Enable SLUB/SLAB allocator poisoning

An XCCDF Rule

Details
Profiles
Prose

Description

To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=P to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

ID: xccdf_org.ssgproject.content_rule_coreos_slub_debug_kernel_argument
Severity: Medium
References: CM-6(a)

SRG-APP-000243-CTR-000600

CCE-82672-7
Updated: about 1 year ago


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
  kernelArguments:
    - slub_debug=P

Enable SLUB/SLAB allocator poisoning

Description

Rationale

Remediation - Kubernetes Patch