STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 10 Mar 2021

The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution.

DISA Rule

SV-238368r654279_rule

Vulnerability Number

V-238368

Group Title

SRG-OS-000433-GPOS-00192

Rule Version

UBTU-20-010447

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Ubuntu operating system to enable NX.

If "nx" is not showing up in "/proc/cpuinfo", and the system's BIOS setup configuration permits toggling the No Execution bit, set it to "enable".

Check Contents

Verify the NX (no-execution) bit flag is set on the system with the following commands:

$ dmesg | grep -i "execute disable"
[ 0.000000] NX (Execute Disable) protection: active

If "dmesg" does not show "NX (Execute Disable) protection: active", check the cpuinfo settings with the following command:

$ grep flags /proc/cpuinfo | grep -w nx | sort -u
flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc

If "flags" does not contain the "nx" flag, this is a finding.
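
The check above as a script, added here as an example and not part of the STIG or of STIGQter: it takes the "dmesg" and "/proc/cpuinfo" text as arguments so it can be run against a live host or against collected evidence. The function names and sample inputs are constructed for illustration, and requiring "nx" on every CPU is an assumption that is stricter than the rule's own commands.

```shell
#!/bin/sh
# Added example (not part of the STIG): evaluate UBTU-20-010447 from text,
# so the same logic works on a live host or on collected evidence files.

# True when the kernel log reports NX as active (first check in the rule).
nx_dmesg_active() {
    printf '%s\n' "$1" | grep -qi 'NX (Execute Disable) protection: active'
}

# True only when at least one "flags" line exists and every one lists "nx"
# as a whole word. Anchoring on ^flags skips lines such as "vmx flags".
# Assumption: requiring all CPUs is stricter than the rule's grep pipeline.
nx_cpuinfo_all() {
    printf '%s\n' "$1" | awk -F: '
        /^flags[ \t]*:/ {
            total++
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "nx") { ok++; break }
        }
        END { exit !(total > 0 && ok == total) }'
}

# Prints the verdict; returns 0 for "not a finding", 1 for "finding".
nx_evaluate() {
    if nx_dmesg_active "$1"; then
        echo "NOT A FINDING: dmesg reports NX active"; return 0
    fi
    if nx_cpuinfo_all "$2"; then
        echo "NOT A FINDING: nx flag present on every CPU"; return 0
    fi
    echo "FINDING: NX not reported by dmesg or /proc/cpuinfo"; return 1
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_DMESG='[    0.000000] NX (Execute Disable) protection: active'
SAMPLE_CPUINFO_OK='processor : 0
flags : fpu vme de pse tsc msr nx rdtscp lm constant_tsc
vmx flags : vnmi ept
processor : 1
flags : fpu vme de pse tsc msr nx rdtscp lm constant_tsc'
SAMPLE_CPUINFO_MIXED='processor : 0
flags : fpu vme de pse tsc msr nx rdtscp lm
processor : 1
flags : fpu vme de pse tsc msr rdtscp lm'

# Live use: nx_evaluate "$(dmesg 2>/dev/null)" "$(cat /proc/cpuinfo)"
```

An empty "dmesg" argument falls through to the cpuinfo check, which matches the order of the rule's two steps.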

Documentable

False

Check Content Reference

M

Target Key

5318