Enable randomization of the page allocator
An XCCDF Rule
Description
To enable randomization of the page allocator in the kernel, add the
page_alloc.shuffle=1
argument to the default GRUB 2 command line.
To ensure that page_alloc.shuffle=1
is added as a kernel command line
argument to newly installed kernels, add page_alloc.shuffle=1
to the
default GRUB 2 command line for Linux operating systems. Modify the line within
/etc/default/grub
as shown below:
GRUB_CMDLINE_LINUX="... page_alloc.shuffle=1 ..."
Run the following command to update the command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_alloc.shuffle=1"
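The procedure above has two halves: the running kernel must have booted with the argument, and GRUB_CMDLINE_LINUX in /etc/default/grub must carry it so future kernels inherit it. The following script is an added example (not part of the SSG rule content or its remediations) that audits both and adds the argument to a GRUB_CMDLINE_LINUX line without duplicating it. The function names has_kernel_arg, add_arg_to_grub_default and running_kernel_has_arg, and the "audit" mode flag, are this example's own; the /etc/default/grub location is the one the rule names.

```shell
#!/bin/bash
# Added example (not SSG rule content): verify page_alloc.shuffle=1 on the
# running kernel and in /etc/default/grub, and append it to GRUB_CMDLINE_LINUX
# idempotently. Function names are this example's own.

ARG="page_alloc.shuffle=1"

# Succeed only if $ARG is present as a whole word in a kernel command line.
# A plain substring test would wrongly accept e.g. page_alloc.shuffle=10.
has_kernel_arg() {
    local cmdline="$1"
    case " $cmdline " in
        *" $ARG "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Filter: read /etc/default/grub on stdin, write it to stdout with $ARG
# appended to GRUB_CMDLINE_LINUX. Idempotent: an existing occurrence is kept,
# and an empty value becomes just the argument.
add_arg_to_grub_default() {
    awk -v arg="$ARG" '
        /^GRUB_CMDLINE_LINUX=/ {
            line = $0
            sub(/^GRUB_CMDLINE_LINUX="/, "", line)   # strip key and opening quote
            sub(/"$/, "", line)                      # strip closing quote
            n = split(line, words, " ")
            found = 0
            for (i = 1; i <= n; i++) if (words[i] == arg) found = 1
            if (!found) line = (line == "" ? arg : line " " arg)
            print "GRUB_CMDLINE_LINUX=\"" line "\""
            next
        }
        { print }
    '
}

# 0 if the running kernel booted with the argument, 1 otherwise.
running_kernel_has_arg() {
    has_kernel_arg "$(cat /proc/cmdline 2>/dev/null)"
}

# Audit mode: run as  ./check_shuffle.sh audit  on a real host.
if [ "${1-}" = "audit" ]; then
    if running_kernel_has_arg; then
        echo "running kernel: $ARG present"
    else
        echo "running kernel: $ARG MISSING (reboot after remediation)"
    fi
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' /etc/default/grub 2>/dev/null)
    if has_kernel_arg "$current"; then
        echo "/etc/default/grub: $ARG present"
    else
        echo "/etc/default/grub: $ARG MISSING; fix with:"
        echo "  add_arg_to_grub_default < /etc/default/grub > /etc/default/grub.new"
    fi
fi
```

Fixing /etc/default/grub only covers kernels installed later; the installed boot entries still need the grubby command from the rule, and the running kernel only picks the setting up after a reboot, which is why the audit checks /proc/cmdline separately.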
Rationale
The CONFIG_SHUFFLE_PAGE_ALLOCATOR
config option is primarily
focused on improving the average utilization of a direct-mapped
memory-side cache. Aside from this performance effect, it also reduces the
predictability of page allocations in situations where an attacker can
crash the system and somehow leverage knowledge of the (page) allocation order
right after a fresh reboot, or can control the timing between a
hot-pluggable memory node (as in a NUMA node) coming online and applications
allocating memory out of that node. The page_alloc.shuffle=1
kernel command
line parameter then forces this functionality regardless of the memory cache
architecture. The parameter only has an effect on kernels built with
CONFIG_SHUFFLE_PAGE_ALLOCATOR enabled.
- ID
- xccdf_org.ssgproject.content_rule_grub2_page_alloc_shuffle_argument
- Severity
- Medium
- References
- Updated
Remediation - script:kickstart
bootloader page_alloc.shuffle=1
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_page_alloc_shuffle_argument
  - low_disruption
# Task completed here to mirror the shell-script remediation below.
- name: Update the kernel command line of all installed kernels
  command: /sbin/grubby --update-kernel=ALL --args=page_alloc.shuffle=1
  when: '"grub2-common" in ansible_facts.packages'
  tags:
  - grub2_page_alloc_shuffle_argument
  - low_disruption
Remediation - OS Build Blueprint
[customizations.kernel]
append = "page_alloc.shuffle=1"
Remediation - Shell Script
# Remediation is applicable only on certain platforms (GRUB 2 installed, not in a container)
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
    grubby --update-kernel=ALL --args=page_alloc.shuffle=1
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi