{"description": "The kernel traps and emulates calls into the fixed vsyscall address mapping and does not allow\nreads.\nThis configuration is available from kernel 5.3.\n\nThe configuration that was used to build the kernel is available at <tt>/boot/config-*</tt>.\n    To check the configuration value for <tt>CONFIG_LEGACY_VSYSCALL_XONLY</tt>, run the following command:\n    <tt>grep CONFIG_LEGACY_VSYSCALL_XONLY /boot/config-*</tt>\n    \n    Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n    lines should be returned.\n    ", "rationale": "Disabling this mitigates certain uses of the vsyscall area as an ASLR-bypassing buffer.", "severity": "medium", "references": {"anssi": ["R15"]}, "control_references": {"anssi": ["R15"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n    <pre>$ grep CONFIG_LEGACY_VSYSCALL_XONLY /boot/config-*</pre>\n    \n    Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n    lines should be returned.\n    ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable vsyscall emulate execution only", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_xonly/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config":
"CONFIG_LEGACY_VSYSCALL_XONLY", "value": "n"}, "backends": {}}}