STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← SI-16 — Memory Protection

CCI-002824

Definition

Implement organization-defined controls to protect the system memory from unauthorized code execution.

Parent Control

SI-16Memory ProtectionSystem and Information Integrity

Linked STIG Checks (90)

V-274003CAT IIAmazon Linux 2023 must restrict exposed kernel pointer addresses access.Amazon Linux 2023 Security Technical Implementation Guide V-274006CAT IIAmazon Linux 2023 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.Amazon Linux 2023 Security Technical Implementation Guide V-274184CAT IIAmazon Linux 2023 must implement nonexecutable data to protect its memory from unauthorized code execution.Amazon Linux 2023 Security Technical Implementation Guide V-268160CAT IINixOS must implement nonexecutable data to protect its memory from unauthorized code execution.Anduril NixOS Security Technical Implementation Guide V-268161CAT IINixOS must implement address space layout randomization to protect its memory from unauthorized code execution.Anduril NixOS Security Technical Implementation Guide V-222612CAT IThe application must not be vulnerable to overflow attacks.Application Security and Development Security Technical Implementation Guide V-219341CAT IIThe Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-219342CAT IIThe Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238368CAT IIThe Ubuntu operating system must implement nonexecutable data to protect its memory from unauthorized code execution.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-238369CAT IIThe Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260474CAT IIUbuntu 22.04 LTS must implement address space layout randomization to protect its memory from unauthorized code execution.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-260475CAT IIUbuntu 22.04 LTS must implement nonexecutable data to protect its memory from unauthorized code execution.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270771CAT IIUbuntu 24.04 LTS must implement nonexecutable data to protect its memory from unauthorized code execution.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-270772CAT IIUbuntu 24.04 LTS must implement address space layout randomization to protect its memory from unauthorized code execution.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-269449CAT IIAlmaLinux OS 9 must implement nonexecutable data to protect its memory from unauthorized code execution.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269450CAT IIAlmaLinux OS 9 must enable mitigations against processor-based vulnerabilities.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269451CAT IIAlmaLinux OS 9 must clear memory when it is freed to prevent use-after-free attacks.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269452CAT IIAlmaLinux OS 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233229CAT IIThe container platform must implement organization-defined security safeguards to protect system CPU and memory from resource depletion and unauthorized code execution.Container Platform Security Requirements Guide V-203753CAT IIThe operating system must implement non-executable data to protect its memory from unauthorized code execution.General Purpose Operating System Security Requirements Guide V-203754CAT IIThe operating system must implement address space layout randomization to protect its memory from unauthorized code execution.General Purpose Operating System Security Requirements Guide V-215398CAT IIAIX must set Stack Execution Disable (SED) system wide mode to all.IBM AIX 7.x Security Technical Implementation Guide V-205588CAT IIThe Mainframe Product must implement security safeguards to protect its memory from unauthorized code execution.Mainframe Product Security Requirements Guide V-220726CAT IData Execution Prevention (DEP) must be configured to at least OptOut.Microsoft Windows 10 Security Technical Implementation Guide V-220727CAT IStructured Exception Handling Overwrite Protection (SEHOP) must be enabled.Microsoft Windows 10 Security Technical Implementation Guide V-220837CAT IIExplorer Data Execution Prevention must be enabled.Microsoft Windows 10 Security Technical Implementation Guide V-253284CAT IStructured Exception Handling Overwrite Protection (SEHOP) must be enabled.Microsoft Windows 11 Security Technical Implementation Guide V-253396CAT IIExplorer Data Execution Prevention must be enabled.Microsoft Windows 11 Security Technical Implementation Guide V-224941CAT IIExplorer Data Execution Prevention must be enabled.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205830CAT IIWindows Server 2019 Explorer Data Execution Prevention must be enabled.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254362CAT IIWindows Server 2022 Explorer Data Execution Prevention must be enabled.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254506CAT IIWindows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts.Microsoft Windows Server 2022 Security Technical Implementation Guide V-278109CAT IIWindows Server 2025 Explorer Data Execution Prevention must be enabled.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278256CAT IIThe Windows Server 2025 "Lock pages in memory" user right must not be assigned to any groups or accounts.Microsoft Windows Server 2025 Security Technical Implementation Guide V-260925CAT IICPU priority must be set appropriately on all containers.Mirantis Kubernetes Engine Security Technical Implementation Guide V-254234CAT IINutanix AOS must implement nonexecutable data to protect its memory from unauthorized code execution.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-254235CAT IINutanix AOS must implement address space layout randomization to protect its memory from unauthorized code execution.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279631CAT IINutanix OS must implement nonexecutable data to protect its memory from unauthorized code execution.