Check if NX/XD support is enabled.

jmlutz · August 16, 2017, 9:15pm

Hi. We are using the CIS Benchmarck for SLES 12 for our lockdown. The 1.5.2 control has one check to see if NX/XD support is enabled by running the following command.

# dmesg | grep NX NX (Execute Disable) protection: active

This works fine, except if the dmesg log fills up and NX protection line rotates off the log. Is there an alternative way one can use to show NX is enabled?

I know it’s on by default on 64-bit kernels, but due to audits, we must have a way to show that it is enabled. Thank you.

malcolmlewis · August 16, 2017, 11:05pm

Hi and welcome to the forum
Perhaps save the boot log…? Or configure the journal to stay on disk for the boot logs…

journalctl --list-boots

journalctl -b --no-pager |grep "NX ("
Aug 15 18:54:26 fozzie-bear kernel: NX (Execute Disable) protection: active

grep nx /proc/cpuinfo

Since it only appears at boot, if it goes, the only thing you can do is a reboot Seems to be a no win type of thing…

jmlutz · August 17, 2017, 7:01pm

I think using…

journalctl -b --no-pager |grep "NX ("

…seems to be the best method for showing what the control is looking for. It matches what using dmesg would show and the entry is still there while the dmesg log entry is gone. Thank you for the quick response!

Topic		Replies	Views
No eXecute bit or Data execution prevention SLES SAP Applications	0	544	December 8, 2020
SLED 12 - Fail to boot (installer) SLED Install-Boot	6	408	October 30, 2014
Confirm Secure Boot Enabled General Discussion	5	466	January 21, 2021
no more processes left in this runlevel SLES Install-Boot	4	261	May 21, 2015
Detection of modes of NVMe devices in SLES SLES Hardware	7	944	October 23, 2020

Check if NX/XD support is enabled.

Related topics