documentation_complete: true
title: 'Disable the selinuxuser_execheap SELinux Boolean'
description: |-
    By default, the SELinux boolean <tt>selinuxuser_execheap</tt> is disabled.
    When enabled, this boolean allows SELinux users to execute code from the heap.
    If this setting is enabled, it should be disabled.
    {{{ describe_sebool_disable(sebool="selinuxuser_execheap") }}}
rationale: |-
    Disabling code execution from the heap blocks buffer overflow attacks.
severity: medium
identifiers:
    cce@rhel8: CCE-80949-1
    cce@rhel9: CCE-84084-3
    cce@rhel10: CCE-90413-6
    cce@sle12: CCE-91577-7
    cce@sle15: CCE-91424-2
references:
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
{{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_execheap") }}}
template:
    name: sebool
    vars:
        seboolid: selinuxuser_execheap