Stack Protector buffer overlow detection

An XCCDF Rule

Details
Profiles
Prose

Description

This feature puts, at the beginning of functions, a canary value on the stack just before the return address, and validates the value just before actually returning. This configuration is available from kernel 4.18. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_STACKPROTECTOR, run the following command: grep CONFIG_STACKPROTECTOR /boot/config-* For each kernel installed, a line with value "y" should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

This halts the program when a stack overflow is detected, potentially reducing the impact of exploits.

ID: xccdf_org.ssgproject.content_rule_kernel_config_stackprotector
Severity: Medium
References: BP28(R15)

CCE-88055-9
Updated: about 1 year ago