STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

V-282610

CAT II (Medium)

TOSS 5 must implement nonexecutable data to protect its memory from unauthorized code execution.

Rule ID

SV-282610r1200810_rule

STIG

Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002824

Discussion

ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.

Check Content

Verify ExecShield is enabled on 64-bit TOSS 5 systems using the following command:

$ sudo dmesg | grep '[NX|DX]*protection' 

[ 0.000000] NX (Execute Disable) protection: active

If "dmesg" does not show "NX (Execute Disable) protection" active, this is a finding.

Fix Text

Update the GRUB 2 bootloader configuration.

Run the following command:

$ sudo grubby --update-kernel=ALL --remove-args=noexec