Merge pull request #624 from konstruktoid/kernel

add additional kernel configuration options
konstruktoid · Apr 23, 2024 · 5d7e37c · 5d7e37c
2 parents 4ddf230 + 51f7fbb
commit 5d7e37c
Show file tree

Hide file tree

Showing 6 changed files with 225 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -328,6 +328,24 @@ daemon shall be forwarded to a traditional syslog daemon.
 See [journald.conf](https://www.freedesktop.org/software/systemd/man/latest/journald.conf.html)
 for more information.
 
+### ./defaults/main/kernel.yml
+
+```yaml
+allow_virtual_system_calls: true
+enable_page_poisoning: true
+page_table_isolation: true
+slub_debugger_poisoning: false
+```
+
+`allow_virtual_system_calls` will allow virtual system calls if `true` else no vsyscall mapping will be set, see [CONFIG_LEGACY_VSYSCALL_NONE](https://www.kernelconfig.io/config_legacy_vsyscall_none).
+
+`enable_page_poisoning: true` will enable [CONFIG_PAGE_POISONING](https://www.kernelconfig.io/config_page_poisoning)
+
+`page_table_isolation` is a countermeasure against attacks on the shared
+user/kernel address space, see [CONFIG_PAGE_TABLE_ISOLATION](https://www.kernelconfig.io/config_page_table_isolation)
+
+`slub_debugger_poisoning`, if set to `true`, prevents many types of use-after-free vulnerabilities and it also prevents leak of data and detection of corrupted memory. See [Short users guide for SLUB](https://github.com/torvalds/linux/blob/master/Documentation/mm/slub.rst#some-more-sophisticated-uses-of-slab_debug).
+
 ### ./defaults/main/limits.yml
 
 ```yaml

diff --git a/defaults/main/kernel.yml b/defaults/main/kernel.yml
@@ -0,0 +1,5 @@
+---
+allow_virtual_system_calls: true
+enable_page_poisoning: true
+page_table_isolation: true
+slub_debugger_poisoning: false
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -27,6 +27,7 @@ provisioner:
  sshd_update_moduli: true
  suid_sgid_permissions: false
  almalinux9:
+ enable_page_poisoning: true
  manage_resolved: false
  manage_timesyncd: false
  sshd_admin_net:
@@ -38,8 +39,10 @@ provisioner:
  sshd_update_moduli: true
  sysctl_conf_dir: /etc/sysctl.d/
  system_upgrade: false
+ slub_debugger_poisoning: true
  ufw_rate_limit: true
  bookworm:
+ allow_virtual_system_calls: false
  ansible_become_pass: vagrant
  ansible_python_interpreter: /usr/bin/python3
  disable_wireless: false
@@ -67,6 +70,7 @@ provisioner:
  jammy:
  disable_ipv6: true
  disable_wireless: true
+ enable_page_poisoning: true
  sshd_admin_net:
  - "0.0.0.0/0"
  sshd_allow_groups:
@@ -83,6 +87,7 @@ provisioner:
  rules:
  - AllowUsers testuser02
  - Banner none
+ slub_debugger_poisoning: true
 platforms:
  - name: almalinux8
  box: almalinux/8

diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -686,6 +686,92 @@
  - ansible_os_family == "Debian"
  - disable_ipv6
 
+ - name: Verify RedHat GRUB virtual system call settings
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ grubby --info="/boot/vmlinuz-$(uname -r)" | grep "vsyscall=none"
+ register: audit_grubenv
+ failed_when: audit_grubenv.rc != 0
+ changed_when: audit_grubenv.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - not allow_virtual_system_calls
+
+ - name: Verify Debian GRUB virtual system call settings
+ ansible.builtin.shell:
+ cmd: grep "linux.*vsyscall=none" /boot/grub/grub.cfg
+ register: page_grub_cfg
+ failed_when: page_grub_cfg.rc != 0
+ changed_when: page_grub_cfg.rc != 0
+ when:
+ - ansible_os_family == "Debian"
+ - not allow_virtual_system_calls
+
+ - name: Verify RedHat GRUB page poisoning settings
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ grubby --info="/boot/vmlinuz-$(uname -r)" | grep "page_poison=1"
+ register: audit_grubenv
+ failed_when: audit_grubenv.rc != 0
+ changed_when: audit_grubenv.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - enable_page_poisoning
+
+ - name: Verify Debian GRUB page poisoning settings
+ ansible.builtin.shell:
+ cmd: grep "linux.*page_poison=1" /boot/grub/grub.cfg
+ register: page_grub_cfg
+ failed_when: page_grub_cfg.rc != 0
+ changed_when: page_grub_cfg.rc != 0
+ when:
+ - ansible_os_family == "Debian"
+ - enable_page_poisoning
+
+ - name: Verify RedHat GRUB page table isolation settings
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ grubby --info="/boot/vmlinuz-$(uname -r)" | grep "pti={{ 'on' if page_table_isolation else 'auto' }}"
+ register: audit_grubenv
+ failed_when: audit_grubenv.rc != 0
+ changed_when: audit_grubenv.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+
+ - name: Verify Debian GRUB page table isolation settings
+ ansible.builtin.shell:
+ cmd: grep "linux.*pti={{ 'on' if page_table_isolation else 'auto' }}" /boot/grub/grub.cfg
+ register: page_grub_cfg
+ failed_when: page_grub_cfg.rc != 0
+ changed_when: page_grub_cfg.rc != 0
+ when:
+ - ansible_os_family == "Debian"
+
+ - name: Verify RedHat GRUB SLUB debugger settings
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ grubby --info="/boot/vmlinuz-$(uname -r)" | grep "slub_debug=P"
+ register: audit_grubenv
+ failed_when: audit_grubenv.rc != 0
+ changed_when: audit_grubenv.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - slub_debugger_poisoning
+
+ - name: Verify Debian GRUB SLUB debugger settings
+ ansible.builtin.shell:
+ cmd: grep "linux.*slub_debug=P" /boot/grub/grub.cfg
+ register: page_grub_cfg
+ failed_when: page_grub_cfg.rc != 0
+ changed_when: page_grub_cfg.rc != 0
+ when:
+ - ansible_os_family == "Debian"
+ - slub_debugger_poisoning
+
  - name: IPv6 sysctl configuration
  become: true
  when:

diff --git a/tasks/kernel.yml b/tasks/kernel.yml
@@ -0,0 +1,105 @@
+---
+- name: Configure Kernel parameters
+ become: true
+ block:
+ - name: Configure virtual system calls
+ ansible.builtin.lineinfile:
+ line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
+ dest: /etc/default/grub.d/99-hardening-vsyscall.cfg
+ state: present
+ create: true
+ mode: "0640"
+ owner: root
+ group: root
+ when:
+ - ansible_os_family == "Debian"
+ - not allow_virtual_system_calls
+ notify:
+ - Update GRUB
+
+ - name: Configure virtual system calls using grubby
+ ansible.builtin.command:
+ cmd: grubby --update-kernel=ALL --args="vsyscall=none"
+ register: grubby_update_kernel
+ changed_when: grubby_update_kernel.rc != 0
+ failed_when: grubby_update_kernel.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_virtualization_type not in ["container", "docker", "podman"]
+ - not allow_virtual_system_calls
+
+ - name: Configure page poisoning
+ ansible.builtin.lineinfile:
+ line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+ dest: /etc/default/grub.d/99-hardening-page-poison.cfg
+ state: present
+ create: true
+ mode: "0640"
+ owner: root
+ group: root
+ when:
+ - ansible_os_family == "Debian"
+ - enable_page_poisoning
+ notify:
+ - Update GRUB
+
+ - name: Configure page poisoning using grubby
+ ansible.builtin.command:
+ cmd: grubby --update-kernel=ALL --args="page_poison=1"
+ register: grubby_update_kernel
+ changed_when: grubby_update_kernel.rc != 0
+ failed_when: grubby_update_kernel.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_virtualization_type not in ["container", "docker", "podman"]
+ - enable_page_poisoning
+
+ - name: Configure page table isolation
+ ansible.builtin.lineinfile:
+ line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti={{ 'on' if page_table_isolation else 'auto' }}"
+ dest: /etc/default/grub.d/99-hardening-pti.cfg
+ state: present
+ create: true
+ mode: "0640"
+ owner: root
+ group: root
+ when:
+ - ansible_os_family == "Debian"
+ notify:
+ - Update GRUB
+
+ - name: Configure page table isolation using grubby
+ ansible.builtin.command:
+ cmd: grubby --update-kernel=ALL --args="pti={{ 'on' if page_table_isolation else 'auto' }}"
+ register: grubby_update_kernel
+ changed_when: grubby_update_kernel.rc != 0
+ failed_when: grubby_update_kernel.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_virtualization_type not in ["container", "docker", "podman"]
+
+ - name: Configure SLUB debugger poisoning
+ ansible.builtin.lineinfile:
+ line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P"
+ dest: /etc/default/grub.d/99-hardening-slub-debug.cfg
+ state: present
+ create: true
+ mode: "0640"
+ owner: root
+ group: root
+ when:
+ - ansible_os_family == "Debian"
+ - slub_debugger_poisoning
+ notify:
+ - Update GRUB
+
+ - name: Configure SLUB debugger poisoning using grubby
+ ansible.builtin.command:
+ cmd: grubby --update-kernel=ALL --args="slub_debug=P"
+ register: grubby_update_kernel
+ changed_when: grubby_update_kernel.rc != 0
+ failed_when: grubby_update_kernel.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_virtualization_type not in ["container", "docker", "podman"]
+ - slub_debugger_poisoning
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -42,6 +42,12 @@
  - kernel
  - sysctl
 
+- name: Configure kernel settings
+ ansible.builtin.import_tasks:
+ file: kernel.yml
+ tags:
+ - kernel
+
 - name: Disable kernel modules
  ansible.builtin.import_tasks:
  file: kernelmodules.yml