On OpenBSD:
I want to harden an OpenBSD install. For this imho:
sysctl -w kern.wxabort=1
would be more secure, the default is 0.
W^X violations are no longer permitted by default. A kernel log message
is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag
kern.wxabort is set then a SIGABRT occurs instead, for gdb use or
coredump creation.
so:
SIGABRT Abnormal termination
ENOTSUP Operation not supported (POSIX.1)
So for me (not a programmer) this means that maybe SIGABRT is better, since it will kill (?) the process, not just an informational message. From a security perspective, killing the badly behaving process is more secure.
Question: Is this true? Is using SIGABRT more secure? Does SIGABRT really kill the process? Or are they (SIGABRT vs. ENOTSUP) almost the same and don't kill the process?
Preventing the operation is where you get security. Killing the process is bonus punishment. We're talking about processes not people, though, so punishment isn't necessary.
The question is whether the processes you're interested in handle errors well. If getting an error code back causes them to derail and do undesirable things, then you may want to send them a signal. Or, as the documentation says, if you want a coredump or want to break in with a debugger, SIGABRT would be useful.
Keep in mind that SIGABRT can be caught. Processes can ignore the signal if they want.
Bottom line, there's no real added security from enabling this option.
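To make the "handles errors well" point concrete, here is an added example (not part of the original question or answer) of a program that checks the result of a writable+executable mmap request and, when the kernel refuses it, uses a W^X-compliant sequence instead. The names probe_wx and map_then_seal and the sample buffer are constructed for this illustration.

```c
#define _DEFAULT_SOURCE            /* for MAP_ANON on glibc; ignored elsewhere */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

enum wx_result { WX_ALLOWED = 0, WX_REFUSED = 1 };

/* Request a mapping that is writable and executable at the same time.
 * With kern.wxabort=0 the page says mmap fails with ENOTSUP, so the caller
 * gets WX_REFUSED and the errno in *err. With kern.wxabort=1 the page says
 * SIGABRT is delivered instead. Systems that do not enforce W^X grant the
 * mapping and this returns WX_ALLOWED. */
enum wx_result probe_wx(size_t len, int *err)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;              /* save before any other call clobbers it */
        return WX_REFUSED;
    }
    *err = 0;
    munmap(p, len);
    return WX_ALLOWED;
}

/* W^X-compliant path: map read+write, fill, then switch to read+exec.
 * The region is never writable and executable at once.
 * Returns 0 and stores the mapping in *out, or -1 on failure. */
int map_then_seal(const void *src, size_t len, void **out)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, src, len);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) == -1) {
        munmap(p, len);
        return -1;
    }
    *out = p;
    return 0;
}

int main(void)
{
    static const unsigned char sample[4096] = {0}; /* constructed data, never executed */
    int err; void *p = NULL;
    if (probe_wx(sizeof sample, &err) == WX_REFUSED)
        fprintf(stderr, "W|X refused: %s; using RW then RX\n", strerror(err));
    return map_then_seal(sample, sizeof sample, &p) == 0 ? 0 : 1;
}
```

A program written this way keeps working under either sysctl setting as long as it never asks for write and execute together; one that ignores the mmap return value is the kind that can "derail" on the error code.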