Disable vsyscalls in zIPL

An XCCDF Rule

Details
Profiles
Prose

Description

To disable use of virtual syscalls, check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none included in its options.
To ensure that new kernels and boot entries continue to disable virtual syscalls, add vsyscall=none to /etc/kernel/cmdline.

Rationale

Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

ID: xccdf_org.ssgproject.content_rule_zipl_vsyscall_argument
Severity: Medium
References: FPT_ASLR_EXT.1
Updated: about 1 year ago