RHEL 10 must prevent the loading of a new kernel for later execution.

STIG ID: RHEL-10-701050  |  SRG: SRG-OS-000366-GPOS-00153 |  Severity: high (CAT I)  |  CCI: CCI-003992 |  Vulnerability Id: V-281307

Vulnerability Discussion

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.

Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used to subvert the entire secureboot process and should be avoided at all costs, especially because it can load unsigned kernel images.

Check

Verify RHEL 10 is configured to disable kernel image loading.

Check the status of the "kernel.kexec_load_disabled" kernel parameter with the following command:

$ sudo sysctl kernel.kexec_load_disabled
kernel.kexec_load_disabled = 1

If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding.

Fix

Configure RHEL 10 to disable kernel image loading.

Create a drop-in if it does not already exist:

$ sudo vi /etc/sysctl.d/99-kernel_kexec_load_disabled.conf

Add the following to the file:

kernel.kexec_load_disabled = 1

Reload settings from all system configuration files with the following command:

$ sudo sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.