| author | Ronan Le Martret <ronan.lemartret@iot.bzh> | 2017-07-10 18:01:53 +0200 |
|---|---|---|
| committer | Ronan Le Martret <ronan.lemartret@iot.bzh> | 2017-07-10 18:01:53 +0200 |
| commit | 12682a6df639e61132fb6b4064edf4b931f31579 (patch) | |
| tree | d09369c84f17c4272e0ccd5ff8dd4d9f65618f15 /sec-blueprint/08-Hardening.md | |
| parent | 947042e2e95b108ec798662863bb2ebd658d32d9 (diff) | |
Fix markdown lint
https://github.com/DavidAnson/markdownlint/blob/v0.5.0/doc/Rules.md
MD012 - Multiple consecutive blank lines
MD014 - Dollar signs used before commands without showing output
MD022 - Headers should be surrounded by blank lines
MD026 - Trailing punctuation in header
MD029 - Ordered list item prefix
MD031 - Fenced code blocks should be surrounded by blank lines
MD032 - Lists should be surrounded by blank lines
MD033 - Inline HTML
MD034 - Bare URL used
Signed-off-by: Ronan Le Martret <ronan.lemartret@iot.bzh>
Diffstat (limited to 'sec-blueprint/08-Hardening.md')
-rw-r--r-- | sec-blueprint/08-Hardening.md | 295 |
1 files changed, 141 insertions, 154 deletions
diff --git a/sec-blueprint/08-Hardening.md b/sec-blueprint/08-Hardening.md index 12be18f..76f9e54 100644 --- a/sec-blueprint/08-Hardening.md +++ b/sec-blueprint/08-Hardening.md @@ -11,29 +11,26 @@ layout: techdoc **Table of Content** 1. TOC + {:toc} -Overview -======== +# Overview -Scope ------ +## Scope The information contained in this document is applicable to systems based on Automotive Grade Linux. -Limitations ------------ +## Limitations -- This document is based on knowledge and research gained from looking - at security desktop and server versions of Linux as well as Android - exploits and hardening. +* This document is based on knowledge and research gained from looking + at security desktop and server versions of Linux as well as Android + exploits and hardening. -- Some kernel configuration options can have an impact on performance. - This will be noted where applicable. +* Some kernel configuration options can have an impact on performance. + This will be noted where applicable. -Document Structure ------------------- +## Document Structure This document has been divided into three sections; REQUIREMENTS, RECOMMENDATIONS, and VALIDATION. The REQUIREMENTS section details @@ -45,8 +42,7 @@ The third section, VALIDATION, provides reference scripts and test procedures th can be used to verify adherence with the REQUIREMENTS detailed in the first section of this guide. -Hardening ---------- +## Hardening The term *Hardening* refers to the tools, techniques and processes required in order to reduce the attack surface on an embedded system, 
@@ -70,30 +66,29 @@ and configuration of the root filesystem. release of user space applications, in order to reduce the number of attack surfaces used by potential attackers. -Secure Boot Software Flow Steps -------------------------------- +## Secure Boot Software Flow Steps -1. After power on, the processor will perform the verification - of the Stage 1 boot image, the stage 2 boot image and the Secure - loader image. +1. After power on, the processor will perform the verification + of the Stage 1 boot image, the stage 2 boot image and the Secure + loader image. - a. If any of the images fail the verification process the device - will not boot. + a. If any of the images fail the verification process the device + will not boot. -2. Upon successful verification of all of the boot and loader images, +1. Upon successful verification of all of the boot and loader images, the secure process will initiate the Stage 1 boot process. -3. The Stage 1 boot process will perform processor initialization, and - then initiate the Stage 2 boot process. +1. The Stage 1 boot process will perform processor initialization, and + then initiate the Stage 2 boot process. -4. The Stage 2 boot process will initiate the Secure Loader, which will - process any customer specific customizations (e.g. front panel - of ECU, USB based image updates, etc). +1. The Stage 2 boot process will initiate the Secure Loader, which will + process any customer specific customizations (e.g. front panel + of ECU, USB based image updates, etc). -5. The Secure Loader will check to determine if there are any updates - to be processed. If the update settings indicate that an upgrade - should occur then the Secure Loader will will determine the correct - action based on the nature of the upgrades: +1. The Secure Loader will check to determine if there are any updates + to be processed. 
