Description
This article describes how to check Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) status on the FortiGate.
Solution
FortiOS has this features enabled on most of the devices (except low end units).
FortiOS fulfills this requirements starting from 5.4.0 (ASLR) and 5.4.1 (DEP)).
Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) can be checked with the following in the CLI:
[ASLR]
# fnsysctl cat /proc/sys/kernel/randomize_va_space
2
(2 random all, 0 disable aslr, 1 partially random)
[DEP]
Two types of DEP are used - hardware-enforced and software-emulated for units with INTEL processors, software-emulated for System On a Chip (SOC) units.
DEP hardware-enforced - (INTEL Cores have NX flag, for VM the value is inherited from the physical server CPU) can be checked with:
# fnsysctl cat /proc/cpuinfo
flags : ... nx ...
DEP software-emulated - check x (execute) in the stack line for each PID associated with running processes (no X in stack means no execution rights - Stack protection ok)
Get pid for running processes with:
fnsysctl ps
PID UID GID STATE CMD
1 0 0 S /bin/initXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2 0 0 S [kthreadd]
3 0 0 S [ksoftirqd/0]
4 0 0 S [kworker/0:0]
6 0 0 S [migration/0]
7 0 0 S [migration/1]
9 0 0 S [ksoftirqd/1]
10 0 0 S [migration/2]
11 0 0 S [kworker/2:0]
Replace <pid> in the following command with the associated PID value column from the output above - ensure no x bit set in the [stack] line.
# fnsysctl cat /proc/<pid>/maps
Ex: fnsysctl cat /proc/1/maps
7fff8d6c8000-7fff8d6e9000 rw-p 00000000 00:00 0 [stack]
Related linux kernel support for DEP and ASLR.
https://docs.oracle.com/html/E36387_03/ol_kernel_sec.html
