I’m currently doing a DISA STIG on a SUSE Linux Enterprise Server 11 SP4 host using the SUSE Linux Enterprise Server 11 v11 for System z host checklist. I am having a problem with one of the STIG checklist items. Here is the STIG item below:
V-11999
The stock kernel has support for non-executable program stacks compiled in by default. The kernel build options can be found in the /boot/config-default file. Verify that the option was specified when the kernel was built:
grep -i CONFIG_S390_EXEC /boot/config-default
The value "CONFIG_S390_EXEC_PROTECT=y" should be returned.
There is no /boot/config file. There is only a /boot/config-3.0.101-0.47.99-default; I'm not sure if this file is the equivalent or not.
To activate this support, the "noexec=on" kernel parameter must be specified at boot time. The message "Execute protection active, mvcos available" will be written in the boot log when this feature has been configured successfully. Check for the message with the following command:
grep -i "execute protect" /var/log/boot.msg
If non-executable program stacks have not been configured, this is a finding.
Verify “randomize_va_space” has not been changed from the default “1” setting.
Procedure:
# sysctl kernel.randomize_va_space
If the return value is not:
kernel.randomize_va_space = 1
this is a finding.
I ran this command; my space is set to 2.
Fix Text (F-39115r1_fix)
Edit the /etc/zipl.conf file and add "noexec=on" to the parameters line in the stanza for the kernel being used on the system. Run the "zipl" command to update the boot loader configuration:
zipl
A system restart is required to implement this change.
Examine /etc/sysctl.conf for the “kernel.randomize_va_space” entry and if found remove it. The system default of “1” enables this module.
There is no /etc/zipl.conf file, so I'm unable to modify the noexec parameter.
With no zipl.conf how or can I modify the parameters for this host to satisfy the STIG? Is there an alternate solution for this? Please advise.
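As an added example (not from the post or from DISA's STIG text), a small POSIX sh checker for the three conditions the item lists. It assumes SUSE's /boot/config-$(uname -r) is the kernel config the STIG refers to, and takes the file paths and the sysctl value as arguments so the logic can be exercised on constructed inputs without root:

```shell
#!/bin/sh
# Added example, not from the post or from DISA: checks the three V-11999
# conditions against given files and a given sysctl value.

# 1. Kernel built with execute protection. Assumption: SUSE's
#    /boot/config-$(uname -r) is the config of the running kernel.
kernel_config_has_exec_protect() {
    grep -q '^CONFIG_S390_EXEC_PROTECT=y$' "$1" 2>/dev/null
}

# 2. Feature active at boot: the "Execute protection active" line in boot.msg.
bootlog_has_exec_protect() {
    grep -qi 'execute protect' "$1" 2>/dev/null
}

# 3. ASLR setting unchanged from the STIG-expected value of 1.
randomize_va_space_ok() {
    [ "$1" = "1" ]
}

# Runs all three checks, prints PASS/FINDING per check, returns the finding count.
check_v11999() {
    cfg=$1 bootlog=$2 rva=$3 findings=0
    if kernel_config_has_exec_protect "$cfg"; then
        echo "PASS    CONFIG_S390_EXEC_PROTECT=y in $cfg"
    else
        echo "FINDING CONFIG_S390_EXEC_PROTECT=y not in $cfg"; findings=$((findings + 1))
    fi
    if bootlog_has_exec_protect "$bootlog"; then
        echo "PASS    execute protection message in $bootlog"
    else
        echo "FINDING no execute protection message in $bootlog"; findings=$((findings + 1))
    fi
    if randomize_va_space_ok "$rva"; then
        echo "PASS    kernel.randomize_va_space = $rva"
    else
        echo "FINDING kernel.randomize_va_space = $rva (expected 1)"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on constructed inputs mirroring the post (protection built in and active, ASLR at 2).
demo=$(mktemp -d)
printf 'CONFIG_S390_EXEC_PROTECT=y\n' > "$demo/config"
printf 'Execute protection active, mvcos available\n' > "$demo/boot.msg"
check_v11999 "$demo/config" "$demo/boot.msg" 2
rm -rf "$demo"
# Live host: check_v11999 "/boot/config-$(uname -r)" /var/log/boot.msg "$(sysctl -n kernel.randomize_va_space)"
```

On the constructed inputs the demo reports two PASS lines and one FINDING for randomize_va_space, matching the state the post describes.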