If the update settings indicate that an upgrade + should occur then the Secure Loader will will determine the correct + action based on the nature of the upgrades: a. If the Secure Loader determines that an upgrade was performed (or attempted), it will initiate the reboot process. @@ -101,23 +96,22 @@ Secure Boot Software Flow Steps b. If no upgrades were processed: then the Secure Loader will pass control back to the Stage 2 boot process for further processing -6. The Stage 2 boot process will continue with the boot process, by +1. The Stage 2 boot process will continue with the boot process, by performing a verification of the kernel image prior to the load of that image a. If the kernel image verification fails, the Stage 2 boot loader will not boot -8. The Stage 2 boot loader will load the successfully verified kernel - and boot the linux OS +1. The Stage 2 boot loader will load the successfully verified kernel + and boot the linux OS -9. The booted Linux OS will perform the normal Linux init sequence +1. The booted Linux OS will perform the normal Linux init sequence -10. The Linux init process will start the required applications and - services as described in the init process and present on the rootfs. +1. The Linux init process will start the required applications and + services as described in the init process and present on the rootfs. -Requirements -============ +## Requirements For the purposes of reference and explanation, we are providing guidance on how to configure an embedded device that runs with a linux 3. 10.17 @@ -125,8 +119,7 @@ Requirements These requirements must still be met by manufacturers that opt to build using an alternative version of the Linux kernel. -Hardened Boot -------------- +## Hardened Boot ### Boot image selection 
@@ -145,7 +138,7 @@ feature is available from U-Boot 2013.07 version. To enable the secure boot feature, enable the following features: -``` +```bash CONFIG_FIT: enables support for Flat Image Tree (FIT) uImage format. CONFIG_FIT_SIGNATURE: enables signature verification of FIT images. CONFIG_RSA: enables RSA algorithm used for FIT image verifitcation. @@ -163,7 +156,7 @@ image. It shall use RSA2048 and SHA256 for authentication. To disable USB support in U-Boot, following configs shall not be defined: -``` +```bash CONFIG_CMD_USB: enables basic USB support and the usb command CONFIG_USB_UHCI: defines the lowlevel part. CONFIG_USB_KEYBOARD: enables the USB Keyboard @@ -176,7 +169,7 @@ CONFIG_USB_HOST_ETHER: enables USB ethernet adapter support Serial console output shall be disabled. To disable console output in U-Boot, set the following macros: -``` +```bash CONFIG_SILENT_CONSOLE CONFIG_SYS_DEVICE_NULLDEV CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC @@ -186,7 +179,7 @@ and set “***silent”*** environment variable. For the Secure loader, disable the traces by undefining the below macro -``` +```bash INC_DEBUG_PRINT ``` @@ -222,7 +215,7 @@ default environment variable and not in non-volatile memory. Remove configuration options related to non-volatile memory such as: -``` +```bash #define CONFIG_ENV_IS_IN_MMC #define CONFIG_ENV_IS_IN_EEPROM #define CONFIG_ENV_IS_IN_FLASH @@ -239,12 +232,11 @@ Remove configuration options related to non-volatile memory such as: and include the following definition: -``` +```bash #define** CONFIG_ENV_IS_NOWHERE ``` -Kernel Hardening ----------------- +## Kernel Hardening The following sub-sections contain information on various kernel configuration options to enhance the security measures in the kernel @@ -279,7 +271,7 @@ Kernel Hardening applications, the following kernel option should be set in the compile-time kernel configuration: -``` +```bash CONFIG_DEVKMEM=n ``` 
