CCE-90850-9 | Platform: rhel7,centos7 | Date: (C)2017-06-29 (M)2022-10-10 |
Enable ExecShield
By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield
is enabled; it is off only if the hardware does not support ExecShield
or it has been disabled in '/etc/default/grub'. On Red Hat Enterprise Linux 7
32-bit systems, 'sysctl' can be used to enable ExecShield.
Parameter:
Technical Mechanism:
ExecShield uses the segmentation feature on all x86 systems
to prevent execution in memory higher than a certain address. It
writes an address as a limit in the code segment descriptor, to
control where code can be executed, on a per-process basis. When
the kernel places a process's memory regions such as the stack and
heap higher than this address, the hardware prevents execution in that
address range. This is enabled by default on the latest Red Hat and Fedora
systems if supported by the hardware.
Fix:
#
# Set runtime for kernel.exec-shield
#
sysctl -q -n -w kernel.exec-shield=1
#
# If kernel.exec-shield present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.exec-shield = 1" to /etc/sysctl.conf
#
if grep --silent ^kernel.exec-shield /etc/sysctl.conf ; then
  sed -i 's/^kernel.exec-shield.*/kernel.exec-shield = 1/g' /etc/sysctl.conf
else
  echo "" >> /etc/sysctl.conf
  echo "# Set kernel.exec-shield to 1 per security requirements" >> /etc/sysctl.conf
  echo "kernel.exec-shield = 1" >> /etc/sysctl.conf
fi
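The fix above sets the runtime value and edits '/etc/sysctl.conf', but an audit should confirm what is actually persisted, since sysctl applies the last uncommented assignment of a key. The following check is an added example, not part of this CCE record or its fix script; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CCE record): audit the persisted sysctl setting
# rather than trusting the runtime value alone. Function names are hypothetical.

# persisted_sysctl_value KEY FILE
# Prints the last uncommented assignment of KEY in a sysctl.conf-style FILE
# (later lines win, as in sysctl itself); prints nothing if KEY is absent.
persisted_sysctl_value() {
    awk -v k="$1" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /=/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])  # trim key
            gsub(/^[ \t]+|[ \t]+$/, "", kv[2])  # trim value
            if (kv[1] == k) val = kv[2]         # later assignment overrides
        }
        END { if (val != "") print val }
    ' "$2"
}

# check_exec_shield FILE
# Returns 0 only when FILE persists kernel.exec-shield = 1.
check_exec_shield() {
    [ "$(persisted_sysctl_value kernel.exec-shield "$1")" = "1" ]
}

# Constructed sample: the control FAILS here, because the last uncommented
# assignment sets the value to 0 even though an earlier line set it to 1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sample sysctl.conf (constructed for this example)
kernel.exec-shield = 1
net.ipv4.ip_forward = 0
kernel.exec-shield = 0
#kernel.exec-shield = 1
EOF
if check_exec_shield "$sample"; then
    echo "PASS: kernel.exec-shield persisted as 1"
else
    echo "FAIL: persisted kernel.exec-shield is '$(persisted_sysctl_value kernel.exec-shield "$sample")'"
fi
rm -f "$sample"
```

Point the functions at the real '/etc/sysctl.conf' (and any drop-in under '/etc/sysctl.d/') to audit a host after the fix has been applied.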
References:
Resource Id | Reference
---|---
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:30524
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:31247