Date: Mon, 3 Mar 2014 14:16:24 -0500
Message-ID: <CAD7fdYtN0AK2qSHzCgy_ggcTnh42Xzm2+E3CCp+zFXOKqi2MSg@mail.gmail.com>
Subject: Re: OEM Policy Violation for Execute Stack
From: Jay Hostetter <hostetter.jay@gmail.com>
To: David Roberts <big.dave.roberts@googlemail.com>
Cc: oracle-l-freelists <oracle-l@freelists.org>
Content-Type: multipart/alternative; boundary=089e01493f10a21a1f04f3b89fcf
--089e01493f10a21a1f04f3b89fcf
Content-Type: text/plain; charset=ISO-8859-1

Thank you David.


On Sun, Mar 2, 2014 at 4:29 PM, David Roberts <
big.dave.roberts@googlemail.com> wrote:

> I think that this explains it to a greater depth than I understand it:
> http://en.wikipedia.org/wiki/NX_bit
>
> Which I found via this bilingual page:
> http://m.blog.csdn.net/blog/anddyhua/9174609
>
> As I understand it, some chips enable segregation of code from data in
> hardware as a way to eliminate buffer overrun security issues.
>
> For this to be most effective the operating system needs to make sure that
> the data written to the stack is located in an area that the chip
> understands as data and should never be executed.
>
> HTH.
>
> Dave
>
>
> On Wed, Feb 26, 2014 at 2:08 PM, Jay Hostetter <hostetter.jay@gmail.com> wrote:
>
>> I inherited an environment, and I am going through the various policy
>> violations in OEM (11.1.0.1).  The target databases are primarily
>> 11.2.0.3.  All of my hosts have a policy violation "warning" for the
>> "Execute Stack" policy, which says to "Ensure that the OS configuration
>> parameter, which enables execution of code on the user stack, is not
>> enabled."  I have been searching docs, Oracle Support, and the internet,
>> but have found almost nothing which tells me more specifics about this
>> check.  The underlying metric is "executeStackRep".  The host OS is SUSE
>> Linux Enterprise 11.  I'd appreciate it if anyone could point me in the
>> right direction for understanding this warning.
>>
>> Thank you,
>> Jay
>>
>
>

--089e01493f10a21a1f04f3b89fcf--
--
http://www.freelists.org/webpage/oracle-l
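
The thread does not say what OEM's "executeStackRep" metric inspects, so the following is an added example, not part of the original messages and not Oracle's check. It shows the two generic places an x86 Linux host exposes the behaviour David describes: the `nx` CPU flag in `/proc/cpuinfo` and the permissions of each process's `[stack]` mapping in `/proc/<pid>/maps`. The function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (names and samples are constructed): NX and executable-stack checks.

# Succeeds if /proc/cpuinfo-format text on stdin lists the "nx" CPU flag.
cpu_has_nx() {
    awk -F: '$1 ~ /^flags[ \t]*$/ {
                 n = split($2, f, " ")
                 for (i = 1; i <= n; i++) if (f[i] == "nx") found = 1
             }
             END { exit found ? 0 : 1 }'
}

# Prints the permission field (rw-p, rwxp, ...) of the [stack] mapping
# from /proc/<pid>/maps-format text on stdin.
stack_perms() {
    awk '$NF == "[stack]" { print $2; exit }'
}

# Succeeds if the [stack] mapping on stdin has the execute bit set.
stack_is_executable() {
    case "$(stack_perms)" in
        ??x?) return 0 ;;
        *)    return 1 ;;
    esac
}

# Live check: report NX support and every readable process with an executable stack.
audit_host() {
    if cpu_has_nx < /proc/cpuinfo; then echo "cpu: nx flag present"
    else echo "cpu: nx flag absent (unsupported or disabled)"; fi
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        if cat "$m" 2>/dev/null | stack_is_executable; then
            echo "pid $pid: executable stack"
        fi
    done
}

# Constructed samples in the /proc formats, so the parsers can be tried offline.
SAMPLE_CPUINFO='flags : fpu vme de pse tsc msr pae mce cx8 sse sse2 syscall nx lm'
SAMPLE_CPUINFO_NO_NX='flags : fpu vme de pse tsc msr mce cx8 sse sse2 syscall lm'
SAMPLE_MAPS_OK='00400000-0040c000 r-xp 00000000 08:01 131 /bin/cat
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]'
SAMPLE_MAPS_BAD='00400000-0040c000 r-xp 00000000 08:01 131 /opt/legacy/app
7ffe2a000000-7ffe2a021000 rwxp 00000000 00:00 0 [stack]'

# "--live" audits the running host; otherwise parse one constructed sample.
if [ "${1:-}" = "--live" ]; then audit_host; else
    printf '%s\n' "$SAMPLE_MAPS_BAD" | stack_perms   # prints rwxp
fi
```

Run with `--live` as root to cover every process; unprivileged runs only see the maps files the caller may read.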


