Enable Kernel Page-Table Isolation (KPTI)
An XCCDF Rule
Description
To enable Kernel page-table isolation, add the argument pti=on to the default GRUB 2 command line for the Linux operating system.
To ensure that pti=on is added as a kernel command line argument to newly installed kernels, add pti=on to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... pti=on ..."
Run the following command to update the command line for already installed kernels:
# grubby --update-kernel=ALL --args="pti=on"
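An added audit script (not part of the SCAP Security Guide content) that checks the three places this rule touches: the running kernel's command line, the GRUB_CMDLINE_LINUX value in /etc/default/grub, and the kernel's own Meltdown mitigation report. The helper functions take their input as arguments so they can be exercised against constructed sample data; the paths in audit_pti are the standard ones.

```shell
#!/bin/sh
# Added example, not from the rule's own remediation content.

# Return 0 when a kernel command line string carries pti=on as a whole
# argument, so "nopti" or "pti=off" does not count as a match.
cmdline_has_pti_on() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | grep -qx 'pti=on'
}

# Return 0 when the /etc/default/grub-style file given as $1 has pti=on
# inside its (last) GRUB_CMDLINE_LINUX value; quotes of either kind are
# stripped before the check.
grub_default_has_pti_on() {
    line=$(grep -E '^GRUB_CMDLINE_LINUX=' "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1
    value=${line#GRUB_CMDLINE_LINUX=}
    value=${value#[\"\']}
    value=${value%[\"\']}
    cmdline_has_pti_on "$value"
}

# Audit the live system. Returns 0 only if both the running kernel and the
# GRUB default carry pti=on; the sysfs line is reported for context because
# the kernel may still apply PTI on vulnerable CPUs even without the argument.
audit_pti() {
    rc=0
    running=$(cat /proc/cmdline 2>/dev/null)
    if cmdline_has_pti_on "$running"; then
        echo "running kernel: pti=on present"
    else
        echo "running kernel: pti=on MISSING"; rc=1
    fi
    if grub_default_has_pti_on /etc/default/grub; then
        echo "/etc/default/grub: pti=on present"
    else
        echo "/etc/default/grub: pti=on MISSING (new kernels will not get it)"; rc=1
    fi
    status=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)
    echo "kernel meltdown status: ${status:-unknown}"
    return $rc
}
```

Run `audit_pti` on a host to get one line per check and a non-zero exit status when either configured location lacks the argument.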
Rationale
Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).
- ID
- xccdf_org.ssgproject.content_rule_grub2_pti_argument
- Severity
- Low
Remediation - OS Build Blueprint
[customizations.kernel]
append = "pti=on"
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - DISA-STIG-OL08-00-040004
    - NIST-800-53-SI-16
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
    grubby --update-kernel=ALL --args=pti=on --env=/boot/grub2/grubenv
else
    # Closing branch added here; the script as presented on the page was cut off after "else"
    >&2 echo 'Remediation is not applicable, nothing was done'
fi