Disable vsyscalls

An XCCDF Rule

Description

To disable the use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for Linux. Setting it there also ensures that newly installed kernels receive vsyscall=none as a kernel command line argument. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... vsyscall=none ..."
Run the following command to update the command line of already installed kernels:
# grubby --update-kernel=ALL --args="vsyscall=none"

Warning

The vsyscall emulation is only available on the x86_64 architecture (CONFIG_X86_VSYSCALL_EMULATION), so this rule does not apply to other CPU architectures.
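The following audit helper is an added example and is not part of the SCAP Security Guide content. It checks whether a kernel command line (the running one from /proc/cmdline, or the GRUB_CMDLINE_LINUX value that /etc/default/grub would hand to new kernels) actually carries vsyscall=none, treating a later vsyscall= token as overriding an earlier one because the kernel applies the last occurrence; the sample command lines are constructed.

```shell
#!/bin/sh
# Added audit helper (not SCAP Security Guide code): verify vsyscall=none is in effect.

# has_vsyscall_none CMDLINE
# Succeeds only if the LAST vsyscall= token is "none": the kernel's
# early_param handler runs for every occurrence, so a later
# vsyscall=emulate or vsyscall=xonly silently overrides an earlier none.
has_vsyscall_none() {
    last=""
    for tok in $1; do
        case "$tok" in
            vsyscall=*) last="${tok#vsyscall=}" ;;
        esac
    done
    [ "$last" = "none" ]
}

# grub_default_has_vsyscall_none FILE
# Reads the (last) GRUB_CMDLINE_LINUX= line from a grub defaults file,
# strips surrounding quotes and applies the same check, so it reports
# whether newly installed kernels would inherit vsyscall=none.
grub_default_has_vsyscall_none() {
    line=$(grep -E '^GRUB_CMDLINE_LINUX=' "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1
    val=$(printf '%s\n' "$line" | sed -e 's/^GRUB_CMDLINE_LINUX=//' \
                                      -e "s/^['\"]//" -e "s/['\"]\$//")
    has_vsyscall_none "$val"
}

# report LABEL CMDLINE: one PASS/FAIL line per input
report() {
    if has_vsyscall_none "$2"; then echo "PASS  $1"; else echo "FAIL  $1"; fi
}

# Constructed sample command lines (not captured from a real host)
report "hardened"   "BOOT_IMAGE=(hd0,gpt2)/vmlinuz ro quiet vsyscall=none"
report "unset"      "BOOT_IMAGE=(hd0,gpt2)/vmlinuz ro quiet"
report "overridden" "ro vsyscall=none quiet vsyscall=emulate"

# Live checks, only where the rule applies (x86_64) and the inputs exist
if [ "$(uname -m 2>/dev/null)" = "x86_64" ] && [ -r /proc/cmdline ]; then
    report "running kernel (/proc/cmdline)" "$(cat /proc/cmdline)"
fi
if [ -r /etc/default/grub ]; then
    grub_default_has_vsyscall_none /etc/default/grub \
        && echo "PASS  /etc/default/grub GRUB_CMDLINE_LINUX" \
        || echo "FAIL  /etc/default/grub GRUB_CMDLINE_LINUX"
fi
```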

Rationale

Virtual syscalls provide an attack opportunity to a user who has gained control of the return instruction pointer.

ID
xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
Severity
Medium

Remediation - OS Build Blueprint

[customizations.kernel]
append = "vsyscall=none"

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-08-010422
  - NIST-800-53-CM-7(a)

Remediation - script:kickstart

bootloader vsyscall=none

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && grep -q x86_64 /proc/sys/kernel/osrelease ); }; then

# Append vsyscall=none to the command line of every installed kernel;
# --env points grubby at the GRUB environment block it should update
grubby --update-kernel=ALL --args=vsyscall=none --env=/boot/grub2/grubenv

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi