Skip to content

Configure kernel to zero out memory before allocation

An XCCDF Rule

Description

To configure the kernel to zero out memory before allocating it, add the init_on_alloc=1 argument to the default GRUB 2 command line. To ensure that init_on_alloc=1 is added as a kernel command line argument to newly installed kernels, add init_on_alloc=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... init_on_alloc=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="init_on_alloc=1"

Rationale

When the kernel configuration option init_on_alloc is enabled, all page allocator and slab allocator memory will be zeroed when allocated, eliminating many kinds of "uninitialized heap memory" flaws, effectively preventing data leaks.

ID
xccdf_org.ssgproject.content_rule_grub2_init_on_alloc_argument
Severity
Medium
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_init_on_alloc_argument
  - low_disruption

Remediation - OS Build Blueprint

[customizations.kernel]
append = "init_on_alloc=1"

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

grubby --update-kernel=ALL --args=init_on_alloc=1

else