Ensure SMEP is not disabled during boot
An XCCDF Rule
Description
Supervisor Mode Execution Prevention (SMEP) prevents the kernel, running in supervisor mode, from executing user-space code. It is enabled by default since Linux kernel 3.0, but it can be disabled through kernel boot parameters. Ensure that SMEP is not disabled by the nosmep boot parameter.
Check that the line GRUB_CMDLINE_LINUX="..." within /etc/default/grub doesn't contain the argument nosmep.
Run the following command to update the command line for already installed kernels:
# grubby --update-kernel=ALL --remove-args="nosmep"
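An added audit script for this rule (example code, not part of the SSG rule content): it extracts the GRUB_CMDLINE_LINUX value from a grub defaults file and tests it for nosmep as a whole argument, the way the check above describes. It also inspects GRUB_CMDLINE_LINUX_DEFAULT and the running kernel's /proc/cmdline, which go beyond the rule text, because an argument added only to an installed kernel's entry does not show up in /etc/default/grub.

```shell
#!/bin/sh
# Added example, not part of the SSG rule: audit grub defaults and the
# running kernel for the nosmep argument.

# Print the value of a GRUB_CMDLINE_LINUX* variable from a grub defaults
# file, without the surrounding quotes. The file is sourced by grub2-mkconfig,
# so the last assignment wins; mirror that by keeping only the last match.
grub_cmdline_value() {
    _file=$1
    _var=$2
    grep -E "^[[:space:]]*${_var}=" "$_file" 2>/dev/null |
        tail -n 1 |
        sed -e 's/^[^=]*=//' -e "s/^[\"']//" -e "s/[\"'][[:space:]]*\$//"
}

# Return 0 when nosmep appears as its own argument in a kernel command line
# string, 1 otherwise. -w keeps a longer token that merely contains the
# letters (e.g. a hypothetical "nosmepfoo") from matching.
cmdline_has_nosmep() {
    printf '%s\n' "$1" | grep -qw 'nosmep'
}

# Audit a grub defaults file (default /etc/default/grub). Returns 0 (pass)
# when neither GRUB_CMDLINE_LINUX nor GRUB_CMDLINE_LINUX_DEFAULT carries
# nosmep, 1 (fail) otherwise, naming the offending variable.
audit_grub_nosmep() {
    _file=${1:-/etc/default/grub}
    _rc=0
    for _var in GRUB_CMDLINE_LINUX GRUB_CMDLINE_LINUX_DEFAULT; do
        _val=$(grub_cmdline_value "$_file" "$_var")
        if cmdline_has_nosmep "$_val"; then
            echo "FAIL: $_var in $_file contains nosmep: \"$_val\""
            _rc=1
        fi
    done
    return $_rc
}

# Audit the kernel that is actually running: the defaults file only feeds
# future grub2-mkconfig runs, while /proc/cmdline shows what was booted.
audit_running_kernel() {
    if cmdline_has_nosmep "$(cat /proc/cmdline)"; then
        echo "FAIL: running kernel was booted with nosmep"
        return 1
    fi
    return 0
}
```

Run `audit_grub_nosmep /etc/default/grub && audit_running_kernel` as root; a non-zero exit means the rule would fail and the grubby remediation above should be applied.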
Rationale
Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows the kernel to unintentionally execute code in less privileged memory space.
- ID
- xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent
- Severity
- Medium
- References
- Updated