OpenShift must disable virtual syscalls.

STIG ID: CNTR-OS-000570  |  SRG: SRG-APP-000243-CTR-000600 |  Severity: medium |  CCI: CCI-001090 |  Vulnerability Id: V-257549 | 

Vulnerability Discussion

Virtual syscalls are a mechanism that allows user-space programs to make privileged system calls without transitioning to kernel mode. However, this feature can introduce additional security risks. Disabling virtual syscalls helps to mitigate potential vulnerabilities associated with this mechanism. By reducing the attack surface and limiting the ways in which user-space programs can interact with the kernel, OpenShift can enhance the overall security posture of the platform.

Check

Check the current CoreOS boot loader configuration has virtual syscalls disabled by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep vsyscall=none boot/loader/entries/*.conf || echo "not found"' 2>/dev/null; done

If "vsyscall" is not set to "none" or returns "not found", this is a finding.

Fix

Apply the machine config to disable virtual syscalls by executing the following:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 05-kernelarg-vsyscall-none-$mcpool
labels:
machineconfiguration.openshift.io/role: $mcpool
spec:
config:
ignition:
version: 3.1.0
kernelArguments:
- vsyscall=none
" | oc apply -f -
done
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.