
Randomize the kernel memory sections

An XCCDF Rule

Description

Randomizes the base virtual address of kernel memory sections (physical memory mapping, vmalloc & vmemmap). This configuration is available from kernel 4.8, but may be available on older kernels if backported by distributions. The configuration that was used to build the kernel is available at /boot/config-*. To check the configuration value for CONFIG_RANDOMIZE_MEMORY, run the following command:

grep CONFIG_RANDOMIZE_MEMORY /boot/config-*

For each kernel installed, a line with value "y" should be returned.
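The check above, written out as a script that reports one verdict per installed kernel. This is an added example, not part of the rule or of the SCAP Security Guide content; the function names, the directory argument and the sample config files in the test are constructed for illustration. It anchors the match on the option name so that the related CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING option, which the plain grep also prints, is not mistaken for a result, and it distinguishes "disabled" (the option is present but commented out as "is not set") from "missing" (a kernel too old to have the option at all).

```shell
#!/bin/sh
# Added example: evaluate CONFIG_RANDOMIZE_MEMORY in kernel build configs.
# Usage: sh check_randomize_memory.sh /boot

# Inspect one /boot/config-<version> file.
# Prints pass | disabled | missing | unreadable; returns 0 only on pass.
check_randomize_memory_file() {
    file="$1"
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    # Anchor on the full option name: the loose grep from the rule text also
    # matches CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=... lines.
    if grep -q '^CONFIG_RANDOMIZE_MEMORY=y$' "$file"; then
        echo "pass"; return 0
    elif grep -q '^# CONFIG_RANDOMIZE_MEMORY is not set$' "$file"; then
        # Option known to this kernel but compiled out.
        echo "disabled"; return 1
    else
        # Option absent entirely (kernel older than 4.8 without a backport).
        echo "missing"; return 1
    fi
}

# Evaluate every config-* file under a directory (default /boot).
# Returns 0 only if every installed kernel passes; 2 if none were found.
check_all_installed_kernels() {
    dir="${1:-/boot}"
    rc=0
    for f in "$dir"/config-*; do
        # An unmatched glob leaves the literal pattern; treat that as "none found".
        [ -e "$f" ] || { echo "no config-* files found under $dir"; return 2; }
        printf '%s: ' "$f"
        check_randomize_memory_file "$f" || rc=1
    done
    return $rc
}

# Run the whole-directory check only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    check_all_installed_kernels "$1"
fi
```

Note that /boot/config-* reflects the kernels installed on disk, not necessarily the one running; on kernels built with CONFIG_IKCONFIG_PROC the running kernel's configuration can be read from /proc/config.gz instead.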

Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

This security feature makes exploits relying on predictable memory locations less reliable.

ID
xccdf_org.ssgproject.content_rule_kernel_config_randomize_memory
Severity
Medium