{
  "description": "To enable poisoning of SLUB/SLAB objects,\nadd the argument <tt>slub_debug=<sub idref=\"var_slub_debug_options\" /></tt> to the default\nGRUB 2 command line for the Linux operating system.\nTo ensure that <tt>slub_debug=<sub idref=\"var_slub_debug_options\" /></tt> is added as a kernel command line\nargument to newly installed kernels, add <tt>slub_debug=<sub idref=\"var_slub_debug_options\" /></tt> to the\ndefault GRUB 2 command line for Linux operating systems. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... slub_debug=<sub idref=\"var_slub_debug_options\" /> ...\"</pre>\nRun the following command to update the command line for already installed kernels:<pre># update-grub</pre>",
  "rationale": "Poisoning writes an arbitrary value to freed objects, so any modification or\nreference to that object after being freed or before being initialized will be\ndetected and prevented.\nThis prevents many types of use-after-free vulnerabilities at little performance cost.\nIt also prevents data leaks and helps detect corrupted memory.",
  "severity": "medium",
  "references": {"nist": ["CM-6(a)"], "srg": ["SRG-OS-000433-GPOS-00192", "SRG-OS-000134-GPOS-00068"], "anssi": ["R8"]},
  "control_references": {"anssi": ["R8"]},
  "components": [],
  "identifiers": {},
  "ocil_clause": "SLUB/SLAB poisoning is not enabled",
  "ocil": "Inspect the form of the default GRUB 2 command line for the Linux operating system\nin <tt>/etc/default/grub</tt>. If it includes <tt>slub_debug=<sub idref=\"var_slub_debug_options\" /></tt>,\nthen the parameter will be configured for newly installed kernels.\nFirst check if the GRUB recovery is enabled:\n<pre>$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>\nIf this option is set to true, then check that a line is output by the following command:\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slub_debug=<sub idref=\"var_slub_debug_options\" />.*' /etc/default/grub</pre>\nIf the recovery is disabled, check the line with\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX.*slub_debug=<sub idref=\"var_slub_debug_options\" />.*' /etc/default/grub</pre>\nMoreover, the current GRUB config file <tt>grub.cfg</tt> must be checked. The file can be found\neither in <tt>/boot/grub</tt> in case of legacy BIOS systems, or in <tt>/boot/grub</tt> in case of UEFI systems.\nIf it includes <tt>slub_debug=<sub idref=\"var_slub_debug_options\" /></tt>, then the parameter\nis configured at boot time.\n<pre>$ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v 'slub_debug=<sub idref=\"var_slub_debug_options\" />'</pre>\nFill in <tt>GRUB_CFG_FILE_PATH</tt> based on the information above.\nThis command should not return any output.",
  "oval_external_content": null,
  "fixtext": "To ensure that <tt>slub_debug=<sub idref=\"var_slub_debug_options\" /></tt> is added as a kernel command line\nargument to newly installed kernels, add <tt>slub_debug=<sub idref=\"var_slub_debug_options\" /></tt> to the\ndefault GRUB 2 command line for Linux operating systems. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... slub_debug=<sub idref=\"var_slub_debug_options\" /> ...\"</pre>\nRun the following command to update the command line for already installed kernels:<pre># update-grub</pre>",
  "checktext": "",
  "vuldiscussion": "",
  "srg_requirement": "Ubuntu 22.04 must clear SLUB/SLAB objects to prevent use-after-free attacks.",
  "warnings": [],
  "conflicts": [],
  "requires": [],
  "policy_specific_content": {
    "stig": {
      "srg_requirement": "Ubuntu 22.04 must clear SLUB/SLAB objects to prevent use-after-free attacks.",
      "vuldiscussion": "Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism.\n\nPoisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents data leaks and helps detect corrupted memory.\n\nSLAB objects are blocks of physically contiguous memory. SLUB is the unqueued SLAB allocator.",
      "checktext": "Verify that GRUB 2 is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities with the following commands:\n\nCheck that the current GRUB 2 configuration has poisoning of SLUB/SLAB objects enabled:\n\n$ sudo grubby --info=ALL | grep args | grep -v 'slub_debug=P'\n\nIf any output is returned, this is a finding.\n\nCheck that poisoning of SLUB/SLAB objects is enabled by default to persist in kernel updates:\n\n$ sudo grep slub_debug /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"slub_debug=P\"\n\nIf \"slub_debug\" does not contain \"P\", is missing, or is commented out, this is a finding.",
      "fixtext": "Configure RHEL to enable poisoning of SLUB/SLAB objects with the following commands:\n\n$ sudo grubby --update-kernel=ALL --args=\"slub_debug=P\"\n\nAdd or modify the following line in \"/etc/default/grub\" to ensure the configuration survives kernel updates:\n\nGRUB_CMDLINE_LINUX=\"slub_debug=P\""
    }
  },
  "platform": "grub2",
  "platforms": ["grub2"],
  "sce_metadata": {},
  "inherited_platforms": ["system_with_kernel"],
  "cpe_platform_names": ["grub2"],
  "inherited_cpe_platform_names": ["system_with_kernel"],
  "bash_conditional": null,
  "fixes": {},
  "title": "Enable SLUB/SLAB allocator poisoning",
  "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml",
  "template": {"name": "grub2_bootloader_argument", "vars": {"arg_name": "slub_debug", "arg_variable": "var_slub_debug_options"}, "backends": {}}
}