File: rule.yml

package info
scap-security-guide 0.1.78-1
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (38 lines) | stat: -rw-r--r-- 1,158 bytes
documentation_complete: true

title: 'Ensure SMEP is not disabled during boot'

description: |-
    SMEP is used to prevent supervisor mode from executing user space code.
    It is enabled by default since Linux kernel 3.0, but it can be disabled through
    kernel boot parameters.

    Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
    the <tt>nosmep</tt> boot parameter option.

    {{{ describe_grub2_argument_absent("nosmep") | indent(4) }}}

rationale: |-
    Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
    the kernel to unintentionally execute code in less privileged memory space.

severity: medium

identifiers:
    cce@rhel8: CCE-85989-2
    cce@rhel9: CCE-86089-0
    cce@rhel10: CCE-89827-0

ocil_clause: 'the kernel is configured to disable SMEP'

ocil: |-
    Make sure that the kernel is not disabling SMEP with the following
    commands.
    <pre>grep -q nosmep /boot/config-`uname -r`</pre>
    If the command returns a line, it means that SMEP is being disabled.


template:
    name: grub2_bootloader_argument_absent
    vars:
        arg_name: nosmep
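The rule above is evaluated by the grub2_bootloader_argument_absent template. As an added illustration, not code from the scap-security-guide project, the following POSIX shell script shows how a practitioner would verify the same condition by hand on a running host: it tokenizes a kernel command line and looks for a standalone `nosmep` argument, then applies that check to `/proc/cmdline` (the running kernel) and to the `GRUB_CMDLINE_LINUX*` variables in `/etc/default/grub` (what the next boot will use). The file locations, the `smep` flag name in `/proc/cpuinfo`, and the sample command line at the bottom are assumptions and constructed input, not values taken from the rule.

```shell
# Added example (not part of the scap-security-guide rule file).
# Assumptions: /proc/cmdline reflects the running kernel's arguments,
# /etc/default/grub holds the persistent GRUB_CMDLINE_LINUX* settings,
# and CPU support for SMEP shows up as the "smep" flag in /proc/cpuinfo.

# Return 0 when the argument string contains a standalone "nosmep" token,
# 1 otherwise. Token matching avoids false hits on arguments that merely
# contain the substring (the grep in the OCIL text would match those too).
has_nosmep_token() {
    for tok in $1; do
        [ "$tok" = "nosmep" ] && return 0
    done
    return 1
}

# Evaluate one command line string: print PASS/FAIL, return 0 only on PASS.
check_cmdline_string() {
    if has_nosmep_token "$1"; then
        echo "FAIL: nosmep present in: $1"
        return 1
    fi
    echo "PASS: nosmep absent"
    return 0
}

# Live check: running kernel first, then the persistent GRUB default so a
# change that only takes effect after reboot is not missed.
check_running_system() {
    rc=0
    if [ -r /proc/cmdline ]; then
        check_cmdline_string "$(cat /proc/cmdline)" || rc=1
    fi
    if [ -r /etc/default/grub ]; then
        # Extract the quoted value of every GRUB_CMDLINE_LINUX* assignment.
        grub_args=$(sed -n 's/^GRUB_CMDLINE_LINUX[A-Z_]*="\(.*\)"$/\1/p' /etc/default/grub)
        check_cmdline_string "$grub_args" || rc=1
    fi
    # Informational only: the rule is about the boot argument, but SMEP cannot
    # protect anything on a CPU that lacks it.
    if [ -r /proc/cpuinfo ] && ! grep -qw smep /proc/cpuinfo; then
        echo "WARN: CPU does not report the smep flag"
    fi
    return $rc
}

# Constructed sample command lines, so the script demonstrates both outcomes
# without touching the host it runs on.
check_cmdline_string "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet" || :
check_cmdline_string "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nosmep" || :
```

To audit the machine itself, call `check_running_system` after sourcing the script; its exit status is 0 only when neither the running kernel nor the GRUB default carries `nosmep`.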