@@ -439,6 +431,7 @@ Kernel Hardening ```bash CONFIG_SWAP=n +``` ### Disable NFS file system @@ -546,28 +539,23 @@ Kernel Hardening ```bash CONFIG_MODULE_FORCE_LOAD=n ``` + ### System Services #### Console & Remote Access -- The kernel console interfaces shall be disabled. Do not pass any statements - of the following kind (e.g. console=ttyS0 console=tty0) on the kernel - command line. All of the console=<interface> statements should be - stripped and removed from the kernel command line. - -- The telnet server shall be disabled. - -- Do not start telnetd in init scripts. - -- Remove telnetd from the root file system. - -- Root login access via the console shall be disabled. - -- Do not run shell or getty on /dev/ttySx or /dev/console from - init scripts. - -- Root login access through remote access such as SSH shall - be disabled or completely removed +* The kernel console interfaces shall be disabled. Do not pass any statements + of the following kind (e.g. console=ttyS0 console=tty0) on the kernel + command line. All of the console=<interface> statements should be + stripped and removed from the kernel command line. +* The telnet server shall be disabled. +* Do not start telnetd in init scripts. +* Remove telnetd from the root file system. +* Root login access via the console shall be disabled. +* Do not run shell or getty on /dev/ttySx or /dev/console from + init scripts. +* Root login access through remote access such as SSH shall + be disabled or completely removed #### Disable *sudo* for other users 
@@ -587,46 +575,46 @@ Kernel Hardening #### User Account Management - All user accounts shall have strong, non-default passwords. A strong - password is described to have all of the following attributes: +All user accounts shall have strong, non-default passwords. +A strong password is described to have all of the following attributes: -- At least one upper-case letter +* At least one upper-case letter -- At least one numeric character +* At least one numeric character -- At least one lower-case letter +* At least one lower-case letter -- Password shall be eight or more characters in length +* Password shall be eight or more characters in length -- Shall not use a known, common pattern (e.g. Xxxxxxx\# - or Xxxxxxx\#\#) +* Shall not use a known, common pattern (e.g. Xxxxxxx\# + or Xxxxxxx\#\#) #### Remove known insecure services The following legacy services are inherently insecure and should be avoided: -- rlogind +* rlogind -- rshd +* rshd -- rcmd +* rcmd -- rexecd +* rexecd -- rbootd +* rbootd -- rquotad +* rquotad -- rstatd +* rstatd -- rusersd +* rusersd -- rwalld +* rwalld -- rhosts +* rhosts -- rexd +* rexd These services offer insufficient authentication, no encryption, and are not considered secure. They shall be removed along with their 
@@ -640,51 +628,51 @@ Kernel Hardening non-exhaustive sample of commonly used utilities that are part of the mtd-utils package: -- flash\_erase +* flash\_erase -- flash\_eraseall +* flash\_eraseall -- flashcp +* flashcp -- flash\_lock +* flash\_lock -- flash\_otp\_dump +* flash\_otp\_dump -- flash\_otp\_info +* flash\_otp\_info -- flash\_unlock +* flash\_unlock -- mkfs.jffs2 +* mkfs.jffs2 -- mkfs.ubifs +* mkfs.ubifs -- nanddump +* nanddump -- nandtest +* nandtest -- nandwrite +* nandwrite -- ubiattach +* ubiattach -- ubicrc32 +* ubicrc32 -- ubidetach +* ubidetach -- ubiformat +* ubiformat -- ubimkvol +* ubimkvol -- ubinfo +* ubinfo -- ubinize +* ubinize -- ubirename +* ubirename -- ubirmvol +* ubirmvol -- ubirsvol +* ubirsvol -- ubiupdatevol +* ubiupdatevol The mtd-utils package as a whole (including all of its executable binaries) shall not be present on the file system. Including these @@ -721,7 +709,6 @@ Kernel Hardening The following flags shall be used for mounting common filesystems: - | Partition | Notes | |------------------------------|---------------------------------------------------------------------------------------------| | /boot | Use nosuid and nodev and consider using noexec. | @@ -734,10 +721,8 @@ Kernel Hardening | | Note: if CONFIG\_DEVTMPFS\_MOUNT is set then the kernel will mount /dev and will not apply | | | the nosuid, noexec options. Either disable CONFIG\_DEVTMPFS\_MOUNT or add a remount with | | | noexec and nosuid options to system startup. | - -Recommendations -=============== +## Recommendations The following sections detail best practices that should be applied in order to secure a device. 
@@ -746,8 +731,7 @@ requirements, they may be upgraded to requirements status in the future. In addition, specific operators may change some of these recommendations into requirements based on their specific needs and objectives. -Hardened Boot -------------- +### Hardened Boot The boot loader consists of the Primary boot loader residing in OTP memory, sboot, U-Boot and Secure loader residing in external flash (NAND @@ -762,7 +746,7 @@ Kernel/system image before passing control to it. In U-Boot, following commands shall be disabled to avoid memory dumps -``` +```bash md : Memory Display command mm : Memory modify command – auto incrementing address @@ -794,8 +778,7 @@ to be disabled. Similarly sboot should disable flash access support through command line if any. -Hardened System ---------------- +## Hardened System ### Network @@ -805,7 +788,7 @@ Hardened System enabled services should be restricted to only those described in the STB’s functional description. -### Remove or Disable Unnecessary Services, Ports, and Devices. +### Remove or Disable Unnecessary Services, Ports, and Devices Services and utilities that do not have a defined purpose on a system should be removed. If removal is not possible, but the service or @@ -829,8 +812,7 @@ Hardened System Whether or not the filesystems are mounted in userspace(FUSE), restricted mount options should be observed. -Kernel Hardening ----------------- +## Kernel Hardening The following sub-sections contain information on various kernel configuration options that will require updating to a newer kernel @@ -896,6 +878,7 @@ Kernel Hardening This configuration is supported in Linux 3.5 and greater and thus should only be disabled for such versions. + ```bash CROSS_MEMORY_ATTACH=n ``` 
@@ -1025,35 +1008,43 @@ applications to avoid stack smashing, buffer overflow attacks. ### Stack Smashing Attacks - **-fstack-protector-all** - - Emit extra code to check for buffer overflows, such as stack smashing - attacks +```c +**-fstack-protector-all** +``` + +Emit extra code to check for buffer overflows, such as stack smashing attacks ### Position Independent Executables - **-pie –fpic** - - Produce a position independent executable on targets which supports - it. +```c +**-pie –fpic**: +``` + +Produce a position independent executable on targets which supports it. ### Detect Buffer Overflows - **-D\_FORTIFY\_SOURCE=2** - - Helps detect some buffer overflow errors. +```c +**-D\_FORTIFY\_SOURCE=2**: +``` + +Helps detect some buffer overflow errors. ### Prevent Overwrite Attacks - **–z,relro** - +```c +**–z,relro** +``` + This linking option helps during program load, several ELF memory sections need to be written by the linker, but can be turned read-only before turning over control to the program. This prevents some Global Offset Table GOT overwrite attacks, or in the dtors section of the ELF binary. - - **-z,now** + +```c +**-z,now** +``` During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to -z relro above). This @@ -1063,14 +1054,15 @@ resolved, but this shouldn't be an issue for daemons. ### Library linking - **–static** +```c +**–static** +``` It is recommended that dynamic linking should not be allowed. This will avoid user from replacing a library with malicious library. All libraries should be linked statically. -Removal or Non-Inclusion of Utilities -------------------------------------- +## Removal or Non-Inclusion of Utilities Table below lists utilities that are typically present in an embedded device, along with the normal path of each utility. The table has 
@@ -1119,8 +1111,7 @@ utilities are not required by the device then those should be removed. **sed, awk, cut, df, dmesg, echo, fdisk, grep, mkdir, mount (vfat), printf, tail, tee, test (directory), test (file)** -Root Access ------------- +## Root Access The main applications, those that provide the principal functionality of the embedded device, **should not execute** with root identity or any @@ -1143,7 +1134,7 @@ the same resources at the same time. Root access **should not be allowed** for the following utilities: -``` +```bash login su ssh @@ -1158,8 +1149,7 @@ user accounts. Switching to elevated privileges shall be allowed in the development environment via sudo. -Network Hardening ------------------ +## Network Hardening ### Disable IPv4 Forwarding @@ -1234,14 +1224,11 @@ Network Hardening SYN requests with the appropriate SYN+ACK reply, but it does not store the connection in its backlog queue. +## Validation -Validation -========== - -Hardened System ---------------- +### Hardened System -### Image Security Analysis Framework (ISAFW) +#### Image Security Analysis Framework (ISAFW) **meta-security-isafw** is an OE layer that allows enabling the Image Security Analysis Framework (isafw) for your image builds. @@ -1251,12 +1238,12 @@ framework for analysing different security aspects of images during the build process. The isafw project itself can be found at - https://github.com/01org/isafw + <https://github.com/01org/isafw> This layer can be added to your builds to produce an analysis report, including a kernel config analysis. -### Usage +#### Usage In order to enable the isafw during the image build, please add the following line to your build/conf/local.conf file: |