STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide

V-257548

CAT II (Medium)

OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.

Rule ID

SV-257548r1156737_rule

STIG

Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide

Version

V2R5

CCIs

CCI-001090

Discussion

Enabling page poisoning in OpenShift improves memory safety, mitigates memory corruption vulnerabilities, aids in fault isolation, assists with debugging. It enhances the overall security and stability of the platform, reducing the risk of memory-related exploits and improving the resilience of applications running on OpenShift.

Check Content

1. Check the current CoreOS boot loader configuration has page poisoning enabled by executing the following:
 for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME ";  grep page_poison /boot/loader/entries/*.conf|| echo "not found"' 2>/dev/null; done

If "page_poison" is not set to "1" or returns "not found", this is a finding.

2. Where OpenShift Virtualization is enabled, execute the following:
$ oc get hyperconvergeds kubevirt-hyperconverged -n openshift-cnv
-ojsonpath='{.spec.ksmConfiguration}'

If this is set to anything other than "false", this is a finding.

3. Where OpenShift Virtualization is enabled, execute the following:
$ oc get vm -ojson -A | jq '.items[] |
select(.spec.template.spec.domain.devices.disks[].shareable == true)|
.metadata.namespace + "/" + .metadata.name'

If these results show disks flagged the shareable, this is a finding.

4. Where OpenShift Virtualization is enabled, and Windows SCF is not in use:
$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv
-ojsonpath='{.spec.featureGates.persistentReservation}'

If this is set to anything other than "false", this is a finding.

Fix Text

Apply the machine config to enable page poisoning by executing the following: 

 for mcpool in $(oc get mcp -oname | sed 's:.*/::' ); do
echo 'apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
 name: 05-kernelarg-page-poison-$mcpool
 labels:
 machineconfiguration.openshift.io/role: $mcpool
spec:
 config:
 ignition:
 version: 3.1.0
 kernelArguments:
 - page_poison=1
' | oc apply -f -
done 

Where OpenShift Virtualization is enabled and Windows SCF is not in use execute the following:
$ oc patch hyperconverged kubevirt-hyperconverged -n openshift-cnv
--type='json' -p='[
{"op": "replace", "path":
"/spec/featureGates/persistentReservation", "value": false },
]'

Where OpenShift Virtualization is enabled:
Edit the object and set the field to false: 
'oc edit hyperconverged kubevirt-hyperconverged -n openshift-cnv'

To set a shareable flag to false on every disk, this (experimental) command can be used:
$ oc get vm <vm-name> -o json | jq
'.spec.template.spec.domain.devices.disks[] += {"shareable":false}' |
oc apply -f -