STIG for SUSE Linux Enterprise SP4 question

reteer New or Quiet Member
I'm currently doing a DISA STIG on a SUSE Linux Enterprise Server 11 SP4 host using the SUSE Linux Enterprise Server 11 v11 for System z host checklist. I am having a problem with one of the STIG checklist items. Here is the STIG item below:


The stock kernel has support for non-executable program stacks compiled in by default. The kernel build options can be found in the /boot/config--default file. Verify that the option was specified when the kernel was built:
# grep -i CONFIG_S390_EXEC /boot/config--default

The value “CONFIG_S390_EXEC_PROTECT=y” should be returned.

There is no /boot/config file. There is only a /boot/config-3.0.101-0.47.99-default; I'm not sure if this file is the equivalent or not.

To activate this support, the “noexec=on” kernel parameter must be specified at boot time. The message: “Execute protection active, mvcos available” will be written in the boot log when this feature has been configured successfully. Check for the message with the following command:
# grep -i "execute protect" /var/log/boot.msg
If non-executable program stacks have not been configured, this is a finding.

Verify "randomize_va_space" has not been changed from the default "1" setting.


# sysctl kernel.randomize_va_space
If the return value is not:
kernel.randomize_va_space = 1
this is a finding.

I ran this command; my space is set to 2.

Fix Text (F-39115r1_fix)

Edit the /etc/zipl.conf file and add “noexec=on” to the parameters line in the stanza for the kernel being used on the system. Run the ‘zipl’ command to update the boot loader configuration:
# zipl

A system restart is required to implement this change.

Examine /etc/sysctl.conf for the "kernel.randomize_va_space" entry and if found remove it. The system default of "1" enables this module.

So, there is no /etc/zipl.conf file, so I'm unable to modify the noexec parameter.

With no zipl.conf, how, or can, I modify the parameters for this host to satisfy the STIG? Is there an alternate solution for this? Please advise.
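
The three checks quoted from the STIG item in the post above, written as shell functions. This is an added example, not part of the original post or of the STIG; the function names are hypothetical, and the `/boot/config-$(uname -r)` path in the closing comment is an assumption about where the running kernel's build config is installed.

```sh
#!/bin/sh
# Added example: the three checks from the quoted STIG item as functions.
# Inputs are parameters so the logic can be run against constructed files.

# 0 if the kernel build config enables execute protection; 2 if unreadable.
check_exec_protect() {
    [ -r "$1" ] || return 2
    # -x matches the whole line, so "# CONFIG_S390_EXEC_PROTECT is not set" fails.
    grep -qx 'CONFIG_S390_EXEC_PROTECT=y' "$1"
}

# 0 if the boot log contains the execute-protection message; 2 if unreadable.
check_boot_msg() {
    [ -r "$1" ] || return 2
    grep -qi 'execute protect' "$1"
}

# 0 only when the value is the "1" the STIG text expects.
check_aslr() {
    [ "$1" = "1" ]
}

# Print one line per check and count anything that is not a pass.
result() {  # result DESCRIPTION RC
    case "$2" in
        0) echo "PASS     $1" ;;
        2) echo "UNKNOWN  $1 (file not readable)"; findings=$((findings + 1)) ;;
        *) echo "FINDING  $1"; findings=$((findings + 1)) ;;
    esac
}

# stig_report CONFIG_FILE BOOT_LOG ASLR_VALUE -> returns the number of non-passes
stig_report() {
    findings=0
    rc=0; check_exec_protect "$1" || rc=$?
    result "CONFIG_S390_EXEC_PROTECT=y in $1" "$rc"
    rc=0; check_boot_msg "$2" || rc=$?
    result "execute-protect message in $2" "$rc"
    rc=0; check_aslr "$3" || rc=$?
    result "kernel.randomize_va_space = 1 (current: $3)" "$rc"
    return "$findings"
}

# On a live host (assumption: the build config is /boot/config-$(uname -r)):
#   stig_report "/boot/config-$(uname -r)" /var/log/boot.msg \
#       "$(sysctl -n kernel.randomize_va_space)"
```

A missing input file is reported as UNKNOWN rather than as a pass, so a check that could not be evaluated still counts toward the return value.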

