← Rules Catalog
mediumkernelverified

Ensure ExecShield (NX/no-execute memory protection) is enabled

execshield-nx-enabled · RHEL ≥ 10, UBUNTU ≥ 22 · 1 impl

Description

RHEL 10 must enable ExecShield so that no-execute (NX) memory protection is active on every processor and is not disabled by a "noexec" kernel argument.

Rationale

NX marks memory regions such as the stack and heap non-executable, preventing a broad class of buffer-overflow and code-injection attacks from executing attacker-controlled data as code. A "noexec" kernel argument that disables NX, or a processor without the nx flag, removes this protection.

Check → Remediate

Checkcommand
# A processor without the nx flag → ExecShield unavailable.
if grep '^flags' /proc/cpuinfo 2>/dev/null | grep -qvE '([^[:alnum:]])nx([^[:alnum:]]|$)'; then
  echo "FAIL: one or more processors do not expose the nx (ExecShield) flag"
  exit 1
fi
# A noexec kernel argument disables NX.
if grubby --info=ALL 2>/dev/null | grep '^args' | grep -qE '([^[:alnum:]])noexec([^[:alnum:]]|$)'; then
  echo "FAIL: a 'noexec' kernel argument is disabling NX/ExecShield"
  exit 1
fi
echo "OK: ExecShield/NX is enabled on all processors and not disabled by a kernel argument"
exit 0
expected_exit:
0
Remediatemanual
note:
ExecShield/NX is enabled by default on RHEL 10. If a processor lacks the nx flag, enable "Execute Disable Bit" / "NX" in the system firmware (BIOS/UEFI). If a "noexec" kernel argument is present, remove it from the boot loader configuration (e.g. via grubby --update-kernel=ALL --remove-args="noexec") and reboot.

Framework references

STIG

V-281321 / RHEL-10-701190V-270771 / UBTU-24-700300V-260475 / UBTU-22-213025

NIST 800-53

SC-39SI-16

Live verification

ubuntu22:checkubuntu24:check
#kernel#execshield#nx#memory-protection#stig