{"description": "The kernel traps and emulates calls into the fixed vsyscall address mapping.\nThis configuration is available from kernel 5.3, but may be available if backported by distros.\n\nThe configuration that was used to build kernel is available at /boot/config-*.\n To check the configuration value for CONFIG_LEGACY_VSYSCALL_EMULATE, run the following command:\n grep CONFIG_LEGACY_VSYSCALL_EMULATE /boot/config-*\n \n Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.\n ", "rationale": "The mapping is non-executable, but it still contains known contents, which could be\nused in certain rare security vulnerability exploits.", "severity": "medium", "references": {"anssi": ["R15"]}, "control_references": {"anssi": ["R15"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n $ grep CONFIG_LEGACY_VSYSCALL_EMULATE /boot/config.*
\n \n Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.\n ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable vsyscall emulation", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_emulate/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_LEGACY_VSYSCALL_EMULATE", "value": "n"}, "backends": {}}}