AlmaLinux OS 9 must implement nonexecutable data to protect its memory from unauthorized code execution.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-269449	SRG-OS-000433-GPOS-00192	ALMA-09-044570	SV-269449r1050620_rule	2025-02-20	1

Description
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places the memory regions of a process, such as the stack and heap, higher than this address, the hardware prevents execution in that address range.

Description

ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places the memory regions of a process, such as the stack and heap, higher than this address, the hardware prevents execution in that address range.

ℹ️ Check
Verify ExecShield is enabled on 64-bit AlmaLinux OS 9 systems with the following command: $ dmesg \| grep '[NX\|DX]*protection' [ 0.000000] NX (Execute Disable) protection: active If "dmesg" does not show "NX (Execute Disable) protection active", this is a finding.

✔️ Fix
Update the GRUB 2 bootloader configuration to ensure the noexec kernel parameter is not enabled using the following command: $ grubby --update-kernel=ALL --remove-args=noexec Enable the NX bit execute protection in the system BIOS.