MEDIUM RHCOS (Node) M24: CoreOS Kernel Arguments P3
Remediation required. This group (6 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Configures RHCOS kernel boot arguments for security hardening. Enables page table isolation (PTI), vsyscall emulation restrictions, page poisoning, audit subsystem, and USB device restrictions.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| audit-backlog-limit-kernel-argument | Set the audit backlog limit via kernel argument (audit_backlog_limit=8192) |
| audit-option | Enable the audit subsystem at boot (audit=1) |
| nousb-kernel-argument | Disable USB via kernel argument (nousb) |
| page-poison-kernel-argument | Enable page poisoning (page_poison=1) |
| pti-kernel-argument | Enable kernel page table isolation, the Meltdown mitigation (pti=on) |
| vsyscall-kernel-argument | Disable the legacy vsyscall interface (vsyscall=none) |
Verification
```shell
oc debug node/<node> -- chroot /host cat /proc/cmdline | tr ' ' '\n' | grep -E 'audit|nousb|page_poison|pti|vsyscall'
```
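As an added example (not code from this page, compliance-operator, or openshift/os), the POSIX shell script below turns the verification command into a pass/fail check against the kernel arguments listed in the checks table, and renders the MachineConfig that a remediation would apply. The field names follow the MachineConfig API (`spec.kernelArguments` is a list of strings); the object name with its `75-` prefix and the sample command line are assumed placeholders. `nousb` is kept in a separate optional list, matching the opt-in recommendation in the upstream proposal.

```shell
#!/bin/sh
# Added example: check /proc/cmdline against the rhcos4-moderate kernel
# arguments listed on this page and render the remediating MachineConfig.
# Not code from compliance-operator or openshift/os.

# Arguments proposed as cluster-wide defaults (from the Upstream Proposal table).
BASE_ARGS="audit=1 audit_backlog_limit=8192 pti=on page_poison=1 vsyscall=none"
# Opt-in argument: the nousb-kernel-argument check requires it, but it breaks
# BMC KVM and USB provisioning, so it is kept separate.
OPTIONAL_ARGS="nousb"

# check_cmdline CMDLINE ARGS
#   Prints "MISSING <arg>" for every expected argument that does not appear
#   as a whole token in CMDLINE; returns 0 when all are present, 1 otherwise.
#   Whole-token matching means audit=1 does not match audit=10.
check_cmdline() {
  cmdline=" $1 "
  missing=0
  for arg in $2; do
    case "$cmdline" in
      *" $arg "*) ;;
      *) echo "MISSING $arg"; missing=$((missing + 1)) ;;
    esac
  done
  [ "$missing" -eq 0 ]
}

# check_node NODE ARGS
#   Reads the live command line of an OCP node with the command from the
#   Verification section and runs check_cmdline on it (needs cluster access).
check_node() {
  check_cmdline "$(oc debug node/"$1" -- chroot /host cat /proc/cmdline 2>/dev/null)" "$2"
}

# render_machineconfig ROLE ARGS
#   Emits a MachineConfig that appends ARGS to the kernel command line of
#   every node with the given role. The object name is an assumed placeholder.
render_machineconfig() {
  role="$1"
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-${role}-kernel-args-hardening
  labels:
    machineconfiguration.openshift.io/role: ${role}
spec:
  kernelArguments:
EOF
  for arg in $2; do
    printf '    - %s\n' "$arg"
  done
}

# Constructed sample: a worker node's command line before remediation
# (paths and UUIDs are placeholders, not values from a real node).
SAMPLE_CMDLINE="BOOT_IMAGE=(hd0,gpt3)/ostree/rhcos-0000/vmlinuz root=UUID=0000 rw ostree=/ostree/boot.1/rhcos/0000/0 audit=1"

# Usage when run as `sh script.sh demo`: report what is missing on the sample,
# then print the MachineConfig that would add the base arguments to workers.
if [ "${1:-}" = "demo" ]; then
  check_cmdline "$SAMPLE_CMDLINE" "$BASE_ARGS" || echo "node is non-compliant"
  render_machineconfig worker "$BASE_ARGS"
fi
```

To check a real node, call `check_node <node> "$BASE_ARGS"` (and `check_node <node> "$OPTIONAL_ARGS"` only for deployments that have opted into `nousb`). Applying the rendered MachineConfig triggers a rolling reboot of the targeted pool, so render for one role at a time.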
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| audit=1, audit_backlog_limit=8192, pti=on, page_poison=1, vsyscall=none | All OCP | openshift/os | Default kernel command line arguments | KSPP-recommended boot parameters: enable the audit subsystem, kernel page table isolation, memory poisoning and vsyscall elimination. audit=1 and the KSPP kernel args (pti, page_poison, vsyscall=none) are universally beneficial security defaults with negligible performance impact. | Low |
| nousb | RAN | openshift/os (opt-in only) | Optional hardening profile kernel arg | Disables USB entirely. Prevents USB-based attacks but breaks BMC KVM and USB-based provisioning. Must be opt-in for specific hardened deployments only, not the default. | High |