Enable ExecShield via sysctl

An XCCDF Rule

Description

By default on SUSE Linux Enterprise 12 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in /etc/default/grub. For SUSE Linux Enterprise 12 32-bit systems, sysctl can be used to enable ExecShield.

Rationale

ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.

ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield
Severity: Medium
References: 12 15 8

APO13.01 DSS05.02

3.1.7

CCI-002530

164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e)

SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

A.13.1.1 A.13.2.1 A.14.1.3

CM-6(a) SC-39

PR.PT-4

SRG-OS-000433-GPOS-00192

CCE-91562-9
Updated: about 1 year ago

- name: Set 32bit architecture for kernel exec-shield tasks
  set_fact:
    kexec_arch: b32
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91562-9  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-39
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
  - sysctl_kernel_exec_shield

- name: Set 64bit architecture for kernel exec-shield tasks
  set_fact:
    kexec_arch: b64
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
    == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
  - CCE-91562-9
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-39
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
  - sysctl_kernel_exec_shield

- name: Ensure sysctl kernel.exec-shield is set to 1
  sysctl:
    name: kernel.exec-shield
    value: '1'
    state: present
    reload: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - kexec_arch == "b32"
  tags:
  - CCE-91562-9
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-39
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
  - sysctl_kernel_exec_shield

- name: Check noexec argument exists
  command: grep '^GRUB_CMDLINE_LINUX=.*noexec=.*"' /etc/default/grub
  failed_when: false
  register: argcheck
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - kexec_arch == "b64"
  tags:
  - CCE-91562-9
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-39
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
  - sysctl_kernel_exec_shield

- name: Replace existing noexec argument
  replace:
    path: /etc/default/grub
    regexp: \(^GRUB_CMDLINE_LINUX=".*\)noexec=?[^[:space:]]*\(.*"\)
    replace: \1 \2
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - argcheck is not skipped
  - argcheck.rc == 0
  - kexec_arch == "b64"
  tags:
  - CCE-91562-9
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-39
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
  - sysctl_kernel_exec_shield

- name: Update grub defaults and the bootloader menu
  command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - kexec_arch == "b64"
  tags:
  - CCE-91562-9
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-39
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
  - sysctl_kernel_exec_shield

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ "$(getconf LONG_BIT)" = "32" ] ; then
  #
  # Set runtime for kernel.exec-shield  #
  sysctl -q -n -w kernel.exec-shield=1

  #
  # If kernel.exec-shield present in /etc/sysctl.conf, change value to "1"
  #	else, add "kernel.exec-shield = 1" to /etc/sysctl.conf
  #
  # Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.exec-shield")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.exec-shield\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^kernel.exec-shield\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    if [[ -s "/etc/sysctl.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/sysctl.conf" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/sysctl.conf"
    fi
    cce="CCE-91562-9"
    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi
fi

if [ "$(getconf LONG_BIT)" = "64" ] ; then
    

# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*noexec=.*"'  '/etc/default/grub' ; then
       sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)noexec=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
fi
grub2-mkconfig -o /boot/grub2/grub2.cfg

fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable ExecShield via sysctl

Description

Rationale

Remediation - Ansible

Remediation - Shell Script