINUX=.*vsyscall=' /etc/default/grub
  failed_when: false
  register: argcheck
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and ansible_architecture == "x86_64" )
  tags:
  - NIST-800-53-CM-7(a)
  - grub2_vsyscall_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check vsyscall argument exists
  command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
  failed_when: false
  register: linecheck
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and ansible_architecture == "x86_64" )
  tags:
  - NIST-800-53-CM-7(a)
  - grub2_vsyscall_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add vsyscall argument
  ansible.builtin.lineinfile:
    line: GRUB_CMDLINE_LINUX="vsyscall=none "
    state: present
    dest: /etc/default/grub
    create: true
    mode: '0644'
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and ansible_architecture == "x86_64" )
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
    linecheck.rc != 0
  tags:
  - NIST-800-53-CM-7(a)
  - grub2_vsyscall_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Replace existing vsyscall argument
  replace:
    path: /etc/default/grub
    regexp: vsyscall=[a-zA-Z0-9,]+
    replace: vsyscall=none
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and ansible_architecture == "x86_64" )
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and
    linecheck.rc == 0
  tags:
  - NIST-800-53-CM-7(a)
  - grub2_vsyscall_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add vsyscall argument
  replace:
    path: /etc/default/grub
    regexp: (^\s*GRUB_CMDLINE_LINUX=.*)"
    replace: \1 vsyscall=none"
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and ansible_architecture == "x86_64" )
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
    linecheck.rc == 0
  tags:
  - NIST-800-53-CM-7(a)
  - grub2_vsyscall_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="vsyscall=none"
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and ansible_architecture == "x86_64" )
  tags:
  - NIST-800-53-CM-7(a)
  - grub2_vsyscall_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

[customizations.kernel]
append = "vsyscall=none"

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && grep -q x86_64 /proc/sys/kernel/osrelease ); }; then

# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*vsyscall=.*"'  '/etc/default/grub' ; then
       # modify the GRUB command-line if an vsyscall= arg already exists       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)vsyscall=[^[:space:]]\+\(.*\"\)/\1vsyscall=none\2/"  '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX='  '/etc/default/grub' ; then
       # no vsyscall=arg is present, append it
       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 vsyscall=none\"/"  '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
       echo "GRUB_CMDLINE_LINUX=\"vsyscall=none\"" >> '/etc/default/grub'
fi
grubby --update-kernel=ALL --args=vsyscall=none

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable vsyscalls

Description

Rationale

Remediation - Ansible

Remediation - OS Build Blueprint

Remediation - Shell Script