{"description": "By default on Ubuntu 22.04 64-bit systems, ExecShield (the hardware NX/XD no-execute protection) is\nenabled whenever the processor supports it. It is only off if the hardware lacks the NX feature,\nif NX/XD has been disabled in the BIOS or UEFI setup, or if the kernel was booted with\n<tt>noexec=off</tt>, which is normally set via <tt>/etc/default/grub</tt>.\n\n\n\nFor Ubuntu 22.04 32-bit systems whose kernel provides the <tt>kernel.exec-shield</tt> parameter, <tt>sysctl</tt> can be used to enable\nExecShield.", "rationale": "ExecShield uses the segmentation feature on 32-bit x86 systems to prevent\nexecution in memory higher than a certain address. It writes an address as\na limit in the code segment descriptor, to control where code can be\nexecuted, on a per-process basis. When the kernel places a process's memory\nregions such as the stack and heap higher than this address, the hardware\nprevents execution in that address range. On 64-bit x86 systems the same\nprotection comes from the processor's NX (Execute Disable) page-table bit,\nwhich marks data regions such as the stack and heap non-executable; the\nkernel enables it by default when the hardware supports it.", "severity": "medium", "references": {"cis-csc": ["12", "15", "8"], "cobit5": ["APO13.01", "DSS05.02"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)", "164.308(a)(4)", "164.310(b)", "164.310(c)", "164.312(a)", "164.312(e)"], "isa-62443-2013": ["SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.13.1.1", "A.13.2.1", "A.14.1.3"], "nist": ["SC-39", "CM-6(a)"], "nist-csf": ["PR.PT-4"], "srg": ["SRG-OS-000433-GPOS-00192"], "ism": ["1409"]}, "control_references": {"ism": ["1409"]}, "components": [], "identifiers": {}, "ocil_clause": "ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration.", "ocil": "To verify ExecShield is enabled on 64-bit Ubuntu 22.04 systems,\nrun the following command (Ubuntu restricts <tt>dmesg</tt> to root):\n<pre>$ sudo dmesg | grep 'NX (Execute Disable) protection'</pre>\nThe output should report <tt>active</tt> and must not contain <tt>'disabled by kernel command line option'</tt>.\nBecause <tt>dmesg</tt> reads a ring buffer, the line may already have been overwritten on a\nlong-running system; in that case rely on the CPU flag and command line checks below instead.\nInspect the default GRUB 2 command line for the Linux operating system\nin <tt>/etc/default/grub</tt>. If either <tt>GRUB_CMDLINE_LINUX</tt> or <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt>\nincludes <tt>noexec=off</tt>, NX will be disabled for newly installed kernels.\n<tt>GRUB_CMDLINE_LINUX</tt> is added to every menu entry, including the recovery entries, while\n<tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> is added only to the normal entries, so both must be checked:\n<pre>$ sudo grep -E '^GRUB_CMDLINE_LINUX(_DEFAULT)?=.*noexec' /etc/default/grub</pre>\nThis command should not return any output.\nMoreover, the current GRUB configuration file <tt>grub.cfg</tt> must be checked. On Ubuntu the file is\n<tt>/boot/grub/grub.cfg</tt> on both legacy BIOS and UEFI systems.\nIf a kernel line includes <tt>noexec=off</tt>, then the parameter\nis configured at boot time.\n<pre>$ sudo grep vmlinuz /boot/grub/grub.cfg | grep -w noexec</pre>\nThis command should not return any output.\nFinally, confirm that the running kernel was not booted with the option:\n<pre>$ grep -w noexec /proc/cmdline</pre>\nThis command should not return any output either.\n\n\n\nFor 32-bit Ubuntu 22.04 systems, run the following command:\n<pre>$ sysctl kernel.exec-shield</pre>\nThe output should be:\n<pre>kernel.exec-shield = 1</pre>\nTo set the runtime status of the <code>kernel.exec-shield</code> kernel parameter,\nrun the following command:\n<pre>$ sudo sysctl -w kernel.exec-shield=1</pre>\n\nTo make sure that the setting is persistent,\nadd the following line to a file in the directory <tt>/etc/sysctl.d</tt>:\n<pre>kernel.exec-shield = 1</pre>\nNote that <tt>kernel.exec-shield</tt> comes from Red Hat's Exec Shield kernel patch and is not present in\nstock Ubuntu kernels, where <tt>sysctl</tt> reports that the key does not exist; this rule's platform\nis x86_64, so on Ubuntu the NX checks above are the ones that apply.", "oval_external_content": null, "fixtext": "On a 64-bit Ubuntu 22.04 system update the GRUB bootloader configuration.\n\nUpdate the GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT lines in '/etc/default/grub' so that they do not contain any occurrence of noexec using the following command:\n\n$ sudo sed -i -E 's/(^GRUB_CMDLINE_LINUX(_DEFAULT)?=\".*)noexec=?[^[:space:]\"]* ?(.*\")/\\1\\3/' /etc/default/grub\n\nThen regenerate grub.cfg for all installed kernels:\n\n$ sudo update-grub\n\nThe change takes effect at the next boot; afterwards 'grep -w noexec /proc/cmdline' should return nothing.\n\n\nOn a 32-bit Ubuntu 22.04 system, run the following command:\n\n$ sudo sysctl -q -n -w kernel.exec-shield=1\n\nThen, add or edit 
the following line in \"/etc/sysctl.conf\":\n\nkernel.exec-shield = 1", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must implement nonexecutable data to protect its memory from unauthorized code execution.", "vuldiscussion": "ExecShield uses the segmentation feature on 32-bit x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. On 64-bit x86 systems the same protection comes from the processor's NX (Execute Disable) page-table bit, which the kernel enables by default when the hardware supports it.\n\nChecking dmesg can produce a spurious finding: once the system has generated enough kernel messages, the \"NX (Execute Disable) protection: active\" line is no longer present in the output from dmesg(1). A better way to ensure that ExecShield is enabled is to first ensure all processors support the NX feature, and then to check that noexec was not passed to the kernel command line.", "checktext": "Verify ExecShield is enabled on 64-bit Ubuntu 22.04 systems.\n\nRun the following command:\n\n$ grep ^flags /proc/cpuinfo | grep -Ev '([^[:alnum:]])(nx)([^[:alnum:]]|$)'\n\nIf any output is returned, this is a finding.\n\nNext, verify that noexec is not on the kernel command line. Where grubby is installed, run the following command:\n\n$ sudo grubby --info=ALL | grep args | grep -E '([^[:alnum:]])(noexec)([^[:alnum:]]|$)'\n\nIf any output is returned, this is a finding.\n\ngrubby is not part of a default Ubuntu installation. Without it, check the running kernel and the generated GRUB configuration directly:\n\n$ grep -w noexec /proc/cmdline\n$ sudo grep vmlinuz /boot/grub/grub.cfg | grep -w noexec\n\nIf either command returns any output, this is a finding.", "fixtext": "If /proc/cpuinfo shows that one or more processors do not enable ExecShield (lack the \"nx\" feature flag), verify that the NX/XD feature is not disabled in the BIOS or UEFI setup. If it is disabled, enable it.\n\nIf the noexec option is present on the kernel command line, update the GRUB 2 bootloader configuration to remove it. Where grubby is installed, run the following command:\n\n$ sudo grubby --update-kernel=ALL --remove-args=noexec\n\nOn Ubuntu systems without grubby, remove every noexec option from GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, then regenerate the configuration and reboot:\n\n$ sudo update-grub"}}, "platform": "system_with_kernel and x86_64_arch", "platforms": ["system_with_kernel and x86_64_arch"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel_and_x86_64_arch"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enable ExecShield via sysctl", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml", "template": null}
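The checks and the fix described in the ocil, checktext and fixtext above, collected into one shell audit as an added example. This script is not part of the SCAP Security Guide rule or of the STIG text; the /proc/cpuinfo, /proc/cmdline, grub.cfg and /etc/default/grub contents below are constructed samples, and the function names are the example's own. The functions take file contents as arguments so the same code runs against captured evidence as well as against the live host (the --live flag).

```sh
#!/bin/sh
# Added example (not from the SSG rule or the STIG): the NX / ExecShield
# checks on this page as functions that take file *contents*, so they run
# against constructed text here and against the live system via --live.

# Constructed samples, labelled as such; not captured from a real host.
SAMPLE_CPUINFO_OK='processor   : 0
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep nx lm constant_tsc
processor   : 1
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep nx lm constant_tsc'
SAMPLE_CPUINFO_BAD='processor   : 0
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep nx lm constant_tsc
processor   : 1
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep lm constant_tsc'
SAMPLE_CMDLINE_OK='BOOT_IMAGE=/boot/vmlinuz-5.15.0-91-generic root=UUID=0000-0000 ro quiet splash'
SAMPLE_CMDLINE_BAD='BOOT_IMAGE=/boot/vmlinuz-5.15.0-91-generic root=UUID=0000-0000 ro quiet noexec=off splash'
SAMPLE_GRUB_CFG_BAD="menuentry 'Ubuntu' {
    linux   /boot/vmlinuz-5.15.0-91-generic root=UUID=0000-0000 ro quiet noexec=off splash \$vt_handoff
    initrd  /boot/initrd.img-5.15.0-91-generic
}"
SAMPLE_DEFAULT_GRUB='GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet noexec=off splash"
GRUB_CMDLINE_LINUX="noexec=off"'
SAMPLE_DEFAULT_GRUB_FIXED='GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""'

# True when at least one "flags" line exists and every one of them lists
# nx as a whole word (the STIG /proc/cpuinfo check). Requiring a flags
# line guards against silently passing on non-x86 input.
cpuinfo_all_have_nx() {
    total=$(printf '%s\n' "$1" | grep -c '^flags' || true)
    missing=$(printf '%s\n' "$1" | grep '^flags' \
        | grep -Ev '(^|[^[:alnum:]])nx([^[:alnum:]]|$)' | wc -l)
    [ "$total" -gt 0 ] && [ "$missing" -eq 0 ]
}

# True when a kernel command line carries a noexec token in any form
# (noexec, noexec=on, noexec=off). Only noexec=off disables NX, but the
# fix on this page removes every occurrence, so all are flagged.
cmdline_has_noexec() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])noexec(=[^[:space:]]*)?([[:space:]]|$)'
}

# Same test over a generated grub.cfg, restricted to the kernel ("vmlinuz")
# lines as in the check text above.
grub_cfg_has_noexec() {
    cmdline_has_noexec "$(printf '%s\n' "$1" | grep vmlinuz)"
}

# True when GRUB_CMDLINE_LINUX or GRUB_CMDLINE_LINUX_DEFAULT in
# /etc/default/grub carries noexec; the token may directly follow the
# opening quote, so a quote counts as a separator here.
default_grub_has_noexec() {
    printf '%s\n' "$1" \
        | grep -Eq '^GRUB_CMDLINE_LINUX(_DEFAULT)?=.*[[:space:]"]noexec(=|[[:space:]"]|$)'
}

# Emit /etc/default/grub with noexec[=value] removed from both variables:
# the sed from the fix text, as an ERE so the optional "=value" is really
# optional (in a BRE the "?" would be a literal question mark).
strip_noexec_from_default_grub() {
    printf '%s\n' "$1" \
        | sed -E 's/(^GRUB_CMDLINE_LINUX(_DEFAULT)?=".*)noexec=?[^[:space:]"]* ?(.*")/\1\3/'
}

# Run every check on this host (root is needed where grub.cfg is 0600).
# Returns non-zero if anything fails; the fix is update-grub after editing.
audit_live_system() {
    rc=0
    cpuinfo_all_have_nx "$(cat /proc/cpuinfo)" \
        && echo "PASS: every CPU reports nx" \
        || { echo "FAIL: a CPU lacks nx; check NX/XD in BIOS/UEFI"; rc=1; }
    cmdline_has_noexec "$(cat /proc/cmdline)" \
        && { echo "FAIL: running kernel booted with noexec"; rc=1; } \
        || echo "PASS: /proc/cmdline has no noexec"
    default_grub_has_noexec "$(cat /etc/default/grub)" \
        && { echo "FAIL: /etc/default/grub sets noexec"; rc=1; } \
        || echo "PASS: /etc/default/grub is clean"
    grub_cfg_has_noexec "$(cat /boot/grub/grub.cfg)" \
        && { echo "FAIL: grub.cfg boots kernels with noexec"; rc=1; } \
        || echo "PASS: /boot/grub/grub.cfg is clean"
    return "$rc"
}

# Only touch the live system when asked, so the file can be sourced for
# its functions without side effects.
if [ "${1:-}" = "--live" ]; then
    audit_live_system
fi
```

Run it as `sudo sh nx_check.sh --live` on the target (the file name is assumed). The sed in strip_noexec_from_default_grub is the fix-text command written as an extended regular expression: in the basic-regex form the `?` after `noexec=` is a literal character, so that version never matches a real `noexec=off` and silently changes nothing.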