{"description": "Linux can allow user programs to install a per-process x86 Local Descriptor Table (LDT) using\nthe modify_ldt(2) system call. This is required to run 16-bit or segmented code such as DOSEMU\nor some Wine programs. It is also used by some very old threading libraries.\nThis configuration option exists from kernel 4.3, but may also be available on older kernels if backported\nby distros.\n\nDisable the LDT if 16-bit program emulation is not necessary.\n\nThe configuration that was used to build the kernel is available at <tt>/boot/config-*</tt>.\n    To check the configuration value for <tt>CONFIG_MODIFY_LDT_SYSCALL</tt>, run the following command:\n    <tt>grep CONFIG_MODIFY_LDT_SYSCALL /boot/config-*</tt>\n    \n    Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n    lines should be returned.\n    ", "rationale": "Disabling support for unnecessary code reduces attack surface.", "severity": "medium", "references": {"anssi": ["R25"]}, "control_references": {"anssi": ["R25"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n    <pre>$ grep CONFIG_MODIFY_LDT_SYSCALL /boot/config-*</pre>\n    \n    Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n    lines should be returned.\n    ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "x86_64_arch", "platforms": ["x86_64_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["x86_64_arch"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": 
"Disable the LDT (local descriptor table)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_modify_ldt_syscall/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_MODIFY_LDT_SYSCALL", "value": "n"}, "backends": {}}}