Add page_aloc.shuffle rules for OSPP profile
Resolves: rhbz#2055118
This commit is contained in:
parent
fb47aa3e38
commit
1dd162f258
@ -0,0 +1,146 @@
|
||||
From 32ecdb4e8ccccf07acd8c6c82a3676ec15647b4a Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 16 Feb 2022 14:02:45 +0100
|
||||
Subject: [PATCH 1/3] add grub2 variant
|
||||
|
||||
---
|
||||
.../rule.yml | 40 +++++++++++++++++++
|
||||
2 files changed, 40 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..3d0c8b95d8a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
|
||||
@@ -0,0 +1,40 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel9
|
||||
+
|
||||
+title: 'Enable randomization of the page allocator'
|
||||
+
|
||||
+description: |-
|
||||
+ To enable randomization of the page allocator in the kernel, add the
|
||||
+ <tt>page_alloc.shuffle=1</tt> argument to the default GRUB 2 command line.
|
||||
+ {{{ describe_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
|
||||
+
|
||||
+rationale: |-
|
||||
+ The <tt>CONFIG_SHUFFLE_PAGE_ALLOCATOR</tt> config option is primarily
|
||||
+ focused on improving the average utilization of a direct-mapped
|
||||
+ memory-side-cache. Aside of this performance effect, it also reduces
|
||||
+ predictability of page allocations in situations when the bad actor can
|
||||
+ crash the system and somehow leverage knowledge of (page) allocation order
|
||||
+ right after a fresh reboot, or can control the timing between a
|
||||
+ hot-pluggable memory node (as in NUMA node) and applications allocating
|
||||
+ memory ouf of that node. The <tt>page_alloc.shuffle=1</tt> kernel command
|
||||
+ line parameter then forces this functionality irrespectively of memory cache
|
||||
+ architecture.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel9: CCE-85879-5
|
||||
+
|
||||
+ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: grub2_bootloader_argument
|
||||
+ vars:
|
||||
+ arg_name: page_alloc.shuffle
|
||||
+ arg_value: '1'
|
||||
|
||||
From ccd4bee3bec201cdee883c662056fc408b2d88ad Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 16 Feb 2022 14:20:59 +0100
|
||||
Subject: [PATCH 2/3] add zipl variant
|
||||
|
||||
---
|
||||
.../zipl_page_alloc_shuffle_argument/rule.yml | 46 +++++++++++++++++++
|
||||
2 files changed, 46 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..5179b19fcc0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
|
||||
@@ -0,0 +1,46 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel9
|
||||
+
|
||||
+title: 'Enable randomization of the page allocator in zIPL'
|
||||
+
|
||||
+description: |-
|
||||
+ To enable the randomization of the page allocator in the kernel, check that
|
||||
+ all boot entries in <tt>/boot/loader/entries/*.conf</tt> have
|
||||
+ <tt>page_alloc.shuffle=1</tt> included in its options.<br />
|
||||
+
|
||||
+ To enable randomization of the page allocator also for newly installed
|
||||
+ kernels, add <tt>page_alloc.shuffle=1</tt> to <tt>/etc/kernel/cmdline</tt>.
|
||||
+
|
||||
+rationale: |-
|
||||
+ The <tt>CONFIG_SHUFFLE_PAGE_ALLOCATOR</tt> config option is primarily
|
||||
+ focused on improving the average utilization of a direct-mapped
|
||||
+ memory-side-cache. Aside of this performance effect, it also reduces
|
||||
+ predictability of page allocations in situations when the bad actor can
|
||||
+ crash the system and somehow leverage knowledge of (page) allocation order
|
||||
+ right after a fresh reboot, or can control the timing between a
|
||||
+ hot-pluggable memory node (as in NUMA node) and applications allocating
|
||||
+ memory ouf of that node. The <tt>page_alloc.shuffle=1</tt> kernel command
|
||||
+ line parameter then forces this functionality irrespectively of memory cache
|
||||
+ architecture.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel9: CCE-85880-3
|
||||
+
|
||||
+ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
|
||||
+
|
||||
+ocil: |-
|
||||
+ To check that the randomization of the page allocator in the kernel is
|
||||
+ enabled, check all boot entries with following command:
|
||||
+ <pre>sudo grep -L"^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf</pre>
|
||||
+ No line should be returned, each line returned is a boot entry that doesn't enable audit.
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: zipl_bls_entries_option
|
||||
+ vars:
|
||||
+ arg_name: page_alloc.shuffle
|
||||
+ arg_value: '1'
|
||||
|
||||
From 89671b0a5a69ccaf0a46ff1fc86db82fc822dda0 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 16 Feb 2022 14:24:32 +0100
|
||||
Subject: [PATCH 3/3] add rules to rhel9 ospp profile
|
||||
|
||||
---
|
||||
products/rhel9/profiles/ospp.profile | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index f25abd7e4c4..4bdf8d98b97 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -126,6 +126,7 @@ selections:
|
||||
- grub2_audit_backlog_limit_argument
|
||||
- grub2_vsyscall_argument
|
||||
- grub2_init_on_alloc_argument
|
||||
+ - grub2_page_alloc_shuffle_argument
|
||||
|
||||
## Security Settings
|
||||
- sysctl_kernel_kptr_restrict
|
||||
@@ -409,3 +410,4 @@ selections:
|
||||
- zipl_audit_backlog_limit_argument
|
||||
- zipl_vsyscall_argument
|
||||
- zipl_init_on_alloc_argument
|
||||
+ - zipl_page_alloc_shuffle_argument
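Review bot: The zIPL OCIL command in PATCH 2/3, `sudo grep -L"^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf`, has no space between `-L` and the pattern, so the shell hands grep a single `-L^options...` argument, grep parses the pattern characters as further option letters and exits with an invalid-option error instead of listing the entries; it should read `sudo grep -L "^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf`. GNU grep's default basic syntax also treats `+` as a literal character, so `\s+` matches one whitespace character followed by a plus sign rather than one-or-more whitespace, which would make every entry look non-compliant; add `-E` or write `\s\+`. The sentence that follows, `No line should be returned, each line returned is a boot entry that doesn't enable audit.`, is carried over from the audit rule and should say `doesn't enable page allocator randomization`. Both rationale blocks spell `ouf of` for `out of`, and the grub2 description says `its options` where the entries are plural. The check only inspects the kernel command line; on a kernel presumably built without `CONFIG_SHUFFLE_PAGE_ALLOCATOR` the argument is accepted but has no effect, which the rationale could state so auditors do not read a pass as proof the shuffling is active.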
|
@ -59,6 +59,7 @@ Patch41: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
|
||||
Patch42: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
|
||||
Patch43: scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
|
||||
Patch44: scap-security-guide-0.1.61-update-ospp-description-PR_8232.patch
|
||||
Patch45: scap-security-guide-0.1.61-add-rule-page_alloc_shuffle_argument-PR_8234.patch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
@ -148,6 +149,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
||||
* Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
|
||||
- Fix Ansible service disabled tasks (RHBZ#2014561)
|
||||
- Update description of OSPP profile (RHBZ#2045386)
|
||||
- Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118)
|
||||
|
||||
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
|
||||
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
|
||||
|