OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-257548 | CNTR-OS-000560 | SV-257548r961149_rule | CCI-001090 | medium |
| Description | ||||
| Enabling page poisoning in OpenShift improves memory safety, mitigates memory corruption vulnerabilities, aids in fault isolation, assists with debugging. It enhances the overall security and stability of the platform, reducing the risk of memory-related exploits and improving the resilience of applications running on OpenShift. | ||||
| STIG | Date | |||
| Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide | 2025-05-15 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
SC-4
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.13.4
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-001090
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-257548r961149_chk)
Check the current CoreOS boot loader configuration has page poisoning enabled by executing the following:
for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep page_poison /boot/loader/entries/*.conf|| echo "not found"' 2>/dev/null; done
If "page_poison" is not set to "1" or returns "not found", this is a finding.
Fix Text (F-61207r921586_fix)
Apply the machine config to enable page poisoning by executing the following:
for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 05-kernelarg-page-poison-$mcpool
labels:
machineconfiguration.openshift.io/role: $mcpool
spec:
config:
ignition:
version: 3.1.0
kernelArguments:
- page_poison=1
" | oc apply -f -
done