1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
documentation_complete: true
title: 'Configure the deny_execmem SELinux Boolean'
description: |-
By default, the SELinux boolean <tt>deny_execmem</tt> is disabled.
This setting should be configured to {{{ xccdf_value("var_deny_execmem") }}}.
<br/>{{{ describe_sebool_var(sebool="deny_execmem") }}}
rationale: |-
Allowing user domain applications to map a memory region as both writable and
executable makes them more susceptible to data execution attacks.
severity: medium
identifiers:
cce@rhel8: CCE-83307-9
cce@rhel9: CCE-84082-7
cce@rhel10: CCE-87708-4
cce@sle12: CCE-91575-1
cce@sle15: CCE-91265-9
{{{ complete_ocil_entry_sebool_var(sebool="deny_execmem") }}}
warnings:
- general: |-
This rule doesn't come with a remediation, as enabling this SELinux boolean can cause
applications to malfunction, for example Graphical login managers and Firefox.
- functionality: |-
Proper function and stability should be assessed before applying enabling the SELinux
boolean in production systems.
template:
name: sebool
vars:
seboolid: deny_execmem
backends:
bash: "off"
ansible: "off"
|
