path: root/sec-blueprint/08-Hardening.md
author: Ronan Le Martret <ronan.lemartret@iot.bzh> 2017-07-10 18:01:53 +0200
committer: Ronan Le Martret <ronan.lemartret@iot.bzh> 2017-07-10 18:01:53 +0200
commit: 12682a6df639e61132fb6b4064edf4b931f31579 (patch)
tree: d09369c84f17c4272e0ccd5ff8dd4d9f65618f15 /sec-blueprint/08-Hardening.md
parent: 947042e2e95b108ec798662863bb2ebd658d32d9 (diff)
Fix markdown lint
https://github.com/DavidAnson/markdownlint/blob/v0.5.0/doc/Rules.md
MD012 - Multiple consecutive blank lines
MD014 - Dollar signs used before commands without showing output
MD022 - Headers should be surrounded by blank lines
MD026 - Trailing punctuation in header
MD029 - Ordered list item prefix
MD031 - Fenced code blocks should be surrounded by blank lines
MD032 - Lists should be surrounded by blank lines
MD033 - Inline HTML
MD034 - Bare URL used
Signed-off-by: Ronan Le Martret <ronan.lemartret@iot.bzh>
Diffstat (limited to 'sec-blueprint/08-Hardening.md')
-rw-r--r-- sec-blueprint/08-Hardening.md 295
1 files changed, 141 insertions, 154 deletions
diff --git a/sec-blueprint/08-Hardening.md b/sec-blueprint/08-Hardening.md
index 12be18f..76f9e54 100644
--- a/sec-blueprint/08-Hardening.md
+++ b/sec-blueprint/08-Hardening.md
@@ -11,29 +11,26 @@ layout: techdoc
**Table of Content**
1. TOC
+
{:toc}
-Overview
-========
+# Overview
-Scope
------
+## Scope
The information contained in this document is applicable to systems based
on Automotive Grade Linux.
-Limitations
------------
+## Limitations
-- This document is based on knowledge and research gained from looking
- at security desktop and server versions of Linux as well as Android
- exploits and hardening.
+* This document is based on knowledge and research gained from looking
+ at security desktop and server versions of Linux as well as Android
+ exploits and hardening.
-- Some kernel configuration options can have an impact on performance.
- This will be noted where applicable.­
+* Some kernel configuration options can have an impact on performance.
+ This will be noted where applicable.­
-Document Structure
-------------------
+## Document Structure
This document has been divided into three sections; REQUIREMENTS,
RECOMMENDATIONS, and VALIDATION. The REQUIREMENTS section details
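Review bot: the invisible soft-hyphen character (U+00AD) at the end of `This will be noted where applicable.­` is carried over from the removed line into the added one; since the line is being rewritten anyway, strip it so the sentence ends in a plain period. It is also worth confirming that the blank line inserted between `1. TOC` and `{:toc}` does not detach the kramdown block attribute from the list, as the IAL is associated with the block it directly follows; check that the table of contents still renders with the `techdoc` layout after this change.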
@@ -45,8 +42,7 @@ The third section, VALIDATION, provides reference scripts and test procedures th
can be used to verify adherence with the REQUIREMENTS detailed in the
first section of this guide.
-Hardening
----------
+## Hardening
The term *Hardening* refers to the tools, techniques and processes
required in order to reduce the attack surface on an embedded system,
@@ -70,30 +66,29 @@ and configuration of the root filesystem.
release of user space applications, in order to reduce the number of
attack surfaces used by potential attackers.
-Secure Boot Software Flow Steps
--------------------------------
+## Secure Boot Software Flow Steps
-1. After power on, the processor will perform the verification
- of the Stage 1 boot image, the stage 2 boot image and the Secure
- loader image.
+1. After power on, the processor will perform the verification
+ of the Stage 1 boot image, the stage 2 boot image and the Secure
+ loader image.
- a. If any of the images fail the verification process the device
- will not boot.
+ a. If any of the images fail the verification process the device
+ will not boot.
-2. Upon successful verification of all of the boot and loader images,
+1. Upon successful verification of all of the boot and loader images,
the secure process will initiate the Stage 1 boot process.
-3. The Stage 1 boot process will perform processor initialization, and
- then initiate the Stage 2 boot process.
+1. The Stage 1 boot process will perform processor initialization, and
+ then initiate the Stage 2 boot process.
-4. The Stage 2 boot process will initiate the Secure Loader, which will
- process any customer specific customizations (e.g. front panel
- of ECU, USB based image updates, etc).
+1. The Stage 2 boot process will initiate the Secure Loader, which will
+ process any customer specific customizations (e.g. front panel
+ of ECU, USB based image updates, etc).
-5. The Secure Loader will check to determine if there are any updates
- to be processed. If the update settings indicate that an upgrade
- should occur then the Secure Loader will will determine the correct
- action based on the nature of the upgrades:
+1. The Secure Loader will check to determine if there are any updates
+ to be processed. If the update settings indicate that an upgrade
+ should occur then the Secure Loader will will determine the correct
+ action based on the nature of the upgrades:
a. If the Secure Loader determines that an upgrade was performed
(or attempted), it will initiate the reboot process.
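Review bot: the duplicated word in `should occur then the Secure Loader will will determine the correct` is copied unchanged into the re-bulleted item; drop one `will` while the line is being touched. Switching every item to `1.` (MD029 one-style) also masks the gap in the original numbering (6 jumps to 8), which is fine for rendering, but the `a.`/`b.` sub-steps remain plain indented text rather than a nested list, so renderers will fold them into the parent item's paragraph; a nested list or a hard line break before them would keep them distinct.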
@@ -101,23 +96,22 @@ Secure Boot Software Flow Steps
b. If no upgrades were processed: then the Secure Loader will pass
control back to the Stage 2 boot process for further processing
-6. The Stage 2 boot process will continue with the boot process, by
+1. The Stage 2 boot process will continue with the boot process, by
performing a verification of the kernel image prior to the load of
that image
a. If the kernel image verification fails, the Stage 2 boot loader
will not boot
-8. The Stage 2 boot loader will load the successfully verified kernel
- and boot the linux OS
+1. The Stage 2 boot loader will load the successfully verified kernel
+ and boot the linux OS
-9. The booted Linux OS will perform the normal Linux init sequence
+1. The booted Linux OS will perform the normal Linux init sequence
-10. The Linux init process will start the required applications and
- services as described in the init process and present on the rootfs.
+1. The Linux init process will start the required applications and
+ services as described in the init process and present on the rootfs.
-Requirements
-============
+## Requirements
For the purposes of reference and explanation, we are providing guidance
on how to configure an embedded device that runs with a linux 3. 10.17
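Review bot: `boot the linux OS` keeps the lowercase `linux` while the next item writes `Linux OS`; capitalise it in the rewritten line for consistency. The unchanged context line `linux 3. 10.17` also contains a stray space inside the version number (`3.10.17`) that could be fixed in the same pass.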
@@ -125,8 +119,7 @@ Requirements
These requirements must still be met by manufacturers that
opt to build using an alternative version of the Linux kernel.
-Hardened Boot
--------------
+## Hardened Boot
### Boot image selection
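Review bot: the heading hierarchy becomes inconsistent here. `Requirements` was a top-level (`===`) heading like `Overview`, but `Overview` became `#` while `Requirements` becomes `##`, and its subsection `Hardened Boot` (previously `---`) is also `##`, so the two now render as siblings instead of parent and child. Later in this patch the same subsection under Recommendations becomes `### Hardened Boot`, and Validation is demoted to `### Hardened System` / `#### Image Security Analysis Framework`. Pick one scheme (`#` for Overview, Requirements, Recommendations and Validation, `##` for their subsections, `###` below that) and apply it throughout, otherwise the generated TOC will misplace these sections.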
@@ -145,7 +138,7 @@ feature is available from U-Boot 2013.07 version.
To enable the secure boot feature, enable the following features:
-```
+```bash
CONFIG_FIT: enables support for Flat Image Tree (FIT) uImage format.
CONFIG_FIT_SIGNATURE: enables signature verification of FIT images.
CONFIG_RSA: enables RSA algorithm used for FIT image verifitcation.
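Review bot: tagging this fence `bash` is misleading: the contents are `CONFIG_*: description` lines, not shell, and a highlighter will treat the colon-separated text as a command with arguments. An untagged fence or `text` is more honest for descriptive option lists; the same applies to the other description-only fences retagged `bash` in this patch (the USB config list, the console macros, and the U-Boot `md`/`mm` command list under Recommendations). The context line `verifitcation` is also a typo for `verification`.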
@@ -163,7 +156,7 @@ image. It shall use RSA2048 and SHA256 for authentication.
To disable USB support in U-Boot, following configs shall not be
defined:
-```
+```bash
CONFIG_CMD_USB: enables basic USB support and the usb command
CONFIG_USB_UHCI: defines the lowlevel part.
CONFIG_USB_KEYBOARD: enables the USB Keyboard
@@ -176,7 +169,7 @@ CONFIG_USB_HOST_ETHER: enables USB ethernet adapter support
Serial console output shall be disabled. To disable console output in
U-Boot, set the following macros:
-```
+```bash
CONFIG_SILENT_CONSOLE
CONFIG_SYS_DEVICE_NULLDEV
CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC
@@ -186,7 +179,7 @@ and set “***silent”*** environment variable.
For the Secure loader, disable the traces by undefining the below macro
-```
+```bash
INC_DEBUG_PRINT
```
@@ -222,7 +215,7 @@ default environment variable and not in non-volatile memory.
Remove configuration options related to non-volatile memory such as:
-```
+```bash
#define CONFIG_ENV_IS_IN_MMC
#define CONFIG_ENV_IS_IN_EEPROM
#define CONFIG_ENV_IS_IN_FLASH
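Review bot: these are C preprocessor `#define` lines, so `c` is the accurate fence tag; with `bash` the highlighter will render `#define CONFIG_ENV_IS_IN_MMC` and its siblings as shell comments.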
@@ -239,12 +232,11 @@ Remove configuration options related to non-volatile memory such as:
and include the following definition:
-```
+```bash
#define** CONFIG_ENV_IS_NOWHERE
```
-Kernel Hardening
-----------------
+## Kernel Hardening
The following sub-sections contain information on various kernel
configuration options to enhance the security measures in the kernel
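Review bot: the `**` in `#define** CONFIG_ENV_IS_NOWHERE` is a leftover bold marker; inside a fenced block it renders literally and would produce an invalid directive if copied into a board header. The line should read `#define CONFIG_ENV_IS_NOWHERE`, and, as with the previous hunk, `c` fits this fence better than `bash`.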
@@ -279,7 +271,7 @@ Kernel Hardening
applications, the following kernel option should be set in the
compile-time kernel configuration:
-```
+```bash
CONFIG_DEVKMEM=n
```
@@ -439,6 +431,7 @@ Kernel Hardening
```bash
CONFIG_SWAP=n
+```
### Disable NFS file system
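Review bot: this closing fence deserves a mention in the commit message, because it is more than a lint fix: the `CONFIG_SWAP=n` block was previously unterminated, so everything up to the next opening fence, starting with the `### Disable NFS file system` heading, rendered as code and the intervening headings were missing from the TOC.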
@@ -546,28 +539,23 @@ Kernel Hardening
```bash
CONFIG_MODULE_FORCE_LOAD=n
```
+
### System Services
#### Console & Remote Access
-- The kernel console interfaces shall be disabled. Do not pass any statements
- of the following kind (e.g. console=ttyS0 console=tty0) on the kernel
- command line. All of the console=&lt;interface&gt; statements should be
- stripped and removed from the kernel command line.
-
-- The telnet server shall be disabled.
-
-- Do not start telnetd in init scripts.
-
-- Remove telnetd from the root file system.
-
-- Root login access via the console shall be disabled.
-
-- Do not run shell or getty on /dev/ttySx or /dev/console from
- init scripts.
-
-- Root login access through remote access such as SSH shall
- be disabled or completely removed
+* The kernel console interfaces shall be disabled. Do not pass any statements
+ of the following kind (e.g. console=ttyS0 console=tty0) on the kernel
+ command line. All of the console=&lt;interface&gt; statements should be
+ stripped and removed from the kernel command line.
+* The telnet server shall be disabled.
+* Do not start telnetd in init scripts.
+* Remove telnetd from the root file system.
+* Root login access via the console shall be disabled.
+* Do not run shell or getty on /dev/ttySx or /dev/console from
+ init scripts.
+* Root login access through remote access such as SSH shall
+ be disabled or completely removed
#### Disable *sudo* for other users
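Review bot: `console=&lt;interface&gt;` keeps HTML entities for the angle brackets, which is exactly the inline-HTML pattern (MD033) this patch sets out to remove; wrapping the token in backticks as `console=<interface>` avoids the entities and reads cleanly, and `console=ttyS0 console=tty0` on the line above could be formatted the same way. The final item, `be disabled or completely removed`, still lacks a terminating period.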
@@ -587,46 +575,46 @@ Kernel Hardening
#### User Account Management
- All user accounts shall have strong, non-default passwords. A strong
- password is described to have all of the following attributes:
+All user accounts shall have strong, non-default passwords.
+A strong password is described to have all of the following attributes:
-- At least one upper-case letter
+* At least one upper-case letter
-- At least one numeric character
+* At least one numeric character
-- At least one lower-case letter
+* At least one lower-case letter
-- Password shall be eight or more characters in length
+* Password shall be eight or more characters in length
-- Shall not use a known, common pattern (e.g. Xxxxxxx\#
- or Xxxxxxx\#\#)
+* Shall not use a known, common pattern (e.g. Xxxxxxx\#
+ or Xxxxxxx\#\#)
#### Remove known insecure services
The following legacy services are inherently insecure and should be
avoided:
-- rlogind
+* rlogind
-- rshd
+* rshd
-- rcmd
+* rcmd
-- rexecd
+* rexecd
-- rbootd
+* rbootd
-- rquotad
+* rquotad
-- rstatd
+* rstatd
-- rusersd
+* rusersd
-- rwalld
+* rwalld
-- rhosts
+* rhosts
-- rexd
+* rexd
These services offer insufficient authentication, no encryption, and
are not considered secure. They shall be removed along with their
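Review bot: `A strong password is described to have all of the following attributes:` reads awkwardly now that it stands as its own sentence; `A strong password has all of the following attributes:` (or `shall have`, matching the surrounding requirement language) is clearer. In the list of legacy services below, `rhosts` is not a daemon like the others but the `.rhosts` trust-file mechanism that rlogind and rshd rely on; rewording that item (for example, `rhosts-based trust`) would keep the list coherent as a list of services to remove.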
@@ -640,51 +628,51 @@ Kernel Hardening
non-exhaustive sample of commonly used utilities that are part of the
mtd-utils package:
-- flash\_erase
+* flash\_erase
-- flash\_eraseall
+* flash\_eraseall
-- flashcp
+* flashcp
-- flash\_lock
+* flash\_lock
-- flash\_otp\_dump
+* flash\_otp\_dump
-- flash\_otp\_info
+* flash\_otp\_info
-- flash\_unlock
+* flash\_unlock
-- mkfs.jffs2
+* mkfs.jffs2
-- mkfs.ubifs
+* mkfs.ubifs
-- nanddump
+* nanddump
-- nandtest
+* nandtest
-- nandwrite
+* nandwrite
-- ubiattach
+* ubiattach
-- ubicrc32
+* ubicrc32
-- ubidetach
+* ubidetach
-- ubiformat
+* ubiformat
-- ubimkvol
+* ubimkvol
-- ubinfo
+* ubinfo
-- ubinize
+* ubinize
-- ubirename
+* ubirename
-- ubirmvol
+* ubirmvol
-- ubirsvol
+* ubirsvol
-- ubiupdatevol
+* ubiupdatevol
The mtd-utils package as a whole (including all of its executable
binaries) shall not be present on the file system. Including these
@@ -721,7 +709,6 @@ Kernel Hardening
The following flags shall be used for mounting common filesystems:
-
| Partition | Notes |
|------------------------------|---------------------------------------------------------------------------------------------|
| /boot | Use nosuid and nodev and consider using noexec. |
@@ -734,10 +721,8 @@ Kernel Hardening
| | Note: if CONFIG\_DEVTMPFS\_MOUNT is set then the kernel will mount /dev and will not apply |
| | the nosuid, noexec options. Either disable CONFIG\_DEVTMPFS\_MOUNT or add a remount with |
| | noexec and nosuid options to system startup. |
-
-Recommendations
-===============
+## Recommendations
The following sections detail best practices that should be applied in
order to secure a device.
@@ -746,8 +731,7 @@ requirements, they may be upgraded to requirements status in the future.
In addition, specific operators may change some of these recommendations
into requirements based on their specific needs and objectives.
-Hardened Boot
--------------
+### Hardened Boot
The boot loader consists of the Primary boot loader residing in OTP
memory, sboot, U-Boot and Secure loader residing in external flash (NAND
@@ -762,7 +746,7 @@ Kernel/system image before passing control to it.
In U-Boot, following commands shall be disabled to avoid memory dumps
-```
+```bash
md : Memory Display command
mm : Memory modify command – auto incrementing address
@@ -794,8 +778,7 @@ to be disabled.
Similarly sboot should disable flash access support through command line
if any.
-Hardened System
----------------
+## Hardened System
### Network
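Review bot: within Recommendations, `Hardened Boot` was demoted to `###` earlier in this patch, but `Hardened System` here (and `Kernel Hardening` in the following hunk) becomes `##`, the same level as `## Recommendations` itself, so these sections appear to leave the Recommendations chapter. They should be `### Hardened System` and `### Kernel Hardening` to match `### Hardened Boot`, with `### Network` and the other subsections below them bumped to `####`.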
@@ -805,7 +788,7 @@ Hardened System
enabled services should be restricted to only those described in the
STB’s functional description.
-### Remove or Disable Unnecessary Services, Ports, and Devices.
+### Remove or Disable Unnecessary Services, Ports, and Devices
Services and utilities that do not have a defined purpose on a system
should be removed. If removal is not possible, but the service or
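Review bot: the unchanged context line refers to the `STB's functional description`; STB (set-top box) looks like a leftover from the source document this guide was adapted from and should read the device or ECU in an AGL document. Not something this lint pass needs to fix, but worth a follow-up.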
@@ -829,8 +812,7 @@ Hardened System
Whether or not the filesystems are mounted in userspace(FUSE), restricted
mount options should be observed.
-Kernel Hardening
-----------------
+## Kernel Hardening
The following sub-sections contain information on various kernel
configuration options that will require updating to a newer kernel
@@ -896,6 +878,7 @@ Kernel Hardening
This configuration is
supported in Linux 3.5 and greater and thus should only be disabled
for such versions.
+
```bash
CROSS_MEMORY_ATTACH=n
```
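Review bot: `CROSS_MEMORY_ATTACH=n` lacks the `CONFIG_` prefix that every other Kconfig line in this file carries (`CONFIG_SWAP=n`, `CONFIG_MODULE_FORCE_LOAD=n`, `CONFIG_DEVKMEM=n`); the actual symbol is `CONFIG_CROSS_MEMORY_ATTACH`, and a reader copying the line as written would not disable anything. Since the fence is being touched for MD031 anyway, fixing the symbol here would be cheap.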
@@ -1025,35 +1008,43 @@ applications to avoid stack smashing, buffer overflow attacks.
### Stack Smashing Attacks
- **-fstack-protector-all**
-
- Emit extra code to check for buffer overflows, such as stack smashing
- attacks
+```c
+**-fstack-protector-all**
+```
+
+Emit extra code to check for buffer overflows, such as stack smashing attacks
### Position Independent Executables
- **-pie –fpic**
-
- Produce a position independent executable on targets which supports
- it.
+```c
+**-pie –fpic**:
+```
+
+Produce a position independent executable on targets which supports it.
### Detect Buffer Overflows
- **-D\_FORTIFY\_SOURCE=2**
-
- Helps detect some buffer overflow errors.
+```c
+**-D\_FORTIFY\_SOURCE=2**:
+```
+
+Helps detect some buffer overflow errors.
### Prevent Overwrite Attacks
- **–z,relro**
-