Detections
Analytics
RHEL-10-701050 - RHEL 10 must prevent the loading of a new kernel for later execution.
Information
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used to subvert the entire secureboot process and should be avoided at all costs, especially because it can load unsigned kernel images.
Solution
Configure RHEL 10 to disable kernel image loading.Create a drop-in if it does not already exist:
$ sudo vi /etc/sysctl.d/99-kernel_kexec_load_disabled.conf
Add the following to the file:
kernel.kexec_load_disabled = 1
Reload settings from all system configuration files with the following command:
$ sudo sysctl --system
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_10_V1R1_STIG.zip
Item Details
Audit Name: DISA Red Hat Enterprise Linux 10 STIG v1r1
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-5(3), CAT|I, CCI|CCI-003992, Rule-ID|SV-281307r1184629_rule, STIG-ID|RHEL-10-701050, Vuln-ID|V-281307
Plugin: Unix
Control ID: e58d42a525a9cf5e398a30c9e10d51b6a5d7a6f6cd95d8b654b16c5ce0951477