Enable ExecShield via sysctl

An XCCDF Rule

Description

By default on Red Hat Enterprise Linux 8 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in /etc/default/grub.

Rationale

ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.

ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield
Severity: Medium
References: 12 15 8

APO13.01 DSS05.02

3.1.7

CCI-002530

164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e)

SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

A.13.1.1 A.13.2.1 A.14.1.3

CM-6(a) SC-39

PR.PT-4

SRG-OS-000433-GPOS-00192

CCE-80914-5
Updated: about 1 year ago

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --remove-args="noexec"
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80914-5
  - NIST-800-171-3.1.7  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-39
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
  - sysctl_kernel_exec_shield

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

grubby --update-kernel=ALL --remove-args=noexec --env=/boot/grub2/grubenv

else    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable ExecShield via sysctl

Description

Rationale

Remediation - Ansible

Remediation - Shell Script