Bug 2055118

Summary: Add page_alloc.shuffle=1 kernel command line parameter to the OSPP profile
Product: Red Hat Enterprise Linux 9 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA QA Contact: Milan Lysonek <mlysonek>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: ggasparb, jpazdziora, mhaicman, mlysonek, openscap-maint, vpolasek, wsato
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.60-4.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-17 13:53:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2022-02-16 10:29:30 UTC 
Description of problem:

Based on performance impact analysis of the page_alloc.shuffle=1 done in bug 2042500 and the security impact assessment, we'd like a new SCAP rule to be added to RHEL 9 OSPP SCAP profile to set the page_alloc.shuffle=1 kernel command line parameter.

Per https://cateee.net/lkddb/web-lkddb/SHUFFLE_PAGE_ALLOCATOR.html, the CONFIG_SHUFFLE_PAGE_ALLOCATOR config option is primarily focused on improving the average utilization of a direct-mapped memory-side-cache. Aside of this performance effect, it also reduces predictability of page allocations in situations when the the bad actor can crash the system and somehow leverage knowledge of (page) allocation order right after a fresh reboot, or can control the timing between a hot-pluggable memory node (as in NUMA node) and applications allocating memory ouf of that node. The page_alloc.shuffle=1 kernel command line parameter then forces this functionality irrespectively of memory cache architecture.

Adding this parameter is not directly related to any SFR, it is a preventive measure against potential future vulnerabilities.

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.60-1.el9

How reproducible:

Deterministic.

Steps to Reproduce:
1. oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
2. reboot
3. cat /proc/cmdline
4. grep page_alloc.shuffle=1 /proc/cmdline
5. cat /sys/module/page_alloc/parameters/shuffle

Actual results:

/proc/cmdline does not contain page_alloc.shuffle=1
/sys/module/page_alloc/parameters/shuffle may contain N, especially on a VM.

Expected results:

/proc/cmdline does contains page_alloc.shuffle=1
/sys/module/page_alloc/parameters/shuffle contains Y

Additional info:
Comment 1 Jan Pazdziora (Red Hat) 2022-02-16 10:31:17 UTC 
This is a followup to the general RHEL 9 OSPP SCAP profile kernel command line parameters bug 2016038.
Comment 7 Vojtech Polasek 2022-02-16 15:41:09 UTC 
Fixed upstream:
https://github.com/ComplianceAsCode/content/pull/8234
Comment 15 errata-xmlrpc 2022-05-17 13:53:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: scap-security-guide), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2610