Enable Kernel Page-Table Isolation (KPTI)

An XCCDF Rule

Details
Profiles
Prose

Description

To enable Kernel page-table isolation, add the argument pti=on to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).

ID: xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument
Severity: High
References: SI-16

SRG-OS-000433-GPOS-00193

CCE-82497-9
Updated: about 1 year ago


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
  kernelArguments:
    - pti=on

Enable Kernel Page-Table Isolation (KPTI)

Description

Rationale

Remediation - Kubernetes Patch