STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 7 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide

V-257550

CAT II (Medium)

OpenShift must enable poisoning of SLUB/SLAB objects.

Rule ID

SV-257550r961149_rule

STIG

Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-001090

Discussion

By enabling poisoning of SLUB/SLAB objects, OpenShift can detect and identify use-after-free scenarios more effectively. The poisoned objects are marked as invalid or inaccessible, causing crashes or triggering alerts when an application attempts to access them. This helps identify and mitigate potential security vulnerabilities before they can be exploited.

Check Content

Verify that Red Hat Enterprise Linux CoreOS (RHCOS) is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME ";  grep slub_debug /boot/loader/entries/*.conf ' 2>/dev/null; done

If "slub_debug" is not set to "P" or is missing, this is a finding.

Fix Text

Apply the machine config to enable poisoning of SLUB/SLAB objects by executing the following:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 05-kernelarg-slub-debug-$mcpool
  labels:
    machineconfiguration.openshift.io/role: $mcpool
spec:
  config:
    ignition:
      version: 3.1.0
  kernelArguments:
  - slub_debug=P
" | oc apply -f -
done