Disable vsyscalls

An XCCDF Rule

Details
Profiles
Prose

Description

To disable use of virtual syscalls, add the argument vsyscall=none to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

ID: xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument
Severity: Medium
References: CM-7(a)

SRG-OS-000480-GPOS-00227

SRG-APP-000243-CTR-000600

CCE-82674-3
Updated: about 1 year ago


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
  kernelArguments:
    - vsyscall=none

Disable vsyscalls

Description

Rationale

Remediation - Kubernetes Patch