
Oracle EM Grid Control reports the following:

Category: Security
Description: Ensure that the OS configuration parameter, which enables execution of code on the user stack, is not enabled

Official documentation: Oracle® Enterprise Manager Policy Reference Manual 10g Release 5 (10.2.0.5)

5.2 Security Policies
The security policies for the Host target are:
5.2.1 Execute Stack
This policy ensures that the Operating System configuration parameter, which enables execution of code on the user stack, is not enabled.
Policy Summary
The following table lists the policy's main properties.
Severity | Category | Target Type | Versions Affected | Policy Rule Evaluation | Automatically Enabled? | Alert Message |
---|---|---|---|---|---|---|
Warning | Security | Host | All UNIX-Based Operating Systems | The underlying metric is executeStackRep which has a collection frequency of once every 24 hours. | Yes | The host is in an insecure state. Executable code on the user stack is enabled. |
The policy rule is evaluated each time its underlying metric is collected.
Defaults
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Impact of Violation
Enabling code execution on the user stack may allow a malicious user to exploit stack buffer overflows. Overflows can cause portions of a system to fail, or even execute arbitrary code.
Action
Disable code execution on the user stack.
Related links:
The official AIX documentation explains this:
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/stack_exec_disable.htm
There is increasing likelihood of computer systems falling prey to sophisticated attacks, resulting in disruption to the daily operations of businesses and government agencies. While no security measure can provide foolproof protection against attacks, you should deploy multiple security mechanisms to thwart security attacks. This section covers a security mechanism that is used with AIX® to thwart attacks due to buffer overflow based execution.

Security breaches occur in many forms, but one of the most common methods is to monitor the system-provided administrative tools, look for, and exploit buffer overflows. Buffer overflow attacks occur when an internal program buffer is overwritten because data was not properly validated (such as command line, environmental variable, disk or terminal I/O). Attack code is inserted into a running process through the buffer overflow, changing the execution path of the running process. The return address is overwritten and redirected to the inserted-code location.

Common causes of breaches include improper or nonexistent bounds checking, or incorrect assumptions about the validity of data sources. For example, a buffer overflow can occur when a data object is large enough to hold 1 KB of data, but the program does not check the bounds of the input and hence can be made to copy more than 1 KB into that data object.

The intruder's goal is to attack a command and/or tool that provides root privileges to a regular user. Control of the program is gained with all the privileges enabled, permitting overflow of the buffers. Attacks are typically focused on a root owned UID set or programs leading to the execution of a shell, thereby gaining root-based shell access to the system.

You can prevent these attacks by blocking execution of attack code entering through the buffer overflow. Disable execution on the memory areas of a process where execution commonly does not take place (stack and heap memory areas).

Solution:
1. Apply the non-executable patch.
2. For shared libraries or shells that you are familiar with, use execstack to mark them statically, so that they do not occupy the overflow-prone executable stack and heap memory areas.

Usage of execstack:
```
Usage: execstack [OPTION...]
execstack -- program to query or set executable stack flag

  -c, --clear-execstack      Clear executable stack flag bit
  -q, --query                Query executable stack flag bit
  -s, --set-execstack        Set executable stack flag bit
  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version
```
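The flag that `execstack -q` reports lives in the `PT_GNU_STACK` program header of an ELF file, so it can be audited even on hosts where the tool is not installed. The following is an added example, not part of the original post or of the execstack project: it parses that header and returns `X`, `-` or `?` in the same way `-q` does. The function names `query_execstack` and `sample_elf64` are made up here, and the sample image is constructed.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header that records the stack permissions
PF_X = 0x1                 # execute bit in p_flags

def query_execstack(data: bytes) -> str:
    """Mirror `execstack -q`: 'X' executable stack, '-' not executable, '?' unmarked."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    try:
        end = {1: "<", 2: ">"}[data[5]]            # EI_DATA: little or big endian
        if data[4] == 2:                           # EI_CLASS: ELF64
            (phoff,) = struct.unpack_from(end + "Q", data, 32)
            entsize, phnum = struct.unpack_from(end + "HH", data, 54)
            flags_at = 4                           # Elf64_Phdr: p_flags follows p_type
        elif data[4] == 1:                         # EI_CLASS: ELF32
            (phoff,) = struct.unpack_from(end + "I", data, 28)
            entsize, phnum = struct.unpack_from(end + "HH", data, 42)
            flags_at = 24                          # Elf32_Phdr: p_flags is the 7th word
        else:
            raise ValueError("unknown EI_CLASS")
        for i in range(phnum):
            base = phoff + i * entsize
            (p_type,) = struct.unpack_from(end + "I", data, base)
            if p_type == PT_GNU_STACK:
                (p_flags,) = struct.unpack_from(end + "I", data, base + flags_at)
                return "X" if p_flags & PF_X else "-"
    except (KeyError, IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ELF header") from exc
    return "?"                                     # no PT_GNU_STACK marking at all

def sample_elf64(p_flags: int, p_type: int = PT_GNU_STACK) -> bytes:
    """Constructed input: little-endian ELF64 header plus a single program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 16)

if __name__ == "__main__":
    for path in sys.argv[1:]:                      # usage: script.py FILE...
        with open(path, "rb") as fh:
            print(query_execstack(fh.read()), path)
```

Treat `?` as a finding as well as `X`: a binary with no marking leaves the stack permissions to the loader's default rather than explicitly requesting a non-executable stack.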
