Enable SLUB/SLAB allocator poisoning in zIPL
An XCCDF Rule
Description
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P
included in its options.
To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,
add slub_debug=P to /etc/kernel/cmdline.
Rationale
Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.
- ID
- xccdf_org.ssgproject.content_rule_zipl_slub_debug_argument
- Severity
- Medium
- Updated