{"description": "Enable this to turn on some debug checking for credential management. The additional code keeps\ntrack of the number of pointers from task_structs to any given cred struct, and checks to see\nthat this number never exceeds the usage count of the cred struct.\n\nFurthermore, if SELinux is enabled, this also checks that the security pointer in the cred\nstruct is never seen to be invalid.\n\nThe configuration that was used to build kernel is available at <tt>/boot/config-*</tt>.\n    To check the configuration value for <tt>CONFIG_DEBUG_CREDENTIALS</tt>, run the following command:\n    <tt>grep CONFIG_DEBUG_CREDENTIALS /boot/config-*</tt>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "rationale": "This adds sanity checks and validations to credential data structures.", "severity": "low", "references": {"anssi": ["R16"]}, "control_references": {"anssi": ["R16"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n    <pre>$ grep CONFIG_DEBUG_CREDENTIALS /boot/config.*</pre>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable checks on credential management", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_DEBUG_CREDENTIALS", "value": "y"}, "backends": {}}}