Detections
Analytics
ALMA-09-044570 - AlmaLinux OS 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
Information
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis.When the kernel places the memory regions of a process, such as the stack and heap, higher than this address, the hardware prevents execution in that address range.
Solution
Update the GRUB 2 bootloader configuration to ensure the noexec kernel parameter is not enabled using the following command:$ grubby --update-kernel=ALL --remove-args=noexec
Enable the NX bit execute protection in the system BIOS.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CL_AlmaLinux_OS_9_V1R6_STIG.zip
Item Details
Audit Name: DISA Cloud Linux AlmaLinux OS 9 STIG v1r6
Category: SYSTEM AND INFORMATION INTEGRITY
References: 800-53|SI-16, CAT|II, CCI|CCI-002824, Rule-ID|SV-269449r1050620_rule, STIG-ID|ALMA-09-044570, Vuln-ID|V-269449
Plugin: Unix
Control ID: fdb12074fd4e6649858088ad56bb7f9d3d37739576d9e671adaad53a2cebc26c