UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.


Overview

Finding ID Version Rule ID IA Controls Severity
V-257568 CNTR-OS-000860 SV-257568r921647_rule Medium
Description
The NX bit is a hardware feature that prevents the execution of code from data memory regions. By enabling NX bit execute protection, OpenShift ensures that malicious code or exploits cannot execute from areas of memory that are intended for data storage. This helps protect against various types of buffer overflow attacks, where an attacker attempts to inject and execute malicious code in data memory.
STIG Date
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide 2023-08-28

Details

Check Text ( C-61303r921645_chk )
Verify the NX (no-execution) bit flag is set on the system by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; dmesg | grep Execute ' 2>/dev/null; done

Example Output:([ 0.000000] NX (Execute Disable) protection: active)

If "dmesg" does not show "NX (Execute Disable) protection active", check the cpuinfo settings by executing the following command:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; less /proc/cpuinfo | grep 'nx' /proc/cpuinfo | uniq' 2>/dev/null; done

(Example Output: flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc...)

If "flags" does not contain the "nx" flag, this is a finding.
Fix Text (F-61227r921646_fix)
The NX bit execute protection must be enabled in the system BIOS. The nodes must be reinstalled. Follow the steps found here for more information:
https://access.redhat.com/solutions/2936741