1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
documentation_complete: true
title: 'Ensure SMAP is not disabled during boot'
description: |-
The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
memory pages in the user space, it is enabled by default since Linux kernel 3.7.
But it could be disabled through kernel boot parameters.
Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by
the <tt>nosmap</tt> boot paramenter option.
{{{ describe_grub2_argument_absent("nosmap") | indent(4) }}}
rationale: |-
Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and
manipulation of data in the user space.
severity: medium
identifiers:
cce@rhel8: CCE-87345-5
cce@rhel9: CCE-88345-4
cce@rhel10: CCE-89372-7
ocil_clause: 'the kernel is configured to disable SMAP'
ocil: |-
Make sure that the kernel is not disabling SMAP with the following
commands.
<pre>grep -q nosmap /boot/config-`uname -r`</pre>
If the command returns a line, it means that SMAP is being disabled.
template:
name: grub2_bootloader_argument_absent
vars:
arg_name: nosmap
|
