Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
System Settings
Kernel Configuration
Disable the LDT (local descriptor table)
Disable the LDT (local descriptor table)
An XCCDF Rule
Details
Profiles
Prose
Disable the LDT (local descriptor table)
Medium Severity
Linux can allow user programs to install a per-process x86 Local Descriptor Table (LDT) using the modify_ldt(2) system call. This is required to run 16-bit or segmented code such as DOSEMU or some Wine programs. It is also used by some very old threading libraries. This configuration is available from kernel 4.3, but may be available if backported by distros. Disable LDT if 16-bit program emulation is not necessary. The configuration that was used to build kernel is available at
/boot/config-*
. To check the configuration value for
CONFIG_MODIFY_LDT_SYSCALL
, run the following command:
grep CONFIG_MODIFY_LDT_SYSCALL /boot/config-*
Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.