STIGQter: STIG Summary: VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 28 Sep 2018

The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.

DISA Rule

SV-99349r1_rule

Vulnerability Number

V-88699

Group Title

SRG-OS-000433-GPOS-00192

Rule Version

VROM-SL-001310

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the "/boot/grub/menu.lst" file and add "noexec=on" to the end of each kernel line entry. A system restart is required to implement this change.

Check Contents

The stock kernel has support for non-executable program stacks compiled in by default. Verify that the option was specified when the kernel was built:

# grep -i "execute" /var/log/boot.msg

The message: "NX (Execute Disable) protection: active" will be written in the boot log when compiled in the kernel. This is the default for x86_64.

To activate this support, the "noexec=on" kernel parameter must be specified at boot time. Check for a message with the following command:

# grep -i "noexec" /var/log/boot.msg

The message: "Kernel command line: <boot parameters> noexec=on" will be written to the boot log when properly appended to the "/boot/grub/menu.lst" file.

If non-executable program stacks have not been configured, this is a finding.
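The check above, as an added audit helper (example code, not part of the STIG or STIGQter): it runs the two boot-log greps the check describes and, going one step further, inspects the "kernel" lines of "/boot/grub/menu.lst" named in the fix, so a host that was edited but not yet rebooted is reported as a finding. File paths are parameters with the STIG's paths as defaults; the sample boot log and menu.lst at the end are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the STIG or STIGQter: an audit helper for
# VROM-SL-001310. Paths are parameters so it can run against copies or
# constructed samples; the defaults are the files the STIG names.

# 0 if the boot log reports the NX bit as active.
nx_active() {
    grep -qi "NX (Execute Disable) protection: active" "${1:-/var/log/boot.msg}"
}

# 0 if the logged kernel command line carries noexec=on.
noexec_in_cmdline() {
    grep -i "Kernel command line:" "${1:-/var/log/boot.msg}" | grep -qw "noexec=on"
}

# 0 if every "kernel" entry in menu.lst carries noexec=on; a file with no
# kernel entries at all is treated as non-compliant rather than passing.
menu_lst_compliant() {
    menu="${1:-/boot/grub/menu.lst}"
    total=$(grep -cE '^[[:space:]]*kernel[[:space:]]' "$menu" || true)
    [ "$total" -gt 0 ] || return 1
    ok=$(grep -E '^[[:space:]]*kernel[[:space:]]' "$menu" | grep -cw 'noexec=on' || true)
    [ "$ok" -eq "$total" ]
}

# Runs all three checks; prints the reason for each failure, then
# "compliant" or "finding", and returns 1 on a finding.
stig_check() {
    log="${1:-/var/log/boot.msg}"; menu="${2:-/boot/grub/menu.lst}"; rc=0
    nx_active "$log"           || { echo "NX not reported active in $log"; rc=1; }
    noexec_in_cmdline "$log"   || { echo "noexec=on missing from kernel command line in $log"; rc=1; }
    menu_lst_compliant "$menu" || { echo "a kernel line in $menu lacks noexec=on"; rc=1; }
    [ "$rc" -eq 0 ] && echo "compliant" || echo "finding"
    return "$rc"
}

# Constructed sample (not a real boot log): a host whose menu.lst was
# edited but not yet rebooted, so the logged command line lacks noexec=on.
tmp=$(mktemp -d)
printf '%s\n' "NX (Execute Disable) protection: active" \
    "Kernel command line: root=/dev/sda2 splash=silent" > "$tmp/boot.msg"
printf '%s\n' "title SLES" "    root (hd0,0)" \
    "    kernel /boot/vmlinuz root=/dev/sda2 splash=silent noexec=on" \
    "    initrd /boot/initrd" > "$tmp/menu.lst"
stig_check "$tmp/boot.msg" "$tmp/menu.lst" || true   # prints the reason, then "finding"
rm -rf "$tmp"
```

Run it with no arguments on the appliance itself to audit the live files; a reboot after the fix is what moves the result from "finding" to "compliant".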

Vulnerability Number

V-88699

Documentable

False

Rule Version

VROM-SL-001310

Severity Override Guidance


Check Content Reference

M

Target Key

3461

Comments