diff --git a/controls/sysctl_spec.rb b/controls/sysctl_spec.rb
index 7532df4..a5cd7c2 100644
--- a/controls/sysctl_spec.rb
+++ b/controls/sysctl_spec.rb
@@ -337,12 +337,18 @@ control 'sysctl-33' do
 impact 1.0
 title 'CPU No execution Flag or Kernel ExecShield'
 desc 'Kernel features and CPU flags provide a protection against buffer overflows. The CPU NX Flag and the kernel parameter exec-shield prevents code execution on a per memory page basis. If the CPU supports the NX-Flag then this should be used instead of the kernel parameter exec-shield.'
- flags = parse_config_file('/proc/cpuinfo', assignment_re: /^([^:]*?)\s+:\s+(.*?)$/).flags.to_s.split(' ')
+
 describe '/proc/cpuinfo' do
 it 'Flags should include NX' do
 expect(flags).to include('nx')
 end
 end
+
+ # parse for cpu flags
+ flags = parse_config_file('/proc/cpuinfo', assignment_re: /^([^:]*?)\s+:\s+(.*?)$/).flags
+ flags ||= ''
+ flags = flags.split(' ')
+
 unless flags.include?('nx')
 # if no nx flag is present, we require exec-shield
 describe kernel_parameter('kernel.exec-shield') do
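Review bot: The `expect(flags).to include('nx')` inside the `describe '/proc/cpuinfo'` block now refers to `flags` before any assignment to it appears lexically in the control, so Ruby parses that identifier as a method call rather than a local variable, and the example should fail with `undefined local variable or method 'flags'` when it runs instead of checking the CPU flags. The three new assignment lines (`flags = parse_config_file(...).flags`, `flags ||= ''`, `flags = flags.split(' ')`) need to move back above the `describe '/proc/cpuinfo'` block, which is where the removed one-liner sat; with the assignment in place first, the later `unless flags.include?('nx')` fallback to `kernel.exec-shield` still sees the same array. The removed `.flags.to_s.split(' ')` already covered a missing `flags` key, so the `flags ||= ''` expansion gains nothing over keeping it as a single line. The `control 'sysctl-33'` block begins at the hunk header and continues past the end of the hunk.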