Skip to content
Log In

Enable SLUB/SLAB allocator poisoning

An XCCDF Rule

Description

To enable poisoning of SLUB/SLAB objects, add the argument slub_debug= to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain slub_debug= as follows: 
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slub_debug="

Rationale

Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

ID
xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
Severity
Medium
References
Updated

Remediation Templates

OS Build Blueprint

[customizations.kernel]
append = "slub_debug=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"/>"

An Ansible Snippet

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - grub2_slub_debug_argument

script:kickstart

bootloader slub_debug=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"/>

A Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel && { rpm --quiet -q grub2-common; }; then
var_slub_debug_options='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"/>'