I'm currently doing a DISA STIG on a SUSE Linux Enterprise Server 11 SP4 host using the SUSE Linux Enterprise Server 11 v11 for System z host checklist. I am having a problem with one of the STIG checklist items. Here is the STIG item below:


The stock kernel has support for non-executable program stacks compiled in by default. The kernel build options can be found in the /boot/config--default file. Verify that the option was specified when the kernel was built:
# grep -i CONFIG_S390_EXEC /boot/config--default

The value “CONFIG_S390_EXEC_PROTECT=y” should be returned.

There is no /boot/config file. There is only a /boot/config-3.0.101-0.47.99-default; I'm not sure whether this file is the equivalent or not.

To activate this support, the “noexec=on” kernel parameter must be specified at boot time. The message: “Execute protection active, mvcos available” will be written in the boot log when this feature has been configured successfully. Check for the message with the following command:
# grep -i "execute protect" /var/log/boot.msg
If non-executable program stacks have not been configured, this is a finding.

Verify "randomize_va_space" has not been changed from the default "1" setting.


# sysctl kernel.randomize_va_space
If the return value is not:
kernel.randomize_va_space = 1
this is a finding.

I ran this command; my space is set to 2.

Fix Text (F-39115r1_fix)

Edit the /etc/zipl.conf file and add “noexec=on” to the parameters line in the stanza for the kernel being used on the system. Run the ‘zipl’ command to update the boot loader configuration:
# zipl

A system restart is required to implement this change.

Examine /etc/sysctl.conf for the "kernel.randomize_va_space" entry and if found remove it. The system default of "1" enables this module.

There is no /etc/zipl.conf file, so I'm unable to modify the noexec parameter.

With no zipl.conf, how (or can) I modify the parameters on this host to satisfy the STIG? Is there an alternate solution for this? Please advise.
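An added compliance check for the items quoted above; this is not part of the original post or of the STIG. It assumes the running kernel's build config is /boot/config-$(uname -r) (which on this host resolves to /boot/config-3.0.101-0.47.99-default) and that the parameters actually in effect can be read from /proc/cmdline, whichever boot loader supplied them. Every function takes an optional path so it can also be run against constructed files.

```shell
#!/bin/sh
# Added example: checks for the STIG items quoted in the post. Each function
# takes an optional path; with no argument it uses the real location.

# Kernel build option. The config of the running kernel is
# /boot/config-$(uname -r); on the host in the post that resolves to
# /boot/config-3.0.101-0.47.99-default (assumption: SLES installs it there).
check_exec_protect_config() {
    cfg="${1:-/boot/config-$(uname -r)}"
    grep -q '^CONFIG_S390_EXEC_PROTECT=y$' "$cfg" 2>/dev/null
}

# Parameter actually in effect. /proc/cmdline holds the parameters the
# running kernel booted with, regardless of which boot loader (zipl or
# otherwise) passed them.
check_noexec_cmdline() {
    cmdline="${1:-/proc/cmdline}"
    [ -r "$cmdline" ] || return 1
    tr ' ' '\n' < "$cmdline" | grep -qx 'noexec=on'
}

# Boot-log message the checklist asks for.
check_boot_msg() {
    log="${1:-/var/log/boot.msg}"
    grep -qi 'execute protect' "$log" 2>/dev/null
}

# ASLR setting, read from /proc/sys so neither root nor sysctl(8) is needed.
# The checklist requires exactly 1; a value of 2 (which also randomises the
# brk area) is stricter but is still a finding under the text as written.
check_randomize_va_space() {
    f="${1:-/proc/sys/kernel/randomize_va_space}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Run every check against the live host and print one verdict per item.
stig_report() {
    for c in check_exec_protect_config check_noexec_cmdline \
             check_boot_msg check_randomize_va_space; do
        if "$c"; then echo "PASS    $c"; else echo "FINDING $c"; fi
    done
}

# Usage on the host: sh stig_check.sh report
if [ "${1:-}" = "report" ]; then stig_report; fi
```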