Check: RHEL-08-010422
RHEL 8 STIG:
RHEL-08-010422
(in versions v1 r14 through v1 r4)
Title
RHEL 8 must disable virtual syscalls. (Cat II impact)
Discussion
Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly. Satisfies: SRG-OS-000134-GPOS-00068, SRG-OS-000433-GPOS-00192
Check Content
Verify that GRUB 2 is configured to disable vsyscalls with the following commands: Check that the current GRUB 2 configuration disables vsyscalls: $ sudo grub2-editenv list | grep vsyscall kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 If "vsyscall" is not set to "none" or is missing, this is a finding. Check that vsyscalls are disabled by default to persist in kernel updates: $ sudo grep vsyscall /etc/default/grub GRUB_CMDLINE_LINUX="vsyscall=none" If "vsyscall" is not set to "none", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fix Text
Document the use of vsyscalls with the ISSO as an operational requirement or disable them with the following command: $ sudo grubby --update-kernel=ALL --args="vsyscall=none" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="vsyscall=none"
Additional Identifiers
Rule ID: SV-230278r792886_rule
Vulnerability ID: V-230278
Group Title: SRG-OS-000134-GPOS-00068
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001084 |
The information system isolates security functions from nonsecurity functions. |
Controls
Number | Title |
---|---|
SC-3 |
Security Function Isolation |