Configure kernel to zero out memory before allocation
An XCCDF Rule
Description
To configure the kernel to zero out memory before allocating it, add the
init_on_alloc=1
argument to the default GRUB 2 command line.
To ensure that init_on_alloc=1 is added as a kernel command line argument to
newly installed kernels, add init_on_alloc=1 to the default GRUB 2 command
line for Linux operating systems. Modify the line within /etc/default/grub
as shown below:
GRUB_CMDLINE_LINUX="... init_on_alloc=1 ..."
Run the following command to update the command line for already installed kernels:
# grubby --update-kernel=ALL --args="init_on_alloc=1"
The argument only takes effect at the next boot. After rebooting, confirm that the running kernel actually has it:
# grep -w init_on_alloc=1 /proc/cmdline
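The audit and remediation steps above, as an added example script that is not part of the SSG rule or its shipped remediations. It assumes GRUB_CMDLINE_LINUX is written in the double-quoted form shown above; the --apply flag and the function names are this example's own choices. Run without arguments it defines the functions only; with --apply it edits /etc/default/grub, updates installed kernels through grubby, and then reports whether the running kernel already has the argument.

```shell
#!/bin/bash
# Added example, not SSG remediation content: audit and idempotently
# remediate the init_on_alloc=1 kernel argument. The --apply flag and the
# function names are this example's own conventions.
set -u

ARG="init_on_alloc=1"

# Return 0 if a kernel command line (the contents of /proc/cmdline, or the
# value of GRUB_CMDLINE_LINUX) contains the argument as a whole token, so
# init_on_alloc=0 or init_on_alloc=10 do not count.
cmdline_has_arg() {
    case " $1 " in
        *" $ARG "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Audit the kernel that is currently running (or a saved cmdline file).
# The GRUB change only takes effect at the next boot, so this is the check
# that proves the hardening is actually active.
audit_running_kernel() {
    local file="${1:-/proc/cmdline}" cmdline
    cmdline=$(cat "$file")
    if cmdline_has_arg "$cmdline"; then
        echo "PASS: kernel booted with $ARG"
        return 0
    fi
    echo "FAIL: $file lacks $ARG (reboot required after remediation)"
    return 1
}

# Make GRUB_CMDLINE_LINUX in an /etc/default/grub style file carry the
# argument exactly once; add the variable if the file has none. Only the
# double-quoted form GRUB_CMDLINE_LINUX="..." is handled.
ensure_grub_default() {
    local file="$1" current new
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$file" | tail -n 1)
    if cmdline_has_arg "$current"; then
        return 0                      # already present: nothing to do
    fi
    if [ -n "$current" ]; then new="$current $ARG"; else new="$ARG"; fi
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        # Rewrite the line via awk rather than sed -i: no escaping surprises
        # for the existing arguments and no GNU-only flags.
        awk -v repl="GRUB_CMDLINE_LINUX=\"$new\"" \
            '/^GRUB_CMDLINE_LINUX=/ { print repl; next } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new" >> "$file"
    fi
    return 0
}

# Push the argument into every installed kernel's boot entry. grubby keeps
# its own arguments per entry, so editing /etc/default/grub alone only
# covers kernels installed later.
remediate_installed_kernels() {
    if command -v grubby >/dev/null 2>&1; then
        grubby --update-kernel=ALL --args="$ARG"
    else
        echo "grubby not found: regenerate grub.cfg with your distribution's tool" >&2
        return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    ensure_grub_default /etc/default/grub
    remediate_installed_kernels
    audit_running_kernel || true
fi
```

The whole-token match in cmdline_has_arg matters: a scanner that greps for the substring init_on_alloc=1 would pass a host booted with init_on_alloc=10 or miss nothing on init_on_alloc=0, and neither is the hardened state.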
Rationale
When init_on_alloc is enabled, either through this boot argument or by
building the kernel with CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, all page
allocator and slab allocator memory is zeroed when allocated, eliminating
many kinds of "uninitialized heap memory" flaws and the kernel information
leaks they enable. The zeroing costs a small amount of allocation
throughput, and it does not cover uninitialized stack variables, which
need separate compiler-level initialization.
- ID
- xccdf_org.ssgproject.content_rule_grub2_init_on_alloc_argument
- Severity
- Medium
- Updated
Remediation - OS Build Blueprint
[customizations.kernel]
append = "init_on_alloc=1"
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_init_on_alloc_argument
  - low_disruption
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
    grubby --update-kernel=ALL --args=init_on_alloc=1
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi