{"description": "Reboot the system and enter the BIOS or Setup configuration menu.\nNavigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located\nunder a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)\non AMD-based systems.", "rationale": "Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will\nallow users to turn the feature on or off at will.", "severity": "medium", "references": {"cis-csc": ["11", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05"], "cui": ["3.1.7"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["SC-39", "CM-6(a)"], "nist-csf": ["PR.IP-1"], "srg": ["SRG-OS-000433-GPOS-00192", "SRG-APP-000450-CTR-001105"], "pcidss4": ["2.2.1", "2.2"], "stigid": ["UBTU-22-213025"], "stigref": ["SV-260475r958928_rule"]}, "control_references": {"pcidss4": ["2.2.1", "2.2"], "stigid": ["UBTU-22-213025"]}, "components": [], "identifiers": {}, "ocil_clause": "NX is disabled", "ocil": "Verify the NX (no-execution) bit flag is set on the system.\n\nCheck that the no-execution bit flag is set with the following commands:\n\n$ sudo dmesg | grep NX\n\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf \"dmesg\" does not show \"NX (Execute Disable) protection\" active, check the cpuinfo settings with the following command:\n\n$ sudo grep flags /proc/cpuinfo\nflags : fpu vme de pse tsc ms nx rdtscp lm constant_ts\n\nThe output should contain the \"nx\" flag.", "oval_external_content": null, "fixtext": "The NX bit execute protection must be enabled in the system BIOS.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must implement non-executable data to protect its memory from unauthorized code execution.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must implement non-executable data to protect its memory from unauthorized code execution.", "vuldiscussion": "ExecShield uses the segmentation feature on all x86 systems to prevent\nexecution in memory higher than a certain address. It writes an address as\na limit in the code segment descriptor, to control where code can be\nexecuted, on a per-process basis. When the kernel places a process's memory\nregions such as the stack and heap higher than this address, the hardware\nprevents execution in that address range. This is enabled by default on the\nlatest Red Hat and Fedora systems if supported by the hardware.", "checktext": "Verify the NX (no-execution) bit flag is set on the system.\n\nCheck that the no-execution bit flag is set with the following commands:\n\n$ sudo dmesg | grep NX\n\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf \"dmesg\" does not show \"NX (Execute Disable) protection\" active, check the cpuinfo settings with the following command:\n\n$ sudo grep -i flags /proc/cpuinfo\nflags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a finding.", "fixtext": "Update the GRUB 2 bootloader configuration.\n\nRun the following command:\n\n$ sudo grubby --update-kernel=ALL --remove-args=noexec"}}, "platform": "machine", "platforms": ["machine"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["machine"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enable NX or XD Support in the BIOS", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml", "template": null}