Enable ExecShield via sysctl
An XCCDF Rule
Description
By default on SUSE Linux Enterprise 15 64-bit systems, ExecShield is
enabled and can only be disabled if the hardware does not support
ExecShield or is disabled in /etc/default/grub
.
For SUSE Linux Enterprise 15 32-bit systems, sysctl
can be used to enable
ExecShield.
Rationale
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if [ "$(getconf LONG_BIT)" = "32" ] ; then
#
# Set runtime for kernel.exec-shield
Remediation - Ansible
- name: Set 32bit architecture for kernel exec-shield tasks
set_fact:
kexec_arch: b32
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-91417-6