{"description": "This feature puts, at the beginning of functions, a canary value on the stack just before the\nreturn address, and validates the value just before actually returning.\nThis configuration is available from kernel 4.18.\n\nThe configuration that was used to build kernel is available at <tt>/boot/config-*</tt>.\n    To check the configuration value for <tt>CONFIG_STACKPROTECTOR</tt>, run the following command:\n    <tt>grep CONFIG_STACKPROTECTOR /boot/config-*</tt>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "rationale": "This halts the program when a stack overflow is detected, potentially reducing the impact of\nexploits.", "severity": "medium", "references": {"anssi": ["R15"]}, "control_references": {"anssi": ["R15"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n    <pre>$ grep CONFIG_STACKPROTECTOR /boot/config.*</pre>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Stack Protector buffer overflow detection", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_STACKPROTECTOR", "value": "y"}, "backends": {}}}