AlmaLinux OS 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-269449 | ALMA-09-044570 | SV-269449r1050620_rule | CCI-002824 | medium |
| Description | ||||
| ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places the memory regions of a process, such as the stack and heap, higher than this address, the hardware prevents execution in that address range. | ||||
| STIG | Date | |||
| CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide | 2025-05-22 | |||
Details
Check Text (C-269449r1050620_chk)
Verify ExecShield is enabled on 64-bit AlmaLinux OS 9 systems with the following command:
$ dmesg | grep '[NX|DX]*protection'
[ 0.000000] NX (Execute Disable) protection: active
If "dmesg" does not show "NX (Execute Disable) protection active", this is a finding.
Fix Text (F-73381r1048724_fix)
Update the GRUB 2 bootloader configuration to ensure the noexec kernel parameter is not enabled using the following command:
$ grubby --update-kernel=ALL --remove-args=noexec
Enable the NX bit execute protection in the system BIOS.