User a virtually-mapped stack

An XCCDF Rule

Details
Profiles
Prose

Description

Enable this to use virtually-mapped kernel stacks with guard pages. This configuration is available from kernel 4.9. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_VMAP_STACK, run the following command: grep CONFIG_VMAP_STACK /boot/config-* For each kernel installed, a line with value "y" should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

This causes kernel stack overflows to be caught immediately rather than causing difficult-to-diagnose corruption.

ID: xccdf_org.ssgproject.content_rule_kernel_config_vmap_stack
Severity: Medium
References: BP28(R15)
Updated: about 1 year ago