AlmaLinux OS 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-269449 | SRG-OS-000433-GPOS-00192 | ALMA-09-044570 | SV-269449r1050620_rule | 2026-02-27 | 1 |
Description
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis.
When the kernel places the memory regions of a process, such as the stack and heap, higher than this address, the hardware prevents execution in that address range.
ℹ️ Check
Verify ExecShield is enabled on 64-bit AlmaLinux OS 9 systems with the following command:
$ dmesg | grep '[NX|DX]*protection'
[ 0.000000] NX (Execute Disable) protection: active
If "dmesg" does not show "NX (Execute Disable) protection active", this is a finding.
✔️ Fix
Update the GRUB 2 bootloader configuration to ensure the noexec kernel parameter is not enabled using the following command:
$ grubby --update-kernel=ALL --remove-args=noexec
Enable the NX bit execute protection in the system BIOS.