
Perform full reference count validation

An XCCDF Rule

Description

Enabling this option switches the kernel's refcounting infrastructure from a fast, unchecked atomic_t implementation to a fully state-checked one, at a slight cost in performance. The option was introduced in kernel 4.13, but a distribution may have backported it to an older kernel. The configuration used to build each installed kernel is available at /boot/config-*. To check the value of CONFIG_REFCOUNT_FULL, run:

grep CONFIG_REFCOUNT_FULL /boot/config-*

For each installed kernel, a line with the value "y" should be returned. Note that kernel 5.5 removed the option and made the checked implementation unconditional, so on 5.5 and later kernels the command returns nothing for this option even though the protection is present.
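The grep above is the rule's check; the following script is an added example (not part of the SSG rule content) that classifies every config file as enabled, disabled or absent so that an auditor can tell a kernel that fails the rule apart from one where the option simply does not exist. The config files it examines are constructed in a temporary directory purely for demonstration; point check_all_configs at /boot/config-* on a real system.

```shell
#!/bin/sh
# Added example: audit CONFIG_REFCOUNT_FULL across kernel config files.
# Not part of the SSG rule content; the sample configs below are constructed.

# Report the state of CONFIG_REFCOUNT_FULL in one kernel config file.
# Prints exactly one word: enabled, disabled, or absent.
# "absent" means the option does not appear at all, which is the case both
# for kernels older than 4.13 (no checked refcounting available) and for
# kernels 5.5 and later (checked refcounting is unconditional), so it needs
# a human or version-aware decision rather than an automatic fail.
refcount_full_state() {
    file="$1"
    if grep -qx 'CONFIG_REFCOUNT_FULL=y' "$file"; then
        echo enabled
    elif grep -qx '# CONFIG_REFCOUNT_FULL is not set' "$file"; then
        echo disabled
    elif grep -q '^CONFIG_REFCOUNT_FULL=' "$file"; then
        # Present with some other value: the checked implementation is not on.
        echo disabled
    else
        echo absent
    fi
}

# Check every config file given as an argument; print one line per file and
# return 0 only if every file has the option enabled.
check_all_configs() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        state=$(refcount_full_state "$f")
        printf '%s: %s\n' "$f" "$state"
        [ "$state" = enabled ] || rc=1
    done
    return $rc
}

# Write three constructed sample configs into the directory given as $1.
# These mimic the /boot/config-<version> naming but are not real kernel configs.
write_sample_configs() {
    dir="$1"
    printf 'CONFIG_BUG=y\nCONFIG_REFCOUNT_FULL=y\n' > "$dir/config-4.19.0-good"
    printf 'CONFIG_BUG=y\n# CONFIG_REFCOUNT_FULL is not set\n' > "$dir/config-4.19.0-bad"
    printf 'CONFIG_BUG=y\n' > "$dir/config-5.10.0-absent"
}

# Demonstration run against the constructed files.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
if check_all_configs "$demo_dir"/config-*; then
    echo "all kernels pass"
else
    echo "at least one kernel does not have CONFIG_REFCOUNT_FULL=y"
fi
rm -rf "$demo_dir"
```

On a real host, replace the demonstration block with `check_all_configs /boot/config-*`; the exit status can feed directly into a compliance job, while the per-file output shows which kernel needs attention.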

Warning

There is no remediation for this besides recompiling the kernel with CONFIG_REFCOUNT_FULL set to the appropriate value.

Rationale

Checked refcounting detects reference-count overflow and underflow and saturates the counter instead of letting it wrap, so an object that is still in use cannot be freed through a miscounted reference. This blocks a class of use-after-free conditions that are commonly turned into security exploits.

ID
xccdf_org.ssgproject.content_rule_kernel_config_refcount_full
Severity
Medium