Warn on W+X mappings found at boot

An XCCDF Rule

Description

Generate a warning if any W+X mappings are found at boot. This configuration is available from kernel 5.8. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_WX, run the following command: grep CONFIG_DEBUG_WX /boot/config-* For each kernel installed, a line with value "y" should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

This is useful for discovering cases where the kernel is leaving W+X mappings after applying NX, as such mappings are a security risk. Note that even if the check fails, your kernel is possibly still fine, as W+X mappings are not a security hole in themselves, what they do is that they make the exploitation of other unfixed kernel bugs easier.

ID: xccdf_org.ssgproject.content_rule_kernel_config_debug_wx
Severity: Medium
References: BP28(R15)
Updated: about 1 year ago