MEDIUM RHCOS (Node) M24: CoreOS Kernel Arguments P3

Remediation required. This group (6 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.

Overview

Configures RHCOS kernel boot arguments for security hardening. Enables page table isolation (PTI), vsyscall emulation restrictions, page poisoning, audit subsystem, and USB device restrictions.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check                                  Description
audit-backlog-limit-kernel-argument    Set audit backlog limit via kernel argument
audit-option                           Enable audit=1 kernel argument
nousb-kernel-argument                  Disable USB via kernel argument
page-poison-kernel-argument            Enable page poisoning
pti-kernel-argument                    Enable page table isolation (Meltdown mitigation)
vsyscall-kernel-argument               Set vsyscall=none (disable legacy syscall interface)

Verification

oc debug node/<node> -- chroot /host cat /proc/cmdline | tr ' ' '\n' | grep -E 'audit|nousb|page_poison|pti|vsyscall'
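Added example (not from this tracker or from compliance-operator): a POSIX sh helper that scores a captured /proc/cmdline against the six checks above, matching whole tokens so that values such as pti=off or audit=0 do not count as a pass the way a substring grep would. The check names and expected values are those in the table; the usage comment assumes the same oc debug command as the verification line, and the command lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the compliance tracker.
# Evaluate a kernel command line against the rhcos4-moderate kernel-argument checks.
# Usage: report_cmdline "$(oc debug node/<node> -- chroot /host cat /proc/cmdline)"

# check-name:expected-token pairs, in the order the tracker lists the checks.
EXPECTED='audit-backlog-limit-kernel-argument:audit_backlog_limit=8192
audit-option:audit=1
nousb-kernel-argument:nousb
page-poison-kernel-argument:page_poison=1
pti-kernel-argument:pti=on
vsyscall-kernel-argument:vsyscall=none'

# has_arg CMDLINE TOKEN: succeed only if TOKEN is a whole word of CMDLINE.
# grep -x forces an exact token match, so audit=0 never satisfies audit=1.
has_arg() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# missing_args CMDLINE: print the names of the failing checks, space-separated
# (empty line when every check passes). Always exits 0 so it is safe under set -e.
missing_args() {
    missing=
    for pair in $EXPECTED; do
        check=${pair%%:*}
        arg=${pair#*:}
        if ! has_arg "$1" "$arg"; then
            missing="$missing${missing:+ }$check"
        fi
    done
    printf '%s\n' "$missing"
}

# report_cmdline CMDLINE: print one PASS/FAIL line per check; the exit status is
# the number of failing checks, so 0 means the node would pass this group.
report_cmdline() {
    failures=0
    for pair in $EXPECTED; do
        check=${pair%%:*}
        arg=${pair#*:}
        if has_arg "$1" "$arg"; then
            printf 'PASS %s\n' "$check"
        else
            printf 'FAIL %s (want %s)\n' "$check" "$arg"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```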

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Proposed change: audit=1, audit_backlog_limit=8192, pti=on, page_poison=1, vsyscall=none
  Scope: All OCP (Low)
  Repository: openshift/os, default kernel command line arguments
  KSPP-recommended boot parameters: enable the audit subsystem, kernel page table isolation, memory poisoning and vsyscall elimination.
  Rationale: audit=1 and the KSPP kernel args (pti, page_poison, vsyscall=none) are universally beneficial security defaults with negligible performance impact.

Proposed change: nousb
  Scope: RAN (High)
  Repository: openshift/os (opt-in only), optional hardening profile kernel arg
  Disables USB entirely. Prevents USB-based attacks but breaks BMC KVM and USB provisioning, so it should be opt-in rather than a default.
  Rationale: disabling USB entirely breaks BMC KVM and USB-based provisioning; must be opt-in for specific hardened deployments only.

PR History

audit=1, audit_backlog_limit=8192, pti=on, page_poison=1, vsyscall=none
  Status: Not filed (blocked)
  Mostly redundant with existing defaults. pti=on is already the default on x86_64 for Meltdown-vulnerable CPUs. audit=1 is already effective: audit messages flood the console on a fresh FCOS boot (fedora-coreos-tracker#220). page_poison=1 is a legacy KSPP recommendation superseded by init_on_alloc/init_on_free in modern kernels. vsyscall=none may already be the default on modern builds. audit_backlog_limit=8192 is operational tuning. The CoreOS hardening discussion (fedora-coreos-tracker#805) focused on GRUB passwords, not kernel args.