Enable SLUB/SLAB allocator poisoning in zIPL

An XCCDF Rule

Description

To enable poisoning of SLUB/SLAB objects, check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P included in its options.
To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects, add slub_debug=P to /etc/kernel/cmdline.

Rationale

Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

ID: xccdf_org.ssgproject.content_rule_zipl_slub_debug_argument
Severity: Medium
References: CCE-83371-5
Updated: about 1 year ago

- name: Ensure BLS boot entries options contain slub_debug=P
  block:

  - name: 'Check how many boot entries exist '
    find:
      paths: /boot/loader/entries/      patterns: '*.conf'
    register: n_entries

  - name: Check how many boot entries set slub_debug=P
    find:
      paths: /boot/loader/entries/
      contains: ^options .*slub_debug=P.*$
      patterns: '*.conf'
    register: n_entries_options

  - name: Update boot entries options
    command: grubby --update-kernel=ALL --args="slub_debug=P"
    when: n_entries is defined and n_entries_options is defined and n_entries.matched
      != n_entries_options.matched

  - name: Check if /etc/kernel/cmdline exists
    stat:
      path: /etc/kernel/cmdline
    register: cmdline_stat

  - name: Check if /etc/kernel/cmdline contains slub_debug=P
    find:
      paths: /etc/kernel/
      patterns: cmdline
      contains: ^.*slub_debug=P.*$
    register: cmdline_find

  - name: Add /etc/kernel/cmdline contains slub_debug=P
    lineinfile:
      create: true
      path: /etc/kernel/cmdline
      line: slub_debug=P
    when: cmdline_stat is defined and not cmdline_stat.stat.exists

  - name: Append /etc/kernel/cmdline contains slub_debug=P
    lineinfile:
      path: /etc/kernel/cmdline
      backrefs: true
      regexp: ^(.*)$
      line: \1 slub_debug=P
    when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is
      defined and cmdline_find.matched == 0
  when:
  - ansible_architecture == "s390x"
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83371-5
  - configure_strategy
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - zipl_slub_debug_argument

# Remediation is applicable only in certain platforms
if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Correct BLS option using grubby, which is a thin wrapper around BLS operations
grubby --update-kernel=ALL --args="slub_debug=P"
# Ensure new kernels and boot entries retain the boot option
if [ ! -f /etc/kernel/cmdline ]; then
    echo "slub_debug=P" > /etc/kernel/cmdline
elif ! grep -q '^(.*\s)?slub_debug=P(\s.*)?$' /etc/kernel/cmdline; then
    
    sed -Ei 's/^(.*)$/\1 slub_debug=P/' /etc/kernel/cmdline
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable SLUB/SLAB allocator poisoning in zIPL

Description

Rationale

Remediation - Ansible

Remediation - Shell Script