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279632CAT IINutanix OS must implement address space layout randomization to protect its memory from unauthorized code execution.Nutanix Acropolis GPOS Security Technical Implementation Guide V-221846CAT IIThe Oracle Linux operating system must implement virtual address space randomization.Oracle Linux 7 Security Technical Implementation Guide V-248589CAT IIOL 8 must implement non-executable data to protect its memory from unauthorized code execution.Oracle Linux 8 Security Technical Implementation Guide V-248594CAT IIOL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.Oracle Linux 8 Security Technical Implementation Guide V-271734CAT IIOL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.Oracle Linux 9 Security Technical Implementation Guide V-271735CAT IIIOL 9 must enable mitigations against processor-based vulnerabilities.Oracle Linux 9 Security Technical Implementation Guide V-271747CAT IIOL 9 must restrict exposed kernel pointer addresses access.Oracle Linux 9 Security Technical Implementation Guide V-271760CAT IIOL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.Oracle Linux 9 Security Technical Implementation Guide V-271761CAT IIOL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.Oracle Linux 9 Security Technical Implementation Guide V-253529CAT IThe configuration integrity of the container platform must be ensured and runtime policies must be configured.Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide V-281171CAT IIRHEL 10 must assign a home directory for local interactive user accounts upon creation.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281293CAT IIRHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281304CAT IIRHEL 10 must enable mitigations against processor-based vulnerabilities.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281308CAT IIRHEL 10 must restrict exposed kernel pointer address access.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281315CAT IIRHEL 10 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281321CAT IIRHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281337CAT IIRHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-230276CAT IIRHEL 8 must implement non-executable data to protect its memory from unauthorized code execution.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230280CAT IIRHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-257794CAT IIRHEL 9 must clear memory when it is freed to prevent use-after-free attacks.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257795CAT IIIRHEL 9 must enable mitigations against processor-based vulnerabilities.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257800CAT IIRHEL 9 must restrict exposed kernel pointer addresses access.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257809CAT IIRHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257817CAT IIRHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257568CAT IIRed Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide V-257569CAT IIRed Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) from unauthorized code execution.Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide V-257566CAT IIOpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-257568CAT IIRed Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-257569CAT IIRed Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) from unauthorized code execution.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-275569CAT IIUbuntu OS must implement address space layout randomization to protect its memory from unauthorized code execution.Riverbed NetIM OS Security Technical Implementation Guide V-275570CAT IIUbuntu OS must implement nonexecutable data to protect its memory from unauthorized code execution.Riverbed NetIM OS Security Technical Implementation Guide V-261271CAT IIAddress space layout randomization (ASLR) must be implemented by SLEM 5 to protect memory from unauthorized code execution.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-261272CAT IISLEM 5 must implement kptr-restrict to prevent the leaking of internal kernel addresses.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-217283CAT IIThe SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-217284CAT IIAddress space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-241169CAT IITrend Deep Security must implement organization-defined security safeguards to protect its memory from unauthorized code execution.Trend Micro Deep Security 9.x Security Technical Implementation Guide V-253093CAT IITOSS must implement non-executable data to protect its memory from unauthorized code execution.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282473CAT IIITOSS 5 must enable mitigations against processor-based vulnerabilities.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282507CAT IITOSS 5 must restrict exposed kernel pointer addresses access.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282610CAT IITOSS 5 must implement nonexecutable data to protect its memory from unauthorized code execution.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-240520CAT IIThe SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-240521CAT IIThe SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-239614CAT IIThe SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-239615CAT IIThe SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-256535CAT IIThe Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-258848CAT IIThe Photon operating system must implement address space layout randomization to protect its memory from unauthorized code execution.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide V-207503CAT IIThe VMM must implement non-executable data to protect its memory from unauthorized code execution.Virtual Machine Manager Security Requirements Guide V-207504CAT IIThe VMM must implement address space layout randomization to protect its memory from unauthorized code execution.Virtual Machine Manager Security Requirements Guide V-73561CAT IIExplorer Data Execution Prevention must be enabled.Windows Server 2016 Security Technical Implementation Guide V-73561CAT IIExplorer Data Execution Prevention must be enabled.Windows Server 2016 Security Technical Implementation Guide V-93563CAT IIWindows Server 2019 Explorer Data Execution Prevention must be enabled.Windows Server 2019 Security Technical Implementation Guide V-93565CAT IIWindows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.Windows Server 2019 Security Technical Implementation Guide