AlmaLinux OS 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-269449 | ALMA-09-044570 | SV-269449r1050620_rule | | Medium |
| Description |
| ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places the memory regions of a process, such as the stack and heap, higher than this address, the hardware prevents execution in that address range. Note that this description is historical: the ExecShield kernel patch (and its kernel.exec-shield sysctl) is not part of the AlmaLinux OS 9 kernel. On x86-64 the same guarantee comes from the processor's NX (Execute Disable) bit applied through the page tables, which is what the check below verifies. |
| STIG | Date |
| CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide | 2025-05-22 |
Details
| Check Text (C-73480r1049725_chk) |
Verify ExecShield is enabled on 64-bit AlmaLinux OS 9 systems with the following command:

$ dmesg | grep '[NX|DX]*protection'
[    0.000000] NX (Execute Disable) protection: active

If "dmesg" does not show "NX (Execute Disable) protection: active", this is a finding.

Two practical caveats: the bracket expression '[NX|DX]*' matches any line containing "protection", so grepping for the fixed string "NX (Execute Disable) protection: active" is more precise; and because the dmesg ring buffer can wrap on a long-running host, "journalctl -k" is a more reliable source of the boot-time kernel messages.
| Fix Text (F-73381r1048724_fix) |
Update the GRUB 2 bootloader configuration to ensure the noexec kernel parameter is not set, using the following command:

$ grubby --update-kernel=ALL --remove-args=noexec

Enable the NX bit execute protection in the system BIOS (the firmware option is vendor-specific; it is commonly labelled "Execute Disable Bit" or "XD" on Intel platforms and "NX" or "No-Execute Memory Protect" on AMD platforms). Both changes take effect only after a reboot. "noexec=off" is the value that actually disables NX; the fix removes the parameter entirely so the kernel default (enabled) applies.
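The check and fix above can be reduced to three inputs: the kernel log, the CPU flags, and the kernel command line (running and configured). The script below is an added example and is not part of the STIG or of AlmaLinux; it evaluates those inputs with fixed-string and token matching rather than the STIG's loose grep pattern, runs offline against constructed sample data (the sample lines are made up, not captured from a host), and with `--live` reads the real host via journalctl/dmesg, /proc, and `grubby --info=ALL`. The function and variable names are the author's own.

```shell
#!/usr/bin/env bash
# Added example (not STIG or vendor code): V-269449 NX check as a script.
# Names (kernel_log_nx_active, assess_nx, ...) are this example's own.

# Exact line the x86 kernel prints at boot when the NX bit is in use.
NX_ACTIVE_LINE='NX (Execute Disable) protection: active'

# Return 0 if the kernel log text in $1 reports NX protection active.
# Fixed-string match: the STIG's '[NX|DX]*protection' is a bracket
# expression that matches any line containing "protection".
kernel_log_nx_active() {
    printf '%s\n' "$1" | grep -qF "$NX_ACTIVE_LINE"
}

# Return 0 if the /proc/cpuinfo text in $1 lists the nx flag, i.e. the
# firmware exposes the feature. Absent here means a BIOS/UEFI setting.
cpuinfo_has_nx() {
    printf '%s\n' "$1" | grep -qE '^flags[[:space:]]*:.*[[:space:]]nx([[:space:]]|$)'
}

# Return 0 if the kernel command line in $1 carries a noexec parameter.
# The STIG fix removes it; noexec=off is the value that turns NX off.
cmdline_has_noexec() {
    local tok
    for tok in $1; do
        case "$tok" in
            noexec|noexec=*) return 0 ;;
        esac
    done
    return 1
}

# Evaluate one host's data: prints findings, returns 0 when compliant.
assess_nx() {
    local klog="$1" cpuinfo="$2" cmdline="$3" rc=0
    if ! kernel_log_nx_active "$klog"; then
        echo "FINDING: kernel log lacks '$NX_ACTIVE_LINE'"; rc=1
    fi
    if ! cpuinfo_has_nx "$cpuinfo"; then
        echo "FINDING: nx flag absent from /proc/cpuinfo (enable NX/XD in firmware)"; rc=1
    fi
    if cmdline_has_noexec "$cmdline"; then
        echo "FINDING: noexec on kernel command line (grubby --update-kernel=ALL --remove-args=noexec)"; rc=1
    fi
    return $rc
}

# Live mode: journalctl -k survives dmesg ring-buffer wrap; configured boot
# entries are read with grubby so a pending (not yet booted) noexec is caught.
live_check() {
    local klog cpuinfo cmdline
    klog=$(journalctl -k 2>/dev/null || dmesg 2>/dev/null)
    cpuinfo=$(cat /proc/cpuinfo)
    cmdline="$(cat /proc/cmdline) $(grubby --info=ALL 2>/dev/null | sed -n 's/^args="\(.*\)"$/\1/p')"
    assess_nx "$klog" "$cpuinfo" "$cmdline"
}

# Constructed sample inputs (not captured from a real host) for offline use.
SAMPLE_KLOG_OK='[    0.000000] NX (Execute Disable) protection: active'
SAMPLE_KLOG_BAD='[    0.000000] Linux version 5.14.0 (mockbuild@x86-64) ...'
SAMPLE_CPUINFO_OK='flags           : fpu vme de pse nx lm'
SAMPLE_CPUINFO_BAD='flags           : fpu vme de pse lm'
SAMPLE_CMDLINE_OK='BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0 root=/dev/mapper/root ro crashkernel=1G-4G:192M'
SAMPLE_CMDLINE_BAD='BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0 root=/dev/mapper/root ro noexec=off'

case "${1:-}" in
    --live) live_check; exit $? ;;
    *) assess_nx "$SAMPLE_KLOG_BAD" "$SAMPLE_CPUINFO_OK" "$SAMPLE_CMDLINE_BAD" ;;
esac
```

Run with no arguments to see the findings produced for the constructed non-compliant samples; run as root with `--live` to assess the host, where a non-zero exit status means the rule is a finding.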