
Ensure SMAP is not disabled during boot

An XCCDF Rule

Description

Supervisor Mode Access Prevention (SMAP) prevents supervisor-mode code from unintentionally reading or writing memory pages in user space. It is enabled by default since Linux kernel 3.7, but it can be disabled through kernel boot parameters. Ensure that SMAP is not disabled by the nosmap boot parameter. Check that the line

GRUB_CMDLINE_LINUX="..."
within /etc/default/grub does not contain the argument nosmap. Run the following command to update the command line of already installed kernels:
# grubby --update-kernel=ALL --remove-args="nosmap"
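The check above covers only the GRUB default file, which is read when a new kernel is installed; kernels that are already installed keep their own argument list (hence the grubby command), and the running kernel keeps whatever it booted with until the next reboot. The following audit helper is an added example, not part of the SSG rule or its remediation content; it takes file paths as arguments so it can be run against constructed samples, and it assumes the default /proc/cmdline path and that grubby is in PATH.

```shell
#!/bin/sh
# Added audit helper (not SSG rule content): report whether the "nosmap"
# kernel argument is set in a GRUB default file, in the running kernel's
# command line, or in the args of boot entries known to grubby.

# has_nosmap_token TEXT: exit 0 if TEXT contains a standalone "nosmap"
# token, with or without "=value". Tokens such as "nosmap_x" or "xnosmap"
# do not count, which is how the kernel itself tokenizes boot parameters.
has_nosmap_token() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]"])nosmap(=[^[:space:]"]*)?([[:space:]"]|$)'
}

# grub_default_has_nosmap FILE: inspect the last GRUB_CMDLINE_LINUX= line
# of an /etc/default/grub style file (the check the rule description asks for).
grub_default_has_nosmap() {
    _line=$(grep '^GRUB_CMDLINE_LINUX=' "$1" 2>/dev/null | tail -n 1)
    has_nosmap_token "$_line"
}

# running_kernel_has_nosmap [CMDLINE_FILE]: the running kernel is not affected
# by edits to the GRUB config until reboot, so check /proc/cmdline as well.
# The path argument exists only so the function can be tested on a sample file.
running_kernel_has_nosmap() {
    has_nosmap_token "$(cat "${1:-/proc/cmdline}")"
}

# installed_kernels_with_nosmap: print the kernel path of every boot entry
# reported by 'grubby --info=ALL' whose args= line carries nosmap. These
# entries are what 'grubby --update-kernel=ALL --remove-args=nosmap' fixes.
installed_kernels_with_nosmap() {
    grubby --info=ALL 2>/dev/null | awk '
        /^kernel=/ { sub(/^kernel=/, ""); kernel = $0 }
        /^args=/   { if ($0 ~ /(^|[[:space:]"])nosmap(=[^[:space:]"]*)?([[:space:]"]|$)/) print kernel }'
}

# audit_grub_file FILE: print a PASS/FAIL finding for FILE; return 1 when
# nosmap is present so the function can be used as a check in scripts.
audit_grub_file() {
    if grub_default_has_nosmap "$1"; then
        echo "FAIL: $1: GRUB_CMDLINE_LINUX contains nosmap (SMAP will be disabled at next boot)"
        return 1
    fi
    echo "PASS: $1: GRUB_CMDLINE_LINUX does not contain nosmap"
    return 0
}
```

A full audit runs all three: audit_grub_file /etc/default/grub, running_kernel_has_nosmap, and installed_kernels_with_nosmap; a system is only clean when the default file, every installed entry and the running kernel all lack the argument.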

Rationale

Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and manipulation of data in the user space.

ID
xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_nosmap_argument_absent
  - low_disruption

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2 && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Correct the form of default kernel command line in GRUB.
# nosmap takes no value, so match the bare token as well as "nosmap=...",
# and require a delimiter after it so that unrelated tokens are left alone.
if grep -Eq '^GRUB_CMDLINE_LINUX=.*\bnosmap(=[^[:space:]"]*)?[[:space:]"]' '/etc/default/grub' ; then
       sed -i -E 's/(^GRUB_CMDLINE_LINUX=".*)\bnosmap(=[^[:space:]"]*)?([[:space:]"].*")/\1\3/' '/etc/default/grub'
fi

# Remove the argument from kernels that are already installed
grubby --update-kernel=ALL --remove-args="nosmap"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi