{"description": "Supervisor Mode Execution Prevention (SMEP) is a CPU feature that makes the processor fault when it executes code from a user-space page while running in supervisor (kernel) mode. The Linux kernel has supported it since version 3.0 and enables it automatically on hardware that provides it, but it can be turned off with the <tt>nosmep</tt> kernel boot parameter.\n\nEnsure that SMEP is not disabled by the <tt>nosmep</tt> boot parameter.\n\nCheck that the line <pre>GRUB_CMDLINE_LINUX=\"...\"</pre> within <tt>/etc/default/grub</tt>\ndoes not contain the argument <tt>nosmep</tt>.\nRun the following command to remove the argument from the command line of all already installed kernels:\n<pre># grubby --update-kernel=ALL --remove-args=\"nosmep\"</pre>", "rationale": "Disabling SMEP can facilitate exploitation of certain kernel vulnerabilities. With SMEP off, a bug that lets an attacker corrupt a kernel code pointer can redirect execution into attacker-controlled user-space pages (the classic ret2usr technique); with SMEP on, the processor faults instead of running that code.", "severity": "medium", "references": {"anssi": ["R1"]}, "control_references": {"anssi": ["R1"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel is configured to disable SMEP", "ocil": "Make sure that the running kernel was not booted with SMEP disabled:\n<pre>grep -w nosmep /proc/cmdline</pre>\nThen make sure that the argument is not configured for the bootloader default or for any installed kernel:\n<pre>grep -w nosmep /etc/default/grub\ngrubby --info=ALL | grep -w nosmep</pre>\nIf any of these commands prints a line, SMEP is being disabled. Note that <tt>nosmep</tt> is a boot parameter, not a kernel build option, so the <tt>/boot/config-*</tt> files do not record it. SMEP is only effective on processors that support it; <tt>grep -w smep /proc/cpuinfo</tt> prints a line when the CPU advertises the feature.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure SMEP is not disabled during boot", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml", "template": {"name": "grub2_bootloader_argument_absent", "vars": {"arg_name": "nosmep"}, "backends": {}}}
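The check and remediation the rule describes, as an added POSIX shell example that is not part of the SCAP Security Guide rule content. It shows how to test a kernel command line and a /etc/default/grub file for the nosmep argument with a whole-word match (so a token that merely contains the string does not count), how to rewrite GRUB_CMDLINE_LINUX with the argument removed while leaving every other line intact, and how to audit a live host with /proc/cmdline, /etc/default/grub and grubby --info=ALL. The SAMPLE_CMDLINE and SAMPLE_GRUB values are constructed inputs, not captures from a real system; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): detect and strip the "nosmep"
# kernel argument. Functions take their input as arguments so they can run on
# constructed strings; audit_host reads the real files on the current machine.

# Return 0 if the given command line contains "nosmep" as a whole word.
has_nosmep() {
    printf '%s\n' "$1" | grep -qw 'nosmep'
}

# Print the space-separated argument string with every "nosmep" token removed.
# All other arguments keep their order; surrounding whitespace is normalised.
strip_nosmep() {
    out=""
    for tok in $1; do
        [ "$tok" = "nosmep" ] && continue
        out="${out:+$out }$tok"
    done
    printf '%s' "$out"
}

# Given the text of /etc/default/grub, print it with "nosmep" removed from
# the GRUB_CMDLINE_LINUX line. Every other line is printed unchanged.
fix_grub_default() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            GRUB_CMDLINE_LINUX=*)
                value=${line#GRUB_CMDLINE_LINUX=}
                value=${value#\"}
                value=${value%\"}
                printf 'GRUB_CMDLINE_LINUX="%s"\n' "$(strip_nosmep "$value")"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# Constructed sample inputs (assumed values, not captured from a real host).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-5.14.0 root=/dev/mapper/rhel-root ro nosmep quiet'
SAMPLE_GRUB='GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb nosmep quiet"
GRUB_DISABLE_RECOVERY="true"'

# Live audit of the current machine: running kernel, bootloader default and
# every installed kernel entry. Returns 0 when nosmep is absent everywhere.
audit_host() {
    rc=0
    if has_nosmep "$(cat /proc/cmdline)"; then
        echo "FAIL: running kernel was booted with nosmep"; rc=1
    fi
    if [ -r /etc/default/grub ] && grep -qw 'nosmep' /etc/default/grub; then
        echo "FAIL: /etc/default/grub contains nosmep"; rc=1
    fi
    if command -v grubby >/dev/null 2>&1 \
       && grubby --info=ALL 2>/dev/null | grep -qw 'nosmep'; then
        echo "FAIL: an installed kernel entry contains nosmep"
        echo "  fix: grubby --update-kernel=ALL --remove-args=\"nosmep\""; rc=1
    fi
    if ! grep -qw 'smep' /proc/cpuinfo 2>/dev/null; then
        echo "NOTE: this CPU does not advertise SMEP; the kernel cannot use it"
    fi
    return $rc
}

# Demonstration on the constructed inputs.
if has_nosmep "$SAMPLE_CMDLINE"; then
    echo "sample command line disables SMEP"
fi
fix_grub_default "$SAMPLE_GRUB"
```

audit_host only reports; writing the corrected text back to /etc/default/grub and regenerating grub.cfg (or running the grubby command the rule gives) is left to the operator, since that step needs root and a reboot to take effect.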