
Make the kernel text and rodata read-only

An XCCDF Rule

Description

When set, kernel text and rodata memory will be made read-only, and non-text memory will be made non-executable. This configuration is available from kernel 4.11. The configuration that was used to build the kernel is available at /boot/config-*. To check the configuration value for CONFIG_STRICT_KERNEL_RWX, run the following command:

grep CONFIG_STRICT_KERNEL_RWX /boot/config-*

For each kernel installed, a line with value "y" should be returned.
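The following is an added example, not part of the XCCDF rule or the SCAP Security Guide's own check content. It wraps the grep described above in a POSIX sh function that inspects each installed kernel's build configuration and fails if any of them lacks CONFIG_STRICT_KERNEL_RWX=y. The sample config fragments it writes are constructed for demonstration; on a real system the files live at /boot/config-*.

```shell
#!/bin/sh
# Added example (not part of the XCCDF rule content): verify that every
# installed kernel's build configuration sets CONFIG_STRICT_KERNEL_RWX=y.

# check_strict_kernel_rwx FILE...
# Prints one line per config file and returns 0 only if every file sets
# CONFIG_STRICT_KERNEL_RWX=y. A file where the option is "is not set", has
# another value, or is missing entirely (kernels before 4.11 have no such
# option) counts as a failure.
check_strict_kernel_rwx() {
    rc=0
    [ "$#" -gt 0 ] || { echo "no kernel config files given" >&2; return 1; }
    for cfg in "$@"; do
        if [ ! -r "$cfg" ]; then
            echo "FAIL $cfg: not readable"; rc=1; continue
        fi
        # Anchor on the exact option name so CONFIG_STRICT_KERNEL_RWX_* cannot match
        value=$(sed -n 's/^CONFIG_STRICT_KERNEL_RWX=\(.*\)$/\1/p' "$cfg" | head -n 1)
        if [ "$value" = "y" ]; then
            echo "PASS $cfg: CONFIG_STRICT_KERNEL_RWX=y"
        elif grep -q '^# CONFIG_STRICT_KERNEL_RWX is not set' "$cfg"; then
            echo "FAIL $cfg: CONFIG_STRICT_KERNEL_RWX is not set"; rc=1
        elif [ -n "$value" ]; then
            echo "FAIL $cfg: CONFIG_STRICT_KERNEL_RWX=$value"; rc=1
        else
            echo "FAIL $cfg: option absent (kernel older than 4.11 or option unavailable)"; rc=1
        fi
    done
    return "$rc"
}

# make_sample_configs DIR: writes two constructed config fragments into DIR,
# one compliant and one not, purely for demonstration.
make_sample_configs() {
    printf '%s\n' 'CONFIG_STRICT_KERNEL_RWX=y' 'CONFIG_STRICT_MODULE_RWX=y' > "$1/config-good"
    printf '%s\n' '# CONFIG_STRICT_KERNEL_RWX is not set' > "$1/config-bad"
}

# Stand-alone demo: run against the constructed samples when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_configs "$tmp"
    check_strict_kernel_rwx "$tmp"/config-*
    rm -rf "$tmp"
fi
```

On a live system, source the file and call `check_strict_kernel_rwx /boot/config-*`; a non-zero return means at least one installed kernel was built without the option, which, as the warning below notes, can only be fixed by rebuilding that kernel.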

Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

This provides protection against certain security exploits (e.g., executing the heap or modifying text).

ID
xccdf_org.ssgproject.content_rule_kernel_config_strict_kernel_rwx
Severity
Medium
References
Updated