UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.


Overview

Finding ID Version Rule ID IA Controls Severity
V-257817 RHEL-09-213110 SV-257817r958928_rule Medium
Description
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.
STIG Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide 2024-06-04

Details

Check Text ( C-61558r925436_chk )
Verify ExecShield is enabled on 64-bit RHEL 9 systems with the following command:

$ sudo dmesg | grep '[NX|DX]*protection'

[ 0.000000] NX (Execute Disable) protection: active

If "dmesg" does not show "NX (Execute Disable) protection" active, this is a finding.
Fix Text (F-61482r925437_fix)
Update the GRUB 2 bootloader configuration.

Run the following command:

$ sudo grubby --update-kernel=ALL --remove-args=noexec