STIGQter: STIG Summary: Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021

The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution.

DISA Rule

SV-219341r610963_rule

Vulnerability Number

V-219341

Group Title

SRG-OS-000433-GPOS-00192

Rule Version

UBTU-18-010513

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Ubuntu operating system to enable NX.

If "nx" is not showing up in /proc/cpuinfo and the system's BIOS setup configuration permits toggling the No Execution bit, then set it to "enable".

Check Contents

Verify the NX (no-execution) bit flag is set on the system.

Check that the no-execution bit flag is set with the following commands:

# dmesg | grep -i "execute disable"
[ 0.000000] NX (Execute Disable) protection: active

If "dmesg" does not show "NX (Execute Disable) protection: active", check the cpuinfo settings with the following command:

# grep flags /proc/cpuinfo | grep -w nx | sort -u
flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc

If "flags" does not contain the "nx" flag, this is a finding.
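
The two-step check above, written as a shell function (an added example, not part of the STIG or STIGQter). The names nx_check and nx_make_samples and the sample inputs are constructed for illustration; the cpuinfo step is stricter than the STIG command in that it requires the flag on every logical CPU.

```shell
#!/bin/sh
# Added example (not from the STIG): the UBTU-18-010513 check as a function.
# Usage on a live host:  dmesg | nx_check /dev/stdin /proc/cpuinfo
# Returns 0 when NX is confirmed, 1 when the result is a finding.
nx_check() {
    dmesg_src=$1
    cpuinfo_src=$2
    # Step 1: the kernel's boot message. It can be missing when the ring
    # buffer has wrapped or dmesg is restricted, so absence is not a finding.
    if grep -qi 'NX (Execute Disable) protection: active' "$dmesg_src" 2>/dev/null; then
        echo "PASS: dmesg reports NX protection active"
        return 0
    fi
    # Step 2: fall back to the CPU flags. Stricter than the STIG command:
    # every "flags" line (one per logical CPU) must list nx as a whole word.
    total=$(grep -c '^flags' "$cpuinfo_src" 2>/dev/null || true)
    if [ "${total:-0}" -eq 0 ]; then
        echo "FINDING: no flags lines found in $cpuinfo_src"
        return 1
    fi
    missing=$(grep '^flags' "$cpuinfo_src" | grep -vcw nx || true)
    if [ "$missing" -eq 0 ]; then
        echo "PASS: nx flag present on all $total logical CPUs"
        return 0
    fi
    echo "FINDING: nx flag absent on $missing of $total logical CPUs"
    return 1
}

# Writes constructed sample inputs (not captured from a real host) into a
# temporary directory and prints its path. "pnx" is a made-up flag that
# shows why the whole-word match (-w) matters.
nx_make_samples() {
    sample_dir=$(mktemp -d) || return 2
    printf '[    0.000000] NX (Execute Disable) protection: active\n' > "$sample_dir/dmesg_ok"
    printf '[    0.000000] Linux version 4.15.0\n' > "$sample_dir/dmesg_wrapped"
    printf 'flags\t\t: fpu vme de pse tsc nx rdtscp lm\n' > "$sample_dir/cpu_ok"
    printf 'flags\t\t: fpu vme de pse tsc rdtscp lm pnx\n' > "$sample_dir/cpu_bad"
    cat "$sample_dir/cpu_ok" "$sample_dir/cpu_bad" > "$sample_dir/cpu_mixed"
    echo "$sample_dir"
}
```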

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4055