FPT_ASLR_EXT.1.1 - permit no kernel ASLR?

[jeffblank]

allow as selection?

[kgal]

Verified to exist in OSX, Linux, Windows. Not verified in Solaris.

[ajcousi]

It's in Solaris 11 http://docs.oracle.com/cd/E26502_01/html/E29015/concept-13.html#concept-aslr-1

http://docs.oracle.com/cd/E36784_01/html/E36837/conf-aslr.html

Not sure how to check that the "system wide" setting does KASLR though :(

[kgal]

I don't see kernel ASLR in that document, just ASLR and how ASLR pertains to zones.

[alexbarclay]

Solaris 11 does not have Kernel ASLR support.

There are valid criticisms re: KASLR - see https://forums.grsecurity.net/viewtopic.php?f=7&t=3367. What's the security goal and threat model for this requirement?

[kgal]

As these criticisms seem valid, I've broken out KASLR into a separate optional requirement.