Disable vsyscalls in zIPL

An XCCDF Rule

Description

To disable use of virtual syscalls, check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none included in its options.
To ensure that new kernels and boot entries continue to disable virtual syscalls, add vsyscall=none to /etc/kernel/cmdline.

Rationale

Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

ID: xccdf_org.ssgproject.content_rule_zipl_vsyscall_argument
Severity: Medium
References: FPT_ASLR_EXT.1

CCE-83381-4
Updated: about 1 year ago

- name: Ensure BLS boot entries options contain vsyscall=none
  block:

  - name: 'Check how many boot entries exist '
    find:
      paths: /boot/loader/entries/      patterns: '*.conf'
    register: n_entries

  - name: Check how many boot entries set vsyscall=none
    find:
      paths: /boot/loader/entries/
      contains: ^options .*vsyscall=none.*$
      patterns: '*.conf'
    register: n_entries_options

  - name: Update boot entries options
    command: grubby --update-kernel=ALL --args="vsyscall=none"
    when: n_entries is defined and n_entries_options is defined and n_entries.matched
      != n_entries_options.matched

  - name: Check if /etc/kernel/cmdline exists
    stat:
      path: /etc/kernel/cmdline
    register: cmdline_stat

  - name: Check if /etc/kernel/cmdline contains vsyscall=none
    find:
      paths: /etc/kernel/
      patterns: cmdline
      contains: ^.*vsyscall=none.*$
    register: cmdline_find

  - name: Add /etc/kernel/cmdline contains vsyscall=none
    lineinfile:
      create: true
      path: /etc/kernel/cmdline
      line: vsyscall=none
    when: cmdline_stat is defined and not cmdline_stat.stat.exists

  - name: Append /etc/kernel/cmdline contains vsyscall=none
    lineinfile:
      path: /etc/kernel/cmdline
      backrefs: true
      regexp: ^(.*)$
      line: \1 vsyscall=none
    when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is
      defined and cmdline_find.matched == 0
  when:
  - ansible_architecture == "s390x"
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83381-4
  - configure_strategy
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - zipl_vsyscall_argument

# Remediation is applicable only in certain platforms
if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Correct BLS option using grubby, which is a thin wrapper around BLS operations
grubby --update-kernel=ALL --args="vsyscall=none"
# Ensure new kernels and boot entries retain the boot option
if [ ! -f /etc/kernel/cmdline ]; then
    echo "vsyscall=none" > /etc/kernel/cmdline
elif ! grep -q '^(.*\s)?vsyscall=none(\s.*)?$' /etc/kernel/cmdline; then
    
    sed -Ei 's/^(.*)$/\1 vsyscall=none/' /etc/kernel/cmdline
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable vsyscalls in zIPL

Description

Rationale

Remediation - Ansible

Remediation - Shell Script