Enable page allocator poisoning in zIPL
An XCCDF Rule
Description
To enable poisoning of free pages,
check that all boot entries in /boot/loader/entries/*.conf
have page_poison=1
included in its options.
To ensure that new kernels and boot entries continue to enable page poisoning,
add page_poison=1
to /etc/kernel/cmdline
.
Rationale
Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.
- ID
- xccdf_org.ssgproject.content_rule_zipl_page_poison_argument
- Severity
- Medium
- Updated
Remediation - Ansible
- name: Ensure BLS boot entries options contain page_poison=1
block:
- name: 'Check how many boot entries exist '
find:
paths: /boot/loader/entries/
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Correct BLS option using grubby, which is a thin wrapper around BLS operations
grubby --update-kernel=ALL --args="page_poison=1"