{"description": "To enable poisoning of SLUB/SLAB objects, add the argument <tt>slub_debug=P</tt> to all\nBLS (Boot Loader Specification) entries ('options' line) for the Linux\noperating system in <tt>/boot/loader/entries/*.conf</tt>.", "rationale": "Poisoning writes an arbitrary value to freed objects, so any modification of or\nreference to an object after it is freed or before it is initialized will be\ndetected and prevented.\nThis prevents many types of use-after-free vulnerabilities at little performance cost.\nIt also prevents data leaks and allows detection of corrupted memory.", "severity": "medium", "references": {"nist": ["CM-6(a)"], "srg": ["SRG-APP-000243-CTR-000600"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "SLUB/SLAB poisoning is not enabled", "ocil": "Inspect the form of all the BLS (Boot Loader Specification) entries\n('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include\n<tt>slub_debug=P</tt>, then SLUB/SLAB poisoning is enabled at boot time.\n<br /><br />\nTo ensure <tt>slub_debug=P</tt> is configured on the installed kernel, add\nthe kernel argument via a <pre>MachineConfig</pre> object to the appropriate\npools.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable SLUB/SLAB allocator poisoning", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/poisoning/coreos_slub_debug_kernel_argument/rule.yml", "template": {"name": "coreos_kernel_option", "vars": {"arg_name": "slub_debug", "arg_value": "P"}, "backends": {}}}