Do not allow ACPI methods to be inserted/replaced at run time
An XCCDF Rule
Description
This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting
the system.
This configuration is available from kernel 3.0.
The configuration that was used to build the kernel is available at /boot/config-*.
To check the configuration value for CONFIG_ACPI_CUSTOM_METHOD, run the following command:
grep CONFIG_ACPI_CUSTOM_METHOD /boot/config-*
Configs with value 'n' are not explicitly set in the file, so either commented lines or no
lines should be returned.
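The check above can be scripted so that commented "is not set" lines and absent lines both pass while a set value fails. The following is an added example, not part of the rule content; the function names are hypothetical, and it assumes the option may be set to either y or m.

```shell
#!/bin/sh
# Added example: classify CONFIG_ACPI_CUSTOM_METHOD in kernel build configs.
# Function names are hypothetical and not part of the rule or its tooling.

# acpi_custom_method_state FILE
# Prints "enabled" when the option is set to y or m (assumption: both count
# as enabled), "disabled" when the line is absent or only appears as a
# "# CONFIG_ACPI_CUSTOM_METHOD is not set" comment.
acpi_custom_method_state() {
    if grep -Eq '^[[:space:]]*CONFIG_ACPI_CUSTOM_METHOD=(y|m)[[:space:]]*$' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# check_acpi_custom_method FILE...
# Returns 0 when every config passes, 1 when any config enables the option,
# 2 when a file cannot be read (for example an unmatched /boot/config-* glob).
check_acpi_custom_method() {
    result=0
    for cfg in "$@"; do
        if [ ! -r "$cfg" ]; then
            echo "ERROR $cfg: not readable" >&2
            return 2
        fi
        if [ "$(acpi_custom_method_state "$cfg")" = enabled ]; then
            echo "FAIL $cfg: $(grep -E '^[[:space:]]*CONFIG_ACPI_CUSTOM_METHOD=' "$cfg")"
            result=1
        else
            echo "PASS $cfg"
        fi
    done
    return "$result"
}

# Usage on a real system:
#   check_acpi_custom_method /boot/config-*
```
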
Warning
There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
Rationale
Enabling this feature allows root (uid=0) users to write to arbitrary kernel memory, allowing them to bypass certain security measures.
- ID: xccdf_org.ssgproject.content_rule_kernel_config_acpi_custom_method
- Severity: Low
- References
- Updated