Add page_aloc.shuffle rules for OSPP profile
Resolves: rhbz#2055118
This commit is contained in:
		
							parent
							
								
									fb47aa3e38
								
							
						
					
					
						commit
						1dd162f258
					
				| @ -0,0 +1,146 @@ | |||||||
|  | From 32ecdb4e8ccccf07acd8c6c82a3676ec15647b4a Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Vojtech Polasek <vpolasek@redhat.com> | ||||||
|  | Date: Wed, 16 Feb 2022 14:02:45 +0100 | ||||||
|  | Subject: [PATCH 1/3] add grub2 variant | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  .../rule.yml                                  | 40 +++++++++++++++++++ | ||||||
|  |  2 files changed, 40 insertions(+), 1 deletion(-) | ||||||
|  |  create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml | ||||||
|  | 
 | ||||||
|  | diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
 | ||||||
|  | new file mode 100644 | ||||||
|  | index 00000000000..3d0c8b95d8a
 | ||||||
|  | --- /dev/null
 | ||||||
|  | +++ b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
 | ||||||
|  | @@ -0,0 +1,40 @@
 | ||||||
|  | +documentation_complete: true
 | ||||||
|  | +
 | ||||||
|  | +prodtype: rhel9
 | ||||||
|  | +
 | ||||||
|  | +title: 'Enable randomization of the page allocator'
 | ||||||
|  | +
 | ||||||
|  | +description: |-
 | ||||||
|  | +    To enable randomization of the page allocator in the kernel, add the
 | ||||||
|  | +    <tt>page_alloc.shuffle=1</tt> argument to the default GRUB 2 command line.
 | ||||||
|  | +    {{{ describe_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
 | ||||||
|  | +
 | ||||||
|  | +rationale: |-
 | ||||||
|  | +    The <tt>CONFIG_SHUFFLE_PAGE_ALLOCATOR</tt> config option is primarily
 | ||||||
|  | +    focused on improving the average utilization of a direct-mapped
 | ||||||
|  | +    memory-side-cache. Aside of this performance effect, it also reduces
 | ||||||
|  | +    predictability of page allocations in situations when the bad actor can
 | ||||||
|  | +    crash the system and somehow leverage knowledge of (page) allocation order
 | ||||||
|  | +    right after a fresh reboot, or can control the timing between a
 | ||||||
|  | +    hot-pluggable memory node (as in NUMA node) and applications allocating
 | ||||||
|  | +    memory ouf of that node. The <tt>page_alloc.shuffle=1</tt> kernel command
 | ||||||
|  | +    line parameter then forces this functionality irrespectively of memory cache
 | ||||||
|  | +    architecture.
 | ||||||
|  | +
 | ||||||
|  | +severity: medium
 | ||||||
|  | +
 | ||||||
|  | +identifiers:
 | ||||||
|  | +    cce@rhel9: CCE-85879-5
 | ||||||
|  | +
 | ||||||
|  | +ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
 | ||||||
|  | +
 | ||||||
|  | +ocil: |-
 | ||||||
|  | +    {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
 | ||||||
|  | +
 | ||||||
|  | +platform: machine
 | ||||||
|  | +
 | ||||||
|  | +template:
 | ||||||
|  | +    name: grub2_bootloader_argument
 | ||||||
|  | +    vars:
 | ||||||
|  | +        arg_name: page_alloc.shuffle
 | ||||||
|  | +        arg_value: '1'
 | ||||||
|  | 
 | ||||||
|  | From ccd4bee3bec201cdee883c662056fc408b2d88ad Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Vojtech Polasek <vpolasek@redhat.com> | ||||||
|  | Date: Wed, 16 Feb 2022 14:20:59 +0100 | ||||||
|  | Subject: [PATCH 2/3] add zipl variant | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  .../zipl_page_alloc_shuffle_argument/rule.yml | 46 +++++++++++++++++++ | ||||||
|  |  2 files changed, 46 insertions(+), 1 deletion(-) | ||||||
|  |  create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml | ||||||
|  | 
 | ||||||
|  | diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
 | ||||||
|  | new file mode 100644 | ||||||
|  | index 00000000000..5179b19fcc0
 | ||||||
|  | --- /dev/null
 | ||||||
|  | +++ b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
 | ||||||
|  | @@ -0,0 +1,46 @@
 | ||||||
|  | +documentation_complete: true
 | ||||||
|  | +
 | ||||||
|  | +prodtype: rhel9
 | ||||||
|  | +
 | ||||||
|  | +title: 'Enable randomization of the page allocator in zIPL'
 | ||||||
|  | +
 | ||||||
|  | +description: |-
 | ||||||
|  | +    To enable the randomization of the page allocator in the kernel, check that
 | ||||||
|  | +    all boot entries in <tt>/boot/loader/entries/*.conf</tt> have
 | ||||||
|  | +    <tt>page_alloc.shuffle=1</tt> included in its options.<br />
 | ||||||
|  | +
 | ||||||
|  | +    To enable randomization of the page allocator also for  newly installed
 | ||||||
|  | +    kernels, add <tt>page_alloc.shuffle=1</tt> to <tt>/etc/kernel/cmdline</tt>.
 | ||||||
|  | +
 | ||||||
|  | +rationale: |-
 | ||||||
|  | +    The <tt>CONFIG_SHUFFLE_PAGE_ALLOCATOR</tt> config option is primarily
 | ||||||
|  | +    focused on improving the average utilization of a direct-mapped
 | ||||||
|  | +    memory-side-cache. Aside of this performance effect, it also reduces
 | ||||||
|  | +    predictability of page allocations in situations when the bad actor can
 | ||||||
|  | +    crash the system and somehow leverage knowledge of (page) allocation order
 | ||||||
|  | +    right after a fresh reboot, or can control the timing between a
 | ||||||
|  | +    hot-pluggable memory node (as in NUMA node) and applications allocating
 | ||||||
|  | +    memory ouf of that node. The <tt>page_alloc.shuffle=1</tt> kernel command
 | ||||||
|  | +    line parameter then forces this functionality irrespectively of memory cache
 | ||||||
|  | +    architecture.
 | ||||||
|  | +
 | ||||||
|  | +severity: medium
 | ||||||
|  | +
 | ||||||
|  | +identifiers:
 | ||||||
|  | +    cce@rhel9: CCE-85880-3
 | ||||||
|  | +
 | ||||||
|  | +ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
 | ||||||
|  | +
 | ||||||
|  | +ocil: |-
 | ||||||
|  | +  To check that the randomization of the page allocator in the kernel is
 | ||||||
|  | +  enabled, check all boot entries with following command:
 | ||||||
|  | +  <pre>sudo grep -L"^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf</pre>
 | ||||||
|  | +  No line should be returned, each line returned is a boot entry that doesn't enable audit.
 | ||||||
|  | +
 | ||||||
|  | +platform: machine
 | ||||||
|  | +
 | ||||||
|  | +template:
 | ||||||
|  | +  name: zipl_bls_entries_option
 | ||||||
|  | +  vars:
 | ||||||
|  | +    arg_name: page_alloc.shuffle
 | ||||||
|  | +    arg_value: '1'
 | ||||||
|  | 
 | ||||||
|  | From 89671b0a5a69ccaf0a46ff1fc86db82fc822dda0 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Vojtech Polasek <vpolasek@redhat.com> | ||||||
|  | Date: Wed, 16 Feb 2022 14:24:32 +0100 | ||||||
|  | Subject: [PATCH 3/3] add rules to rhel9 ospp profile | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  products/rhel9/profiles/ospp.profile | 2 ++ | ||||||
|  |  1 file changed, 2 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
 | ||||||
|  | index f25abd7e4c4..4bdf8d98b97 100644
 | ||||||
|  | --- a/products/rhel9/profiles/ospp.profile
 | ||||||
|  | +++ b/products/rhel9/profiles/ospp.profile
 | ||||||
|  | @@ -126,6 +126,7 @@ selections:
 | ||||||
|  |      - grub2_audit_backlog_limit_argument | ||||||
|  |      - grub2_vsyscall_argument | ||||||
|  |      - grub2_init_on_alloc_argument | ||||||
|  | +    - grub2_page_alloc_shuffle_argument
 | ||||||
|  |   | ||||||
|  |      ## Security Settings | ||||||
|  |      - sysctl_kernel_kptr_restrict | ||||||
|  | @@ -409,3 +410,4 @@ selections:
 | ||||||
|  |      - zipl_audit_backlog_limit_argument | ||||||
|  |      - zipl_vsyscall_argument | ||||||
|  |      - zipl_init_on_alloc_argument | ||||||
|  | +    - zipl_page_alloc_shuffle_argument
 | ||||||
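Review bot: The OCIL command in the zipl rule of patch 2/3 (`sudo grep -L"^options\s+.*\bpage_alloc\.shuffle=1\b" ...`) has no space between `-L` and the pattern, so the shell passes grep the single word `-L^options...` and the check aborts on an invalid option instead of listing boot entries; it should read `sudo grep -L "^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf` (and since `+` is literal in grep's default basic regex, `-E` would be needed for `\s+` to act as a quantifier, though the sibling zipl rules appear to share that wording). The sentence after it still says each returned entry "doesn't enable audit", a leftover from the audit rule this was copied from, and should say `doesn't enable randomization of the page allocator`. The grub2 variant uses the `ocil_grub2_argument` macro and is not affected. Minor: both rationale blocks say "ouf of" for "out of" and "irrespectively" for "irrespective". The diffstat of patches 1/3 and 2/3 reports `2 files changed` with `1 deletion(-)` while only rule.yml appears in each body, so a hunk was presumably dropped when the patch was trimmed; `git am` ignores the stat, but regenerating it keeps the patch self-consistent.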
| @ -59,6 +59,7 @@ Patch41:	scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch | |||||||
| Patch42:	scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch | Patch42:	scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch | ||||||
| Patch43:	scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch | Patch43:	scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch | ||||||
| Patch44:	scap-security-guide-0.1.61-update-ospp-description-PR_8232.patch | Patch44:	scap-security-guide-0.1.61-update-ospp-description-PR_8232.patch | ||||||
|  | Patch45:	scap-security-guide-0.1.61-add-rule-page_alloc_shuffle_argument-PR_8234.patch | ||||||
| 
 | 
 | ||||||
| BuildRequires:	libxslt | BuildRequires:	libxslt | ||||||
| BuildRequires:	expat | BuildRequires:	expat | ||||||
| @ -148,6 +149,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md | |||||||
| * Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4 | * Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4 | ||||||
| - Fix Ansible service disabled tasks (RHBZ#2014561) | - Fix Ansible service disabled tasks (RHBZ#2014561) | ||||||
| - Update description of OSPP profile (RHBZ#2045386) | - Update description of OSPP profile (RHBZ#2045386) | ||||||
|  | - Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118) | ||||||
| 
 | 
 | ||||||
| * Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3 | * Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3 | ||||||
| - Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403) | - Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403) | ||||||
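Review bot: The changelog line appended to the existing `0.1.60-4` stanza (like the commit subject) spells the parameter `page_aloc.shuffle`; the kernel parameter is `page_alloc.shuffle`, so it should read `- Add page_alloc.shuffle rules for OSPP profile (RHBZ#2055118)`. Extending an already-dated stanza instead of adding a new one is only correct if 0.1.60-4 has not been built yet; otherwise a new stanza with a bumped Release is required, and no Release change is visible in these hunks. The first hunk adds only the `Patch45:` declaration; if %prep applies patches individually rather than through %autosetup/%autopatch, a matching `%patch45 -p1` line is also needed, which would fall outside the visible hunks.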