Disable merging of slabs with similar size
An XCCDF Rule
Description
The kernel may merge similar slabs together to reduce overhead and increase
cache hotness of objects.
Disabling merging of slabs keeps the slabs separate and reduces the risk of
kernel heap overflows overwriting objects in merged caches.
To disable merging of slabs in the kernel, add the argument slab_nomerge=yes to the default GRUB 2 command line for the Linux operating system.
To ensure that slab_nomerge=yes is added as a kernel command line argument to newly installed kernels, add slab_nomerge=yes to the default GRUB 2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... slab_nomerge=yes ..."
Run the following command to update the command line for already installed kernels:
# grubby --update-kernel=ALL --args="slab_nomerge=yes"
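As an added example (not part of the SSG rule content), a small POSIX sh audit that checks the two places the procedure above touches: the running kernel's /proc/cmdline and the GRUB_CMDLINE_LINUX line in /etc/default/grub. The function names and PASS/FAIL output format are my own; the note that any slab_nomerge=<value> form enables the option comes from the kernel's setup_slab_nomerge(), which ignores the value.

```shell
#!/bin/sh
# Added audit helpers, not part of the SSG rule content. The string-handling
# functions take their input as arguments so they can be run on constructed text.

# cmdline_has_slab_nomerge CMDLINE -> 0 if the kernel command line carries it.
# The kernel's setup_slab_nomerge() ignores any value after "=", so a bare
# "slab_nomerge" and every "slab_nomerge=<value>" form enable it; the rule
# standardises on slab_nomerge=yes, which this check accepts as well.
cmdline_has_slab_nomerge() {
    for arg in $1; do
        case "$arg" in
            slab_nomerge|slab_nomerge=*) return 0 ;;
        esac
    done
    return 1
}

# grub_cmdline_value TEXT -> prints the value of the last GRUB_CMDLINE_LINUX=
# assignment in TEXT (the contents of /etc/default/grub), quotes stripped.
# Commented-out lines and GRUB_CMDLINE_LINUX_DEFAULT are deliberately ignored.
grub_cmdline_value() {
    line=$(printf '%s\n' "$1" | grep '^[[:space:]]*GRUB_CMDLINE_LINUX=' | tail -n 1)
    [ -n "$line" ] || return 1
    value=${line#*=}      # drop the variable name and "="
    value=${value#\"}     # drop the opening quote
    value=${value%\"}     # drop the closing quote
    printf '%s\n' "$value"
}

# grub_default_has_slab_nomerge TEXT -> 0 if the GRUB default carries it.
grub_default_has_slab_nomerge() {
    value=$(grub_cmdline_value "$1") || return 1
    cmdline_has_slab_nomerge "$value"
}

# audit_slab_nomerge -> prints one PASS/FAIL line per check on this host and
# returns 0 only if both the running kernel and the GRUB default are compliant.
audit_slab_nomerge() {
    rc=0
    if cmdline_has_slab_nomerge "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "PASS running kernel booted with slab_nomerge"
    else
        echo "FAIL running kernel booted without slab_nomerge"; rc=1
    fi
    if [ -r /etc/default/grub ] && grub_default_has_slab_nomerge "$(cat /etc/default/grub)"; then
        echo "PASS /etc/default/grub sets slab_nomerge"
    else
        echo "FAIL /etc/default/grub does not set slab_nomerge"; rc=1
    fi
    return $rc
}
```

Source the file and call audit_slab_nomerge on the host under review; a PASS on /etc/default/grub with a FAIL on the running kernel means the default was edited but grubby was not run or the system has not been rebooted.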
Warning: Performance Warning
Rationale
Disabling the merging of slabs of similar sizes prevents the kernel from merging a seemingly useless but vulnerable slab with a useful and valuable slab. Merging increases the risk that a heap overflow could overwrite objects from merged caches; with unmerged caches, a heap overflow would only affect the objects in the same cache. Overall, this reduces the kernel attack surface by isolating slabs from each other.
ID: xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument
Severity: Medium
Remediation - OS Build Blueprint
[customizations.kernel]
append = "slab_nomerge=yes"
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*slab_nomerge=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if a slab_nomerge= arg already exists
sed -i 's/\(^\s*GRUB_CMDLINE_LINUX=".*\)slab_nomerge=[^[:space:]"]*\(.*"\)/\1slab_nomerge=yes\2/' '/etc/default/grub'
else  # otherwise append slab_nomerge=yes inside the closing quote (completes the truncated script)
sed -i 's/\(^\s*GRUB_CMDLINE_LINUX=".*\)"/\1 slab_nomerge=yes"/' '/etc/default/grub'
fi
grubby --update-kernel=ALL --args="slab_nomerge=yes"; fi
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - grub2_slab_nomerge_argument
    - low_disruption
# Task added to complete the truncated playbook: apply the argument with grubby
- name: Add slab_nomerge=yes to the command line of all installed kernels
  command: /sbin/grubby --update-kernel=ALL --args="slab_nomerge=yes"
  when: '"grub2-common" in ansible_facts.packages'