{"description": "SMAP prevents supervisor mode from unintentionally reading or writing memory pages\nin user space. It has been enabled by default since Linux kernel 3.7,\nbut it can be disabled through kernel boot parameters.\n\nEnsure that Supervisor Mode Access Prevention (SMAP) is not disabled by\nthe <tt>nosmap</tt> boot parameter option.\n\nCheck that the line <pre>GRUB_CMDLINE_LINUX=\"...\"</pre> within <tt>/etc/default/grub</tt>\ndoes not contain the argument <tt>nosmap</tt>.\nRun the following command to update the command line for already installed kernels:\n<pre># grubby --update-kernel=ALL --remove-args=\"nosmap\"</pre>", "rationale": "Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access to\nand manipulation of data in user space.", "severity": "medium", "references": {"anssi": ["R1"]}, "control_references": {"anssi": ["R1"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel is configured to disable SMAP", "ocil": "Make sure that the kernel is not disabling SMAP with the following\ncommand, which prints the running kernel's command line if it contains the argument:\n<pre>grep nosmap /proc/cmdline</pre>\nIf the command returns a line, it means that SMAP is being disabled.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure SMAP is not disabled during boot", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml", "template": {"name": "grub2_bootloader_argument_absent", "vars": {"arg_name": "nosmap"}, "backends": {}}}