diff --git a/README.md b/README.md
index 1899881d..ab8c41d9 100644
--- a/README.md
+++ b/README.md
@@ -328,6 +328,24 @@ daemon shall be forwarded to a traditional syslog daemon.
 See [journald.conf](https://www.freedesktop.org/software/systemd/man/latest/journald.conf.html) for more information.
+### ./defaults/main/kernel.yml
+
+```yaml
+allow_virtual_system_calls: true
+enable_page_poisoning: true
+page_table_isolation: true
+slub_debugger_poisoning: false
+```
+
+`allow_virtual_system_calls` will allow virtual system calls if `true` else no vsyscall mapping will be set, see [CONFIG_LEGACY_VSYSCALL_NONE](https://www.kernelconfig.io/config_legacy_vsyscall_none).
+
+`enable_page_poisoning: true` will enable [CONFIG_PAGE_POISONING](https://www.kernelconfig.io/config_page_poisoning)
+
+`page_table_isolation` is a countermeasure against attacks on the shared
+user/kernel address space, see [CONFIG_PAGE_TABLE_ISOLATION](https://www.kernelconfig.io/config_page_table_isolation)
+
+`slub_debugger_poisoning`, if set to `true`, prevents many types of use-after-free vulnerabilities and it also prevents leak of data and detection of corrupted memory. See [Short users guide for SLUB](https://github.com/torvalds/linux/blob/master/Documentation/mm/slub.rst#some-more-sophisticated-uses-of-slab_debug).
+
 ### ./defaults/main/limits.yml
 ```yaml
diff --git a/defaults/main/kernel.yml b/defaults/main/kernel.yml
new file mode 100644
index 00000000..a0cf7f24
--- /dev/null
+++ b/defaults/main/kernel.yml
@@ -0,0 +1,5 @@
+---
+allow_virtual_system_calls: true
+enable_page_poisoning: true
+page_table_isolation: true
+slub_debugger_poisoning: false
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 9e8e4356..61c9620c 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
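Review bot: The new defaults file gives no hint of what each key turns into on the kernel command line, so a reader of `defaults/main/kernel.yml` has to cross-reference `tasks/kernel.yml` to learn that `enable_page_poisoning` becomes `page_poison=1`, `page_table_isolation` selects `pti=on`/`pti=auto`, `slub_debugger_poisoning` becomes `slub_debug=P` and `allow_virtual_system_calls: false` becomes `vsyscall=none`. A one-line comment above each key naming that parameter, e.g. `# false -> vsyscall=none on the kernel command line (see tasks/kernel.yml)`, would make the defaults self-describing. It would also be worth a comment stating why `slub_debugger_poisoning` alone defaults to `false` while the other three default to `true`, since nothing in this change explains the asymmetry.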
@@ -27,6 +27,7 @@ provisioner:
 sshd_update_moduli: true
 suid_sgid_permissions: false
 almalinux9:
+ enable_page_poisoning: true
 manage_resolved: false
 manage_timesyncd: false
 sshd_admin_net:
@@ -38,8 +39,10 @@ provisioner:
 sshd_update_moduli: true
 sysctl_conf_dir: /etc/sysctl.d/
 system_upgrade: false
+ slub_debugger_poisoning: true
 ufw_rate_limit: true
 bookworm:
+ allow_virtual_system_calls: false
 ansible_become_pass: vagrant
 ansible_python_interpreter: /usr/bin/python3
 disable_wireless: false
@@ -67,6 +70,7 @@ provisioner:
 jammy:
 disable_ipv6: true
 disable_wireless: true
+ enable_page_poisoning: true
 sshd_admin_net:
 - "0.0.0.0/0"
 sshd_allow_groups:
@@ -83,6 +87,7 @@ provisioner:
 rules:
 - AllowUsers testuser02
 - Banner none
+ slub_debugger_poisoning: true
 platforms:
 - name: almalinux8
 box: almalinux/8
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index e5f243f5..545285a9 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
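Review bot: In the hunks shown the scenario never exercises the RedHat vsyscall path: `allow_virtual_system_calls: false` is set only for `bookworm`, so the `Verify RedHat GRUB virtual system call settings` check added in `verify.yml` is skipped on the RedHat platforms and the matching `grubby --update-kernel=ALL --args="vsyscall=none"` task is never run under test. Likewise no platform here sets `page_table_isolation: false`, so the `pti=auto` branch of both the configure and verify tasks is unverified. Adding `allow_virtual_system_calls: false` under `almalinux9` and `page_table_isolation: false` under one platform would cover both branches, unless host vars outside this diff already do so.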
@@ -686,6 +686,92 @@
 - ansible_os_family == "Debian"
 - disable_ipv6
+ - name: Verify RedHat GRUB virtual system call settings
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ grubby --info="/boot/vmlinuz-$(uname -r)" | grep "vsyscall=none"
+ register: audit_grubenv
+ failed_when: audit_grubenv.rc != 0
+ changed_when: audit_grubenv.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - not allow_virtual_system_calls
+
+ - name: Verify Debian GRUB virtual system call settings
+ ansible.builtin.shell:
+ cmd: grep "linux.*vsyscall=none" /boot/grub/grub.cfg
+ register: page_grub_cfg
+ failed_when: page_grub_cfg.rc != 0
+ changed_when: page_grub_cfg.rc != 0
+ when:
+ - ansible_os_family == "Debian"
+ - not allow_virtual_system_calls
+
+ - name: Verify RedHat GRUB page poisoning settings
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ grubby --info="/boot/vmlinuz-$(uname -r)" | grep "page_poison=1"
+ register: audit_grubenv
+ failed_when: audit_grubenv.rc != 0
+ changed_when: audit_grubenv.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - enable_page_poisoning
+
+ - name: Verify Debian GRUB page poisoning settings
+ ansible.builtin.shell:
+ cmd: grep "linux.*page_poison=1" /boot/grub/grub.cfg
+ register: page_grub_cfg
+ failed_when: page_grub_cfg.rc != 0
+ changed_when: page_grub_cfg.rc != 0
+ when:
+ - ansible_os_family == "Debian"
+ - enable_page_poisoning
+
+ - name: Verify RedHat GRUB page table isolation settings
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ grubby --info="/boot/vmlinuz-$(uname -r)" | grep "pti={{ 'on' if page_table_isolation else 'auto' }}"
+ register: audit_grubenv
+ failed_when: audit_grubenv.rc != 0
+ changed_when: audit_grubenv.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+
+ - name: Verify Debian GRUB page table isolation settings
+ ansible.builtin.shell:
+ cmd: grep "linux.*pti={{ 'on' if page_table_isolation else 'auto' }}" /boot/grub/grub.cfg
+ register: page_grub_cfg
+ failed_when: page_grub_cfg.rc != 0
+ changed_when: page_grub_cfg.rc != 0
+ when:
+ - ansible_os_family == "Debian"
+
+ - name: Verify RedHat GRUB SLUB debugger settings
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ grubby --info="/boot/vmlinuz-$(uname -r)" | grep "slub_debug=P"
+ register: audit_grubenv
+ failed_when: audit_grubenv.rc != 0
+ changed_when: audit_grubenv.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - slub_debugger_poisoning
+
+ - name: Verify Debian GRUB SLUB debugger settings
+ ansible.builtin.shell:
+ cmd: grep "linux.*slub_debug=P" /boot/grub/grub.cfg
+ register: page_grub_cfg
+ failed_when: page_grub_cfg.rc != 0
+ changed_when: page_grub_cfg.rc != 0
+ when:
+ - ansible_os_family == "Debian"
+ - slub_debugger_poisoning
+
 - name: IPv6 sysctl configuration
 become: true
 when:
diff --git a/tasks/kernel.yml b/tasks/kernel.yml
new file mode 100644
index 00000000..9c4ba839
--- /dev/null
+++ b/tasks/kernel.yml
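Review bot: The RedHat checks run wherever `ansible_os_family == "RedHat"`, but the tasks they verify in `tasks/kernel.yml` are skipped when `ansible_virtualization_type` is `container`, `docker` or `podman`, so on a containerised RedHat instance the `grubby --info` greps (the unconditional page table isolation check in particular) fail against a kernel command line the role never configured. Mirroring the same `ansible_virtualization_type not in ["container", "docker", "podman"]` entry in the `when:` of each RedHat check keeps verify consistent with configure. Separately, all eight checks are read-only, so `changed_when: audit_grubenv.rc != 0` / `changed_when: page_grub_cfg.rc != 0` report a failed grep as both changed and failed; `changed_when: false` is the usual form for audit tasks. The registered names `audit_grubenv` and `page_grub_cfg` are reused across unrelated checks, which works because each is consumed immediately, but a per-check name would read better.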
@@ -0,0 +1,105 @@
+---
+- name: Configure Kernel parameters
+ become: true
+ block:
+ - name: Configure virtual system calls
+ ansible.builtin.lineinfile:
+ line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
+ dest: /etc/default/grub.d/99-hardening-vsyscall.cfg
+ state: present
+ create: true
+ mode: "0640"
+ owner: root
+ group: root
+ when:
+ - ansible_os_family == "Debian"
+ - not allow_virtual_system_calls
+ notify:
+ - Update GRUB
+
+ - name: Configure virtual system calls using grubby
+ ansible.builtin.command:
+ cmd: grubby --update-kernel=ALL --args="vsyscall=none"
+ register: grubby_update_kernel
+ changed_when: grubby_update_kernel.rc != 0
+ failed_when: grubby_update_kernel.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_virtualization_type not in ["container", "docker", "podman"]
+ - not allow_virtual_system_calls
+
+ - name: Configure page poisoning
+ ansible.builtin.lineinfile:
+ line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+ dest: /etc/default/grub.d/99-hardening-page-poison.cfg
+ state: present
+ create: true
+ mode: "0640"
+ owner: root
+ group: root
+ when:
+ - ansible_os_family == "Debian"
+ - enable_page_poisoning
+ notify:
+ - Update GRUB
+
+ - name: Configure page poisoning using grubby
+ ansible.builtin.command:
+ cmd: grubby --update-kernel=ALL --args="page_poison=1"
+ register: grubby_update_kernel
+ changed_when: grubby_update_kernel.rc != 0
+ failed_when: grubby_update_kernel.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_virtualization_type not in ["container", "docker", "podman"]
+ - enable_page_poisoning
+
+ - name: Configure page table isolation
+ ansible.builtin.lineinfile:
+ line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti={{ 'on' if page_table_isolation else 'auto' }}"
+ dest: /etc/default/grub.d/99-hardening-pti.cfg
+ state: present
+ create: true
+ mode: "0640"
+ owner: root
+ group: root
+ when:
+ - ansible_os_family == "Debian"
+ notify:
+ - Update GRUB
+
+ - name: Configure page table isolation using grubby
+ ansible.builtin.command:
+ cmd: grubby --update-kernel=ALL --args="pti={{ 'on' if page_table_isolation else 'auto' }}"
+ register: grubby_update_kernel
+ changed_when: grubby_update_kernel.rc != 0
+ failed_when: grubby_update_kernel.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_virtualization_type not in ["container", "docker", "podman"]
+
+ - name: Configure SLUB debugger poisoning
+ ansible.builtin.lineinfile:
+ line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P"
+ dest: /etc/default/grub.d/99-hardening-slub-debug.cfg
+ state: present
+ create: true
+ mode: "0640"
+ owner: root
+ group: root
+ when:
+ - ansible_os_family == "Debian"
+ - slub_debugger_poisoning
+ notify:
+ - Update GRUB
+
+ - name: Configure SLUB debugger poisoning using grubby
+ ansible.builtin.command:
+ cmd: grubby --update-kernel=ALL --args="slub_debug=P"
+ register: grubby_update_kernel
+ changed_when: grubby_update_kernel.rc != 0
+ failed_when: grubby_update_kernel.rc != 0
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_virtualization_type not in ["container", "docker", "podman"]
+ - slub_debugger_poisoning
diff --git a/tasks/main.yml b/tasks/main.yml
index 9f888321..832e5da3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -42,6 +42,12 @@
 - kernel
 - sysctl
+- name: Configure kernel settings
+ ansible.builtin.import_tasks:
+ file: kernel.yml
+ tags:
+ - kernel
+
 - name: Disable kernel modules
 ansible.builtin.import_tasks:
 file: kernelmodules.yml
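Review bot: None of the settings has a revert path: with `enable_page_poisoning: false` or `slub_debugger_poisoning: false` (the latter being the default) the Debian tasks are simply skipped, so a `/etc/default/grub.d/99-hardening-*.cfg` drop-in or a grubby argument left by an earlier run with the flag enabled stays in place and the role silently keeps a setting the operator turned off. Each Debian task needs an `ansible.builtin.file` counterpart with `state: absent` on the same drop-in (notifying `Update GRUB`), and each RedHat task a `grubby --update-kernel=ALL --remove-args=...` counterpart gated on the negated condition; the vsyscall pair is sketched below and the page poisoning and SLUB pairs follow the same shape. The RedHat tasks also pair `changed_when: grubby_update_kernel.rc != 0` with an identical `failed_when`, so they can only ever report ok or failed and never changed; `changed_when: true`, or a prior `grubby --info=ALL` check, would report honestly. The page table isolation pair always writes `pti=auto` when the flag is false, which is the kernel's own default, so that branch could be skipped rather than written.
```yaml
    # … unchanged: Configure virtual system calls (Debian, lineinfile) …
    - name: Remove virtual system call hardening
      ansible.builtin.file:
        path: /etc/default/grub.d/99-hardening-vsyscall.cfg
        state: absent
      when:
        - ansible_os_family == "Debian"
        - allow_virtual_system_calls
      notify:
        - Update GRUB

    # … unchanged: Configure virtual system calls using grubby (RedHat) …
    - name: Remove virtual system call hardening using grubby
      ansible.builtin.command:
        cmd: grubby --update-kernel=ALL --remove-args="vsyscall=none"
      changed_when: true
      when:
        - ansible_os_family == "RedHat"
        - ansible_virtualization_type not in ["container", "docker", "podman"]
        - allow_virtual_system_calls
```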