STIGQter STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The system must limit the ability of processes to have simultaneous write and execute access to memory.

DISA Rule

SV-208849r603263_rule

Vulnerability Number

V-208849

Group Title

SRG-OS-000480

Rule Version

OL6-00-000079

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the system being evaluated is running a Red Hat-compatible operating system kernel, then ensure that the "kernel.exec-shield" kernel parameter is set to "1". If the system is running an Oracle Unbreakable Enterprise Kernel, this parameter does not exist. When an Unbreakable Enterprise Kernel is booted, Oracle's Data Execution Prevention (DEP) feature will leverage the hardware-enforced NX (never execute) bit of compatible CPUs to protect against code being executed from the stack. By default, DEP is enabled. If DEP is not enabled, ensure that the string "noexec=off" does not appear in /boot/grub/grub.conf.

First, determine if the system is operating an Oracle Unbreakable Enterprise Kernel (UEK):

# uname -r | grep uek

If no value is returned, the system is running a Red Hat-compatible kernel. Edit (or add if necessary) the entry in /etc/sysctl.conf for the "kernel.exec-shield" kernel parameter. Ensure that this parameter is set to "1" as in:

kernel.exec-shield = 1

If this was not already the default, reboot the system for the change to take effect.

If the system was found to be running an Unbreakable Enterprise Kernel, then ensure that the string "noexec=off" is not found in /boot/grub/grub.conf:

# grep noexec=off /boot/grub/grub.conf

If found, remove the offending kernels from /boot/grub/grub.conf.

Check Contents

If the system being evaluated is running a Red Hat-compatible operating system kernel, check that the "kernel.exec-shield" kernel parameter is set to "1" in /etc/sysctl.conf. If the system is running an Oracle Unbreakable Enterprise kernel, verify that Oracle's Data Execution Prevention is enabled.

First, determine if the system is operating an Oracle Unbreakable Enterprise Kernel (UEK):

# uname -r | grep uek

If no value is returned, the system is running a Red Hat-compatible kernel. Verify that the "kernel.exec-shield" kernel parameter is set to "1" in the running kernel and /etc/sysctl.conf:

# sysctl kernel.exec-shield
# grep ^kernel\.exec-shield /etc/sysctl.conf | awk -F= '{ print $2 }'
kernel.exec-shield = 1

If there is no value returned, or if a value is returned that is not "1", this is a finding.

If the system was found to be running an Unbreakable Enterprise Kernel, verify that DEP is enabled:

# dmesg | grep 'NX.*protection:'

If there is no value returned, or if a value is returned that is not "NX (Execute Disable) protection: active", this is a finding.

Note that this is not a finding when the underlying processor architecture does not support the "Execute Disable" (NX) capability. To determine if the processor supports the NX capability, run the following:

# grep nx /proc/cpuinfo

If there is no value returned, this is not applicable.

Vulnerability Number

V-208849

Documentable

False

Rule Version

OL6-00-000079

Severity Override Guidance

If the system being evaluated is running a Red Hat-compatible operating system kernel, check that the "kernel.exec-shield" kernel parameter is set to "1" in /etc/sysctl.conf. If the system is running an Oracle Unbreakable Enterprise kernel, verify that Oracle's Data Execution Prevention is enabled.

First, determine if the system is operating an Oracle Unbreakable Enterprise Kernel (UEK):

# uname -r | grep uek

If no value is returned, the system is running a Red Hat-compatible kernel. Verify that the "kernel.exec-shield" kernel parameter is set to "1" in the running kernel and /etc/sysctl.conf:

# sysctl kernel.exec-shield
# grep ^kernel\.exec-shield /etc/sysctl.conf | awk -F= '{ print $2 }'
kernel.exec-shield = 1

If there is no value returned, or if a value is returned that is not "1", this is a finding.

If the system was found to be running an Unbreakable Enterprise Kernel, verify that DEP is enabled:

# dmesg | grep 'NX.*protection:'

If there is no value returned, or if a value is returned that is not "NX (Execute Disable) protection: active", this is a finding.

Note that this is not a finding when the underlying processor architecture does not support the "Execute Disable" (NX) capability. To determine if the processor supports the NX capability, run the following:

# grep nx /proc/cpuinfo

If there is no value returned, this is not applicable.

Check Content Reference

M

Target Key

2928

Comments