SLES 11 SP4 STIG for SUSE Linux Enterprise SP4 question



reteer
09-May-2018, 20:41
I'm currently doing a DISA STIG on a SUSE Linux Enterprise Server 11 SP4 host using the SUSE Linux Enterprise Server 11 v11 for System z host checklist. I am having a problem with one of the STIG checklist items. Here is the STIG item below:

V-11999

The stock kernel has support for non-executable program stacks compiled in by default. The kernel build options can be found in the /boot/config--default file. Verify that the option was specified when the kernel was built:
# grep -i CONFIG_S390_EXEC /boot/config--default

The value “CONFIG_S390_EXEC_PROTECT=y” should be returned.

There is no /boot/config file. There is only a /boot/config-3.0.101-0.47.99-default, not sure if this file is the equivalent or not.

To activate this support, the “noexec=on” kernel parameter must be specified at boot time. The message: “Execute protection active, mvcos available” will be written in the boot log when this feature has been configured successfully. Check for the message with the following command:
# grep -i "execute protect" /var/log/boot.msg
If non-executable program stacks have not been configured, this is a finding.

Verify "randomize_va_space" has not been changed from the default "1" setting.

Procedure:

# sysctl kernel.randomize_va_space
If the return value is not:
kernel.randomize_va_space = 1
this is a finding.

I ran this command and my randomize_va_space is set to 2.


Fix Text (F-39115r1_fix)

Edit the /etc/zipl.conf file and add “noexec=on” to the parameters line in the stanza for the kernel being used on the system. Run the ‘zipl’ command to update the boot loader configuration:
# zipl

A system restart is required to implement this change.

Examine /etc/sysctl.conf for the "kernel.randomize_va_space" entry and if found remove it. The system default of "1" enables this module.


There is no /etc/zipl.conf file, so I'm unable to modify the noexec parameter.

With no zipl.conf, how (or can) I modify the parameters for this host to satisfy the STIG? Is there an alternate solution for this? Please advise.
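An added example, not part of reteer's post or of the STIG itself: a small POSIX shell checker that evaluates the V-11999 conditions quoted above against constructed sample files, so the logic can be tried offline before pointing it at a host. It assumes the real inputs would be /boot/config-$(uname -r) (the versioned file the poster found), /var/log/boot.msg, /proc/cmdline and the output of `sysctl -n kernel.randomize_va_space`; the randomize_va_space rule follows the STIG text literally (only "1" passes) but reports the value 2 distinctly, since 2 is the kernel's full-randomization setting rather than randomization being off.

```shell
#!/bin/sh
# Added example checker for the V-11999 conditions. Every check takes a file
# path (or a value) as its argument so it can run against constructed samples;
# the host paths named in the lead-in are assumptions, not taken from the post.

# Kernel build option: the STIG expects CONFIG_S390_EXEC_PROTECT=y. A disabled
# option appears as "# CONFIG_... is not set" and must not count as a pass.
check_exec_protect_config() {
    if grep -q '^CONFIG_S390_EXEC_PROTECT=y$' "$1"; then echo pass; else echo finding; fi
}

# Boot log: the STIG greps case-insensitively for "execute protect".
check_exec_protect_boot() {
    if grep -qi 'execute protect' "$1"; then echo pass; else echo finding; fi
}

# Kernel command line (/proc/cmdline on a live host): noexec=on must be a whole
# parameter, so split on spaces and match the full token, not a substring.
check_noexec_cmdline() {
    if tr ' ' '\n' < "$1" | grep -qx 'noexec=on'; then echo pass; else echo finding; fi
}

# randomize_va_space: the STIG text treats anything but "1" as a finding.
# 2 means full randomization (stack, mmap and brk), so it is reported apart
# from 0 (randomization off) to help the reviewer document the finding.
check_randomize_va_space() {
    case "$1" in
        1) echo pass ;;
        2) echo finding-value-2-full-randomization ;;
        *) echo finding ;;
    esac
}

# Constructed sample inputs (not data from any real host).
sample_dir=$(mktemp -d)
printf 'CONFIG_S390_EXEC_PROTECT=y\n' > "$sample_dir/config-ok"
printf '# CONFIG_S390_EXEC_PROTECT is not set\n' > "$sample_dir/config-bad"
printf 'Execute protection active, mvcos available\n' > "$sample_dir/boot.msg"
printf 'root=/dev/dasda1 noexec=on quiet\n' > "$sample_dir/cmdline"

for f in config-ok config-bad; do
    echo "$f: $(check_exec_protect_config "$sample_dir/$f")"
done
echo "boot.msg: $(check_exec_protect_boot "$sample_dir/boot.msg")"
echo "cmdline: $(check_noexec_cmdline "$sample_dir/cmdline")"
echo "randomize_va_space=2: $(check_randomize_va_space 2)"
```

On a host, replace the sample paths with the real files and feed `sysctl -n kernel.randomize_va_space` to the last check; any line other than "pass" is what the STIG calls a finding.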

Automatic Reply
14-May-2018, 05:30
reteer,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, and volunteer run, so if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- Open a service request: https://www.suse.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore it and accept our apologies, and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com