From 1dd162f258357d697f95dd2db9cd046d8557474f Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 16 Feb 2022 15:27:49 +0100
Subject: [PATCH] Add page_aloc.shuffle rules for OSPP profile

Resolves: rhbz#2055118
---
 ...-page_alloc_shuffle_argument-PR_8234.patch | 146 ++++++++++++++++++
 scap-security-guide.spec | 2 +
 2 files changed, 148 insertions(+)
 create mode 100644 scap-security-guide-0.1.61-add-rule-page_alloc_shuffle_argument-PR_8234.patch

diff --git a/scap-security-guide-0.1.61-add-rule-page_alloc_shuffle_argument-PR_8234.patch b/scap-security-guide-0.1.61-add-rule-page_alloc_shuffle_argument-PR_8234.patch
new file mode 100644
index 0000000..0b6d9c9
--- /dev/null
+++ b/scap-security-guide-0.1.61-add-rule-page_alloc_shuffle_argument-PR_8234.patch
@@ -0,0 +1,146 @@
+From 32ecdb4e8ccccf07acd8c6c82a3676ec15647b4a Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Wed, 16 Feb 2022 14:02:45 +0100
+Subject: [PATCH 1/3] add grub2 variant
+
+---
+ .../rule.yml | 40 +++++++++++++++++++
+ 2 files changed, 40 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
+new file mode 100644
+index 00000000000..3d0c8b95d8a
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
+@@ -0,0 +1,40 @@
++documentation_complete: true
++
++prodtype: rhel9
++
++title: 'Enable randomization of the page allocator'
++
++description: |-
++    To enable randomization of the page allocator in the kernel, add the
++    page_alloc.shuffle=1 argument to the default GRUB 2 command line.
++    {{{ describe_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
++
++rationale: |-
++    The CONFIG_SHUFFLE_PAGE_ALLOCATOR config option is primarily
++    focused on improving the average utilization of a direct-mapped
++    memory-side-cache. Aside of this performance effect, it also reduces
++    predictability of page allocations in situations when the bad actor can
++    crash the system and somehow leverage knowledge of (page) allocation order
++    right after a fresh reboot, or can control the timing between a
++    hot-pluggable memory node (as in NUMA node) and applications allocating
++    memory ouf of that node. The page_alloc.shuffle=1 kernel command
++    line parameter then forces this functionality irrespectively of memory cache
++    architecture.
++
++severity: medium
++
++identifiers:
++    cce@rhel9: CCE-85879-5
++
++ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
++
++ocil: |-
++    {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
++
++platform: machine
++
++template:
++    name: grub2_bootloader_argument
++    vars:
++        arg_name: page_alloc.shuffle
++        arg_value: '1'
+
+From ccd4bee3bec201cdee883c662056fc408b2d88ad Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Wed, 16 Feb 2022 14:20:59 +0100
+Subject: [PATCH 2/3] add zipl variant
+
+---
+ .../zipl_page_alloc_shuffle_argument/rule.yml | 46 +++++++++++++++++++
+ 2 files changed, 46 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
+new file mode 100644
+index 00000000000..5179b19fcc0
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
+@@ -0,0 +1,46 @@
++documentation_complete: true
++
++prodtype: rhel9
++
++title: 'Enable randomization of the page allocator in zIPL'
++
++description: |-
++    To enable the randomization of the page allocator in the kernel, check that
++    all boot entries in /boot/loader/entries/*.conf have
++    page_alloc.shuffle=1 included in its options.
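Review bot: The grub2 rule only asserts that `page_alloc.shuffle=1` is present on the command line, but the parameter does nothing on a kernel built without CONFIG_SHUFFLE_PAGE_ALLOCATOR, which the rationale itself names and nothing in this rule definition verifies; the description should carry that caveat, e.g. `This parameter only takes effect on kernels built with CONFIG_SHUFFLE_PAGE_ALLOCATOR; verify it in /boot/config-$(uname -r) if in doubt.` The rationale block also contains typos that will be rendered verbatim into generated guides and XCCDF: `memory ouf of that node` should be `memory out of that node`, `irrespectively of` should be `irrespective of`, and `Aside of this performance effect` reads better as `Aside from this performance effect`. The same rationale text is duplicated word for word in the zipl rule in the next hunk, so any wording fix has to be applied in both places or the text moved into a shared snippet.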
++
++    To enable randomization of the page allocator also for newly installed
++    kernels, add page_alloc.shuffle=1 to /etc/kernel/cmdline.
++
++rationale: |-
++    The CONFIG_SHUFFLE_PAGE_ALLOCATOR config option is primarily
++    focused on improving the average utilization of a direct-mapped
++    memory-side-cache. Aside of this performance effect, it also reduces
++    predictability of page allocations in situations when the bad actor can
++    crash the system and somehow leverage knowledge of (page) allocation order
++    right after a fresh reboot, or can control the timing between a
++    hot-pluggable memory node (as in NUMA node) and applications allocating
++    memory ouf of that node. The page_alloc.shuffle=1 kernel command
++    line parameter then forces this functionality irrespectively of memory cache
++    architecture.
++
++severity: medium
++
++identifiers:
++    cce@rhel9: CCE-85880-3
++
++ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
++
++ocil: |-
++    To check that the randomization of the page allocator in the kernel is
++    enabled, check all boot entries with following command:
++
sudo grep -L"^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf
++    No line should be returned, each line returned is a boot entry that doesn't enable audit.
++
++platform: machine
++
++template:
++    name: zipl_bls_entries_option
++    vars:
++        arg_name: page_alloc.shuffle
++        arg_value: '1'
+
+From 89671b0a5a69ccaf0a46ff1fc86db82fc822dda0 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Wed, 16 Feb 2022 14:24:32 +0100
+Subject: [PATCH 3/3] add rules to rhel9 ospp profile
+
+---
+ products/rhel9/profiles/ospp.profile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index f25abd7e4c4..4bdf8d98b97 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -126,6 +126,7 @@ selections:
+     - grub2_audit_backlog_limit_argument
+     - grub2_vsyscall_argument
+     - grub2_init_on_alloc_argument
++    - grub2_page_alloc_shuffle_argument
+ 
+     ## Security Settings
+     - sysctl_kernel_kptr_restrict
+@@ -409,3 +410,4 @@ selections:
+     - zipl_audit_backlog_limit_argument
+     - zipl_vsyscall_argument
+     - zipl_init_on_alloc_argument
++    - zipl_page_alloc_shuffle_argument
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 0a17a08..7f57276 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -59,6 +59,7 @@ Patch41: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
 Patch42: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
 Patch43: scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
 Patch44: scap-security-guide-0.1.61-update-ospp-description-PR_8232.patch
+Patch45: scap-security-guide-0.1.61-add-rule-page_alloc_shuffle_argument-PR_8234.patch
 BuildRequires: libxslt
 BuildRequires: expat
 
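Review bot: The manual check command in the zipl rule's `ocil` block, `sudo grep -L"^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf`, cannot run as written: there is no space after `-L`, so grep parses the following `^` as another single-letter option and exits with an "invalid option" usage error instead of listing boot entries. Even with the space restored, `+` is a literal character in grep's default basic regex, so `\s+` would never match a real `options` line and `-L` would report every entry as non-compliant; the pattern needs extended regex, i.e. `sudo grep -L -E "^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf`. The closing sentence `each line returned is a boot entry that doesn't enable audit` is a leftover from the audit rule this text appears to be copied from and should read `each line returned is a boot entry that doesn't enable page allocator randomization`. The description's `included in its options` also should be `included in their options`, since it refers to all boot entries.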
@@ -148,6 +149,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 * Tue Feb 15 2022 Watson Sato - 0.1.60-4
 - Fix Ansible service disabled tasks (RHBZ#2014561)
 - Update description of OSPP profile (RHBZ#2045386)
+- Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118)
 
 * Mon Feb 14 2022 Gabriel Becker - 0.1.60-3
 - Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)