OpenShift must enable poisoning of SLUB/SLAB objects.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257550	CNTR-OS-000580	SV-257550r961149_rule	CCI-001090	medium
Description
By enabling poisoning of SLUB/SLAB objects, OpenShift can detect and identify use-after-free scenarios more effectively. The poisoned objects are marked as invalid or inaccessible, causing crashes or triggering alerts when an application attempts to access them. This helps identify and mitigate potential security vulnerabilities before they can be exploited.
STIG			Date
Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide			2025-05-15

Related Frameworks

3 paths across 3 frameworks

NIST 800-531 mapping

SC-4

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1711 mapping

3.13.4

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-001090

1.00

DISA · 2 · disa_xccdf · related

Details

Check Text (C-257550r961149_chk)

Verify that Red Hat Enterprise Linux CoreOS (RHCOS) is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep slub_debug /boot/loader/entries/*.conf ' 2>/dev/null; done If "slub_debug" is not set to "P" or is missing, this is a finding.

Fix Text (F-61209r921592_fix)

Apply the machine config to enable poisoning of SLUB/SLAB objects by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: name: 05-kernelarg-slub-debug-$mcpool labels: machineconfiguration.openshift.io/role: $mcpool spec: config: ignition: version: 3.1.0 kernelArguments: - slub_debug=P " | oc apply -f - done