Unhashed Kernel Memory Error in DMESG
Introduction
Security Technical Implementation Guides (STIGs) produced by the Defense Information Systems Agency (DISA) are heavily implemented in the Enterprise Linux ecosystem. The configurations provided allow for hardening and mitigation against cybersecurity threats.
When DISA STIG is implemented in Rocky Linux, there are occasions where you see messages in dmesg about reduced security. This article explains one such message, about unhashed kernel memory addresses, and whether any action needs to be taken.
Problem
When looking at dmesg you see a warning: This system shows unhashed kernel memory addresses.
Symptoms
The following messages are shown:
[ 0.012710] **********************************************************
[ 0.012710] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.012711] ** **
[ 0.012711] ** This system shows unhashed kernel memory addresses **
[ 0.012711] ** via the console, logs, and other interfaces. This **
[ 0.012712] ** might reduce the security of your system. **
[ 0.012712] ** **
[ 0.012712] ** If you see this message and you are not debugging **
[ 0.012712] ** the kernel, report this immediately to your system **
[ 0.012713] ** administrator! **
[ 0.012713] ** **
[ 0.012713] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.012713] **********************************************************
Root Cause
This is caused by the slub_debug=P option being added to the kernel command-line parameters during boot. This configuration is required by DISA STIG in Enterprise Linux 8 and DISA STIG in Enterprise Linux 9 to help mitigate use-after-free based attacks.
The message does not indicate any issues with the server’s operation and can be safely ignored.
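To confirm on a given host that the notice is explained by the STIG setting rather than something else, the check below compares the kernel command line with the dmesg text. It is an added example, not part of the original article: the function names and sample strings are constructed, and the no_hash_pointers branch reflects the upstream kernel parameter of that name, which this article does not discuss.

```shell
#!/bin/sh
# Added example: decide whether the "unhashed kernel memory addresses" notice
# is explained by the STIG-required slub_debug=P boot parameter.
# Function names and sample strings are constructed for illustration.

# Print the flag letters of the last slub_debug=<flags> word on a kernel
# command line (text before the first comma), or nothing if it is absent.
slub_debug_flags() (
    set -f                      # cache names such as kmalloc-* must not glob
    flags=
    for word in $1; do
        case "$word" in
            slub_debug=*) flags=${word#slub_debug=}; flags=${flags%%,*} ;;
        esac
    done
    printf '%s\n' "$flags"
)

# has_word CMDLINE WORD: true if WORD is a whole parameter on the command line.
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# classify_notice CMDLINE DMESG_TEXT prints one of:
#   no-notice      the banner is not in the log
#   expected-stig  banner present and slub_debug includes P (this article's case)
#   debug-param    banner present and no_hash_pointers was passed at boot
#   investigate    banner present with neither explanation
classify_notice() {
    case "$2" in
        *"unhashed kernel memory addresses"*) ;;
        *) echo "no-notice"; return 0 ;;
    esac
    case "$(slub_debug_flags "$1")" in
        *P*) echo "expected-stig"; return 0 ;;
    esac
    if has_word "$1" no_hash_pointers; then echo "debug-param"; else echo "investigate"; fi
}

# Constructed sample input, not captured from a real host.
SAMPLE_CMDLINE='root=/dev/mapper/rl-root ro slub_debug=P'
SAMPLE_NOTICE='[    0.012711] ** This system shows unhashed kernel memory addresses **'
echo "sample: $(classify_notice "$SAMPLE_CMDLINE" "$SAMPLE_NOTICE")"

# Live check; dmesg may need root when kernel.dmesg_restrict is set.
if [ -r /proc/cmdline ]; then
    echo "live: $(classify_notice "$(cat /proc/cmdline)" "$(dmesg 2>/dev/null || true)")"
fi
```

A result of investigate means the banner is present without slub_debug=P on the command line, which is the situation the banner itself asks to have reported to the system administrator.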