Ensure SMAP is not disabled during boot
An XCCDF Rule
Description
The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
memory pages in the user space, it is enabled by default since Linux kernel 3.7.
But it could be disabled through kernel boot parameters.
Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by
the nosmap
boot paramenter option.
Check that the line
GRUB_CMDLINE_LINUX="..."within
/etc/default/grub
doesn't contain the argument nosmap
.
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --remove-args="nosmap"
Rationale
Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and manipulation of data in the user space.
- ID
- xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-88345-4
- grub2_nosmap_argument_absent
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
grubby --update-kernel=ALL --remove-args=nosmap
else