Question posted in 
I am setting up my own web server at home using Ubuntu 22.04 and trying to understand a setting. I am trying to learn about securing/hardening the system and I am getting a little confused about a setting in the sysctl.conf file.
I understand that it is a good idea to secure the kernel.exec-shield setting and see that it can be assigned four different values: 0-3.
I can understand that 0 always disables it while 3 always enables it. I am just a little confused about setting it to either 1 or 2. I have seen that it should be used along with kernel.randomize_va_space
From my research, I have seen that both should be set to 1. Going through the /etc/sysctl.conf file, it says to set both to either 1 0r 2. Setting it to 1 disables it except binaries that enable it while 2 enables it except binaries that disable it.
So, what I would like to know is shouldn’t both be set to 2?
If someone could please explain if I should set both to 1 or 2 and why I should do this.
Thanks for your replies.
2
Answers
The Exec-Shield can no longer be managed via sysctl, it is enabled by default with no option to disable. In older systems the kernel.exec-shield key had a value of 1 to enable it and 0 to disable it. To know if your CPU support NX protection you could do
and watch for nx in flags.
If your CPU has the NX feature you don’t have do do nothing. Exec-Shield is for NX emulation in the kernel. You should read this about Non-Executable Memory in Ubuntu.
The randomize_va_space controls Address Space Layout Randomization (ASLR) that is used in preventing exploitation of memory corruption vulnerabilities like buffer overflow attacks. There is a little old but good artice that explains this.
If you want to know all the Ububtu security features there is a Matrix with them.
The Exec-Shield can no longer be managed via sysctl, it is enabled by default with no option to disable. In older systems the kernel.exec-shield key had a value of 1 to enable it and 0 to disable it. To know if your CPU support NX protection you could do