Configure kernel to zero out memory before allocation in zIPL

An XCCDF Rule

Description

To ensure that the kernel is configured to zero out memory before allocation, check that all boot entries in /boot/loader/entries/*.conf have init_on_alloc=1 included in its options.
To ensure that new kernels and boot entries continue to zero out memory before allocation, add init_on_alloc=1 to /etc/kernel/cmdline.

Rationale

When the kernel configuration option init_on_alloc is enabled, all page allocator and slab allocator memory will be zeroed when allocated, eliminating many kinds of "uninitialized heap memory" flaws, effectively preventing data leaks.

ID: xccdf_org.ssgproject.content_rule_zipl_init_on_alloc_argument
Severity: Medium
References: CCE-85868-8
Updated: about 1 year ago

- name: Ensure BLS boot entries options contain init_on_alloc=1
  block:

  - name: 'Check how many boot entries exist '
    find:
      paths: /boot/loader/entries/      patterns: '*.conf'
    register: n_entries

  - name: Check how many boot entries set init_on_alloc=1
    find:
      paths: /boot/loader/entries/
      contains: ^options .*init_on_alloc=1.*$
      patterns: '*.conf'
    register: n_entries_options

  - name: Update boot entries options
    command: grubby --update-kernel=ALL --args="init_on_alloc=1"
    when: n_entries is defined and n_entries_options is defined and n_entries.matched
      != n_entries_options.matched

  - name: Check if /etc/kernel/cmdline exists
    stat:
      path: /etc/kernel/cmdline
    register: cmdline_stat

  - name: Check if /etc/kernel/cmdline contains init_on_alloc=1
    find:
      paths: /etc/kernel/
      patterns: cmdline
      contains: ^.*init_on_alloc=1.*$
    register: cmdline_find

  - name: Add /etc/kernel/cmdline contains init_on_alloc=1
    lineinfile:
      create: true
      path: /etc/kernel/cmdline
      line: init_on_alloc=1
    when: cmdline_stat is defined and not cmdline_stat.stat.exists

  - name: Append /etc/kernel/cmdline contains init_on_alloc=1
    lineinfile:
      path: /etc/kernel/cmdline
      backrefs: true
      regexp: ^(.*)$
      line: \1 init_on_alloc=1
    when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is
      defined and cmdline_find.matched == 0
  when:
  - ansible_architecture == "s390x"
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85868-8
  - configure_strategy
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - zipl_init_on_alloc_argument

# Remediation is applicable only in certain platforms
if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Correct BLS option using grubby, which is a thin wrapper around BLS operations
grubby --update-kernel=ALL --args="init_on_alloc=1"
# Ensure new kernels and boot entries retain the boot option
if [ ! -f /etc/kernel/cmdline ]; then
    echo "init_on_alloc=1" > /etc/kernel/cmdline
elif ! grep -q '^(.*\s)?init_on_alloc=1(\s.*)?$' /etc/kernel/cmdline; then
    
    sed -Ei 's/^(.*)$/\1 init_on_alloc=1/' /etc/kernel/cmdline
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure kernel to zero out memory before allocation in zIPL

Description

Rationale

Remediation - Ansible

Remediation - Shell Script