Check if NX/XD support is enabled.

Hi. We are using the CIS Benchmark for SLES 12 for our lockdown. The 1.5.2 control has one check to see if NX/XD support is enabled by running the following command.

# dmesg | grep NX
NX (Execute Disable) protection: active

This works fine, except if the dmesg log fills up and NX protection line rotates off the log. Is there an alternative way one can use to show NX is enabled?

I know it’s on by default on 64-bit kernels, but due to audits, we must have a way to show that it is enabled. Thank you.

Hi and welcome to the forum :slight_smile:
Perhaps save the boot log…? Or configure the journal to stay on disk for the boot logs…

journalctl --list-boots

journalctl -b --no-pager |grep "NX ("
Aug 15 18:54:26 fozzie-bear kernel: NX (Execute Disable) protection: active

grep nx /proc/cpuinfo

Since it only appears at boot, if it goes, the only thing you can do is a reboot :frowning: Seems to be a no win type of thing…

I think using…

journalctl -b --no-pager |grep "NX ("

…seems to be the best method for showing what the control is looking for. It matches what using dmesg would show and the entry is still there while the dmesg log entry is gone. Thank you for the quick response!
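Added example, not written by anyone in this thread: a small shell check that combines the sources mentioned above (the current-boot journal, the dmesg ring buffer, and the nx flag in /proc/cpuinfo) into one audit verdict. The function names and the PASS/INCONCLUSIVE/FAIL wording are assumptions of this example; the CPU flag is treated as supporting evidence only, since the control asks for the kernel's boot message.

```shell
#!/bin/sh
# Added example: NX/XD audit evidence from more than one source.

# nx_cpu_flag FILE: succeeds if the first "flags" line of a
# cpuinfo-format file lists nx as a whole word.
nx_cpu_flag() {
    grep -m1 '^flags' "$1" | grep -qw 'nx'
}

# nx_verdict LOGFILE CPUINFOFILE: prints one verdict line.
#   PASS          kernel log says NX protection is active
#   FAIL          kernel log mentions NX protection but not as active,
#                 or there is neither a log line nor a CPU flag
#   INCONCLUSIVE  boot message is gone from the log, CPU advertises nx
nx_verdict() {
    line=$(grep -m1 'NX (Execute Disable) protection' "$1" || true)
    case $line in
        *'protection: active'*) echo "PASS: $line" ;;
        ?*)                     echo "FAIL: $line" ;;
        *)
            if nx_cpu_flag "$2"; then
                echo "INCONCLUSIVE: CPU advertises nx, boot message not in log"
            else
                echo "FAIL: no NX boot message and no nx CPU flag"
            fi ;;
    esac
}

# nx_verdict_live: current-boot journal first (it outlives the dmesg
# ring buffer), dmesg as a fallback when the journal has no NX line.
nx_verdict_live() {
    tmp=$(mktemp) || return 1
    journalctl -b --no-pager > "$tmp" 2>/dev/null || true
    grep -q 'NX (Execute Disable) protection' "$tmp" ||
        dmesg > "$tmp" 2>/dev/null || true
    nx_verdict "$tmp" /proc/cpuinfo
    rm -f "$tmp"
}

# Touch the real system only when asked: sh nx_check.sh --live
if [ "${1:-}" = "--live" ]; then nx_verdict_live; fi
```

An INCONCLUSIVE result means the boot message is no longer available, so the options are the ones given above: keep the boot journal on disk, or reboot.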