Enable SLUB/SLAB allocator poisoning

An XCCDF Rule

Description

To enable poisoning of SLUB/SLAB objects, add the argument slub_debug= to the default GRUB 2 command line for the Linux operating system. To ensure that slub_debug= is added as a kernel command line argument to newly installed kernels, add slub_debug= to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... slub_debug= ..."

Run the following command to update command line for already installed kernels:

# grubby --update-kernel=ALL --args="slub_debug="

Rationale

Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

ID: xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
Severity: Medium
References: BP28(R8)

CCI-001084

CM-6(a)

SRG-OS-000134-GPOS-00068 SRG-OS-000433-GPOS-00192

RHEL-08-010423

SV-230279r792888_rule

CCE-80945-9
Updated: about 1 year ago

[customizations.kernel]
append = "slub_debug=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"/>"

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-80945-9
  - DISA-STIG-RHEL-08-010423  - NIST-800-53-CM-6(a)
  - grub2_slub_debug_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy
- name: XCCDF Value var_slub_debug_options # promote to variable
  set_fact:
    var_slub_debug_options: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"/>
  tags:
    - always

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="slub_debug={{ var_slub_debug_options
    }}"
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"grub2-common" in ansible_facts.packages'
  tags:
  - CCE-80945-9
  - DISA-STIG-RHEL-08-010423
  - NIST-800-53-CM-6(a)
  - grub2_slub_debug_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then

var_slub_debug_options='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"/>'


grubby --update-kernel=ALL --args=slub_debug=$var_slub_debug_options --env=/boot/grub2/grubenv

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable SLUB/SLAB allocator poisoning

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Ansible

Remediation - Shell Script