STIGhub

V-269449

CAT II (Medium)

AlmaLinux OS 9 must implement nonexecutable data to protect its memory from unauthorized code execution.

Rule ID

SV-269449r1050620_rule

STIG

Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

Version

V1R6

CCIs

CCI-002824

Discussion

ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places the memory regions of a process, such as the stack and heap, higher than this address, the hardware prevents execution in that address range.

Check Content

Verify ExecShield is enabled on 64-bit AlmaLinux OS 9 systems with the following command:

$ dmesg | grep '[NX|DX]*protection' 

[ 0.000000] NX (Execute Disable) protection: active

If "dmesg" does not show "NX (Execute Disable) protection: active", this is a finding.

Fix Text

Update the GRUB 2 bootloader configuration to ensure the noexec kernel parameter is not enabled using the following command:

$ grubby --update-kernel=ALL --remove-args=noexec

Enable the NX bit execute protection in the system BIOS.
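
Added example (not part of the STIG text): a scripted form of the check above that matches the exact boot message rather than the loose grep pattern, and tests a kernel command line for the noexec argument the fix removes. The function names, verdict strings and sample lines other than the "active" message are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not STIG text. Sample log lines below are constructed.

# Classify kernel log text on stdin: active | not_active | no_message.
# Matches the exact boot message instead of the loose check regex, whose
# bracket expression [NX|DX]* can match zero characters, so it selects
# every line containing "protection".
nx_state() {
    state=no_message
    while IFS= read -r line; do
        case $line in
            *'NX (Execute Disable) protection: active'*) state=active ;;
            *'NX (Execute Disable) protection'*)
                [ "$state" = active ] || state=not_active ;;
        esac
    done
    echo "$state"
}

# Succeed if a kernel command line ($1) carries a noexec argument.
# Assumption: bare "noexec" and "noexec=<value>" are treated alike.
has_noexec_arg() (
    set -f    # split on whitespace without glob expansion
    for tok in $1; do
        case $tok in noexec|noexec=*) exit 0 ;; esac
    done
    exit 1
)

# Verdict for kernel log text ($1). A missing message is still a finding
# under the rule's wording, but is reported separately: the ring buffer
# may have wrapped or dmesg may be restricted to root.
evaluate() {
    case $(printf '%s\n' "$1" | nx_state) in
        active)     echo not_a_finding ;;
        not_active) echo finding:nx_not_active ;;
        *)          echo finding:no_nx_message ;;
    esac
}

LOG_ACTIVE='[    0.000000] NX (Execute Disable) protection: active'
LOG_OFF='[    0.000000] NX (Execute Disable) protection: disabled (constructed)'
LOG_OTHER='[    1.234567] example: write protection enabled (constructed)'

for log in "$LOG_ACTIVE" "$LOG_OFF" "$LOG_OTHER"; do evaluate "$log"; done
# Constructed command line; on a live system read /proc/cmdline instead.
has_noexec_arg 'ro quiet noexec=off' && echo 'noexec present: apply the grubby fix'
```

On a live system, feed `evaluate` the output of `dmesg`, and treat `finding:no_nx_message` as a prompt to re-read the boot log with sufficient privilege before recording the result.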