STIG for SUSE Linux Enterprise SP4 question

I’m currently doing a DISA STIG on a SUSE Linux Enterprise Server 11 SP4 host using the SUSE Linux Enterprise Server 11 v11 for System z host checklist. I am having a problem with one of the STIG checklist items. Here is the STIG item below:

V-11999

The stock kernel has support for non-executable program stacks compiled in by default. The kernel build options can be found in the /boot/config–default file. Verify that the option was specified when the kernel was built:

grep -i CONFIG_S390_EXEC /boot/config–default

The value “CONFIG_S390_EXEC_PROTECT=y” should be returned.

There is no /boot/config file. There is only a /boot/config-3.0.101-0.47.99-default; I'm not sure if this file is the equivalent or not.

To activate this support, the “noexec=on” kernel parameter must be specified at boot time. The message: “Execute protection active, mvcos available” will be written in the boot log when this feature has been configured successfully. Check for the message with the following command:

grep -i "execute protect" /var/log/boot.msg

If non-executable program stacks have not been configured, this is a finding.

Verify “randomize_va_space” has not been changed from the default “1” setting.

Procedure:

# sysctl kernel.randomize_va_space
If the return value is not:
kernel.randomize_va_space = 1
this is a finding.

I ran this command; my space is set to 2.

Fix Text (F-39115r1_fix)

Edit the /etc/zipl.conf file and add “noexec=on” to the parameters line in the stanza for the kernel being used on the system. Run the ‘zipl’ command to update the boot loader configuration:

zipl

A system restart is required to implement this change.

Examine /etc/sysctl.conf for the “kernel.randomize_va_space” entry and if found remove it. The system default of “1” enables this module.

So, there is no /etc/zipl.conf file, so I’m unable to modify the noexec parameter.

With no zipl.conf, how (or can) I modify the parameters for this host to satisfy the STIG? Is there an alternate solution for this? Please advise.
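
The checks quoted from V-11999 above, collected into one script as an added example that is not part of the original post or the STIG. It assumes the build options of the running kernel are in /boot/config-$(uname -r) and that the active boot parameters can be read from /proc/cmdline; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG): V-11999 checks with file paths as arguments.

# Build option: the kernel config must contain CONFIG_S390_EXEC_PROTECT=y.
check_build_option() { grep -q '^CONFIG_S390_EXEC_PROTECT=y$' "$1"; }

# Boot parameter: noexec=on must be a whole word on the kernel command line,
# so noexec=off or a longer token does not count.
check_cmdline() { tr ' \t' '\n\n' < "$1" | grep -qx 'noexec=on'; }

# Boot log: the kernel writes "Execute protection active ..." when enabled.
check_boot_log() { grep -qi 'execute protect' "$1"; }

# The checklist text expects kernel.randomize_va_space to be exactly 1.
check_aslr() { [ "$(tr -d ' \n' < "$1")" = "1" ]; }

# Print one line per failed check, then the number of findings on the last line.
# Args: <kernel config> <cmdline file> <boot log> <randomize_va_space file>
v11999_audit() {
    n=0
    check_build_option "$1" || { echo "FINDING: CONFIG_S390_EXEC_PROTECT=y not in $1"; n=$((n+1)); }
    check_cmdline "$2"      || { echo "FINDING: noexec=on not on the kernel command line"; n=$((n+1)); }
    check_boot_log "$3"     || { echo "FINDING: no 'execute protect' message in $3"; n=$((n+1)); }
    check_aslr "$4"         || { echo "FINDING: randomize_va_space is $(cat "$4"), checklist expects 1"; n=$((n+1)); }
    echo "$n"
}

# Constructed sample files so the example runs offline on any machine.
demo=$(mktemp -d)
echo 'CONFIG_S390_EXEC_PROTECT=y' > "$demo/config"
echo 'root=/dev/dasda1 TERM=dumb' > "$demo/cmdline"             # noexec=on missing
echo 'Linux version 3.0.101 (constructed)' > "$demo/boot.msg"   # no protect message
echo 2 > "$demo/aslr"                                           # value reported in the post
v11999_audit "$demo/config" "$demo/cmdline" "$demo/boot.msg" "$demo/aslr"

# On a real host:
# v11999_audit "/boot/config-$(uname -r)" /proc/cmdline /var/log/boot.msg \
#     /proc/sys/kernel/randomize_va_space
```
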

reteer,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, and volunteer run. If your issue
is urgent or not getting a response, you might try one of the following options:

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot…

Good luck!

Your SUSE Forums Team
http://forums.suse.com