The system must use available memory address randomization techniques.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22576	GEN008420	SV-38831r1_rule	ECSC-1	Low

Description
Successful exploitation of buffer overflow vulnerabilities relies in some measure to having a predictable address structure of the executing program. Address randomization techniques reduce the probability of a successful exploit.

STIG	Date
AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE	2017-12-08

Details

Check Text ( C-37086r1_chk )
Running the sedmgr command without any options will show the settings currently in effect. #sedmgr If the value returned for the sedmgr mode is off, this is a finding.

Fix Text (F-32358r1_fix)
Configure the system to use any available memory address randomization techniques. Recommended settings are either to enable stack execution disablement for all suid files or select system executables. Set sedmgr to enforce on selected files and terminate processes violating stack execution boundaries. # sedmgr -m select -o off OR Set sedmgr to enforce on setid files and terminate processes violating stack execution boundaries. # sedmgr -m setidfiles -o off After a global system change to the sed, the system should be rebooted. # shutdown -Fr

Fix Text (F-32358r1_fix)

Configure the system to use any available memory address randomization techniques. Recommended settings are either to enable stack execution disablement for all suid files or select system executables.

Set sedmgr to enforce on selected files and terminate processes violating stack execution boundaries.
# sedmgr -m select -o off

OR

Set sedmgr to enforce on setid files and terminate processes violating stack execution boundaries.
# sedmgr -m setidfiles -o off

After a global system change to the sed, the system should be rebooted.
# shutdown -Fr