OpenShift must enable poisoning of SLUB/SLAB objects.

An XCCDF Rule

Description

By enabling poisoning of SLUB/SLAB objects, OpenShift can detect and identify use-after-free scenarios more effectively. The poisoned objects are marked as invalid or inaccessible, causing crashes or triggering alerts when an application attempts to access them. This helps identify and mitigate potential security vulnerabilities before they can be exploited.

ID: SV-257550r961149_rule
Version: CNTR-OS-000580
Severity: Medium
References: CCI-001090
Updated: about 2 months ago

Remediation Templates

Apply the machine config to enable poisoning of SLUB/SLAB objects by executing the following:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:  name: 05-kernelarg-slub-debug-$mcpool
  labels:
    machineconfiguration.openshift.io/role: $mcpool
spec:
  config:
    ignition:
      version: 3.1.0
  kernelArguments:
  - slub_debug=P
" | oc apply -f -
done

OpenShift must enable poisoning of SLUB/SLAB objects.

Description

Remediation Templates

A Manual Procedure