Ensure SMAP is not disabled during boot
An XCCDF Rule
Description
The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
memory pages in the user space, it is enabled by default since Linux kernel 3.7.
But it could be disabled through kernel boot parameters.
Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by
the nosmap
boot paramenter option.
Check that the line
GRUB_CMDLINE_LINUX="..."within
/etc/default/grub
doesn't contain the argument nosmap
.
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --remove-args="nosmap"
Rationale
Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and manipulation of data in the user space.
- ID
- xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- grub2_nosmap_argument_absent
- low_disruption
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2 && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*nosmap=.*"' '/etc/default/grub' ; then
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)nosmap=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'