{"description": "This is the portion of low virtual memory which should be protected from userspace allocation.\nThis configuration is available from kernel 3.14, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at <tt>/boot/config-*</tt>.\nTo check the configuration value for <tt>CONFIG_DEFAULT_MMAP_MIN_ADDR</tt>, run the following command:\n<tt>grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config-*</tt>\nFor each kernel installed, a line with value should be returned.\nIf the system architecture is x86_64, the value should be 65536.\nIf the system architecture is aarch64, the value should be 32768.", "rationale": "Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.", "severity": "medium", "references": {"anssi": ["R25", "R27"]}, "control_references": {"anssi": ["R25", "R27"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n<pre>$ grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config.*</pre>\nFor each kernel installed, a line with value should be returned.\nIf the system architecture is x86_64, the value should be 65536.\nIf the system architecture is aarch64, the value should be 32768.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "x86_64_arch or aarch64_arch", "platforms": ["x86_64_arch or aarch64_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["aarch64_arch_or_x86_64_arch"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure Low Address Space To Protect From User Allocation", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml", "template": null}