STIGQter: STIG Summary: VMware vRealize Automation 7.x SLES Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018

The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.

DISA Rule

SV-100467r1_rule

Vulnerability Number

V-89817

Group Title

SRG-OS-000433-GPOS-00192

Rule Version

VRAU-SL-001335

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the /boot/grub/menu.lst file and add “noexec=on” to the end of each kernel line entry. A system restart is required to implement this change.

Check Contents

The stock kernel has support for non-executable program stacks compiled in by default. Verify that the option was specified when the kernel was built:

# grep -i "execute" /var/log/boot.msg

The message: "NX (Execute Disable) protection: active" will be written in the boot log when compiled in the kernel. This is the default for x86_64.

To activate this support, the “noexec=on” kernel parameter must be specified at boot time. Check for a message with the following command:

# grep -i "noexec" /var/log/boot.msg

The message: "Kernel command line: <boot parameters> noexec=on" will be written to the boot log when properly appended to the /boot/grub/menu.lst file.

If non-executable program stacks have not been configured, this is a finding.
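As an added example (not part of the STIG text or the STIGQter page), the shell function below automates the two grep checks above against a boot log and reports whether VRAU-SL-001335 is a finding; the function name and the sample boot.msg lines are constructed for this illustration.

```sh
#!/bin/sh
# Added example: automate the VRAU-SL-001335 check against a boot log.
# Return 0 when both conditions hold (NX active and noexec=on on the kernel
# command line), 1 when either is missing (a finding), 2 if the log is unreadable.
# The path defaults to /var/log/boot.msg as in the STIG check text.
check_nx_boot_log() {
  log="${1:-/var/log/boot.msg}"
  [ -r "$log" ] || { echo "cannot read $log"; return 2; }
  nx_ok=0; noexec_ok=0
  # Step 1: NX support compiled in and active (the default on x86_64).
  if grep -iq "NX (Execute Disable) protection: active" "$log"; then
    nx_ok=1
  fi
  # Step 2: noexec=on present on the "Kernel command line:" message. Anchoring
  # on that message avoids matching a "noexec" mount option logged elsewhere.
  if grep -i "Kernel command line:" "$log" | grep -iqw "noexec=on"; then
    noexec_ok=1
  fi
  if [ "$nx_ok" -eq 1 ] && [ "$noexec_ok" -eq 1 ]; then
    echo "VRAU-SL-001335: not a finding (NX active, noexec=on present)"
    return 0
  fi
  echo "VRAU-SL-001335: FINDING (nx_active=$nx_ok noexec_on=$noexec_ok)"
  return 1
}

# Constructed sample logs (not real captures) so the check runs stand-alone.
compliant_log=$(mktemp); noncompliant_log=$(mktemp)
trap 'rm -f "$compliant_log" "$noncompliant_log"' EXIT
cat > "$compliant_log" <<'EOF'
<6>Kernel command line: root=/dev/sda2 resume=/dev/sda1 splash=silent noexec=on
<6>NX (Execute Disable) protection: active
EOF
cat > "$noncompliant_log" <<'EOF'
<6>Kernel command line: root=/dev/sda2 resume=/dev/sda1 splash=silent
<6>NX (Execute Disable) protection: active
EOF

# Run the check against both samples; only the first should pass.
check_nx_boot_log "$compliant_log" || true
check_nx_boot_log "$noncompliant_log" || true
```

On a real host, call the function with no argument (or pass another log path) after a reboot, since the messages are only written at boot.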

Vulnerability Number

V-89817

Documentable

False

Rule Version

VRAU-SL-001335

Severity Override Guidance
Check Content Reference

M

Target Key

3459

Comments