Skip to content

Enable SLUB/SLAB allocator poisoning

An XCCDF Rule

Description

To enable poisoning of SLUB/SLAB objects, add the argument slub_debug= to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain slub_debug= as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slub_debug="

Rationale

Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

ID
xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
Severity
Medium
References
Updated



Remediation - OS Build Blueprint

[customizations.kernel]
append = "slub_debug=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"/>"

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then

var_slub_debug_options='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"/>'



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - grub2_slub_debug_argument