Enable page allocator poisoning

An XCCDF Rule

Description

To enable poisoning of free pages, add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system. To ensure that page_poison=1 is added as a kernel command line argument to newly installed kernels, add page_poison=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... page_poison=1 ..."

Run the following command to update command line for already installed kernels:

# grubby --update-kernel=ALL --args="page_poison=1"

Rationale

Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

ID: xccdf_org.ssgproject.content_rule_grub2_page_poison_argument
Severity: Medium
References: BP28(R8)

CCI-001084

CM-6(a)

SRG-OS-000134-GPOS-00068 SRG-OS-000480-GPOS-00227
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then

# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*page_poison=.*"'  '/etc/default/grub' ; then
       # modify the GRUB command-line if an page_poison= arg already exists       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)page_poison=[^[:space:]]\+\(.*\"\)/\1page_poison=1\2/"  '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX='  '/etc/default/grub' ; then
       # no page_poison=arg is present, append it
       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 page_poison=1\"/"  '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
       echo "GRUB_CMDLINE_LINUX=\"page_poison=1\"" >> '/etc/default/grub'
fi
grubby --update-kernel=ALL --args=page_poison=1

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

[customizations.kernel]
append = "page_poison=1"

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - grub2_page_poison_argument  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check page_poison argument exists
  command: grep '^\s*GRUB_CMDLINE_LINUX=.*page_poison=' /etc/default/grub
  failed_when: false
  register: argcheck
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"grub2-common" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - grub2_page_poison_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check page_poison argument exists
  command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
  failed_when: false
  register: linecheck
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"grub2-common" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - grub2_page_poison_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add page_poison argument
  ansible.builtin.lineinfile:
    line: GRUB_CMDLINE_LINUX="page_poison=1 "
    state: present
    dest: /etc/default/grub
    create: true
    mode: '0644'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"grub2-common" in ansible_facts.packages'
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
    linecheck.rc != 0
  tags:
  - NIST-800-53-CM-6(a)
  - grub2_page_poison_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Replace existing page_poison argument
  replace:
    path: /etc/default/grub
    regexp: page_poison=[a-zA-Z0-9,]+
    replace: page_poison=1
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"grub2-common" in ansible_facts.packages'
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and
    linecheck.rc == 0
  tags:
  - NIST-800-53-CM-6(a)
  - grub2_page_poison_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add page_poison argument
  replace:
    path: /etc/default/grub
    regexp: (^\s*GRUB_CMDLINE_LINUX=.*)"
    replace: \1 page_poison=1"
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"grub2-common" in ansible_facts.packages'
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
    linecheck.rc == 0
  tags:
  - NIST-800-53-CM-6(a)
  - grub2_page_poison_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="page_poison=1"
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"grub2-common" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - grub2_page_poison_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

Enable page allocator poisoning

Description

Rationale

Remediation - Shell Script

Remediation - OS Build Blueprint

Remediation - Ansible