Skip to content

Disable vsyscalls

An XCCDF Rule

Description

To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system. To ensure that vsyscall=none is added as a kernel command line argument to newly installed kernels, add vsyscall=none to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... vsyscall=none ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="vsyscall=none"

Rationale

Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

ID
xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
Severity
Medium
References
Updated



Remediation - OS Build Blueprint

[customizations.kernel]
append = "vsyscall=none"

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*vsyscall=.*"'  '/etc/default/grub' ; then
       # modify the GRUB command-line if an vsyscall= arg already exists

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-7(a)
  - grub2_vsyscall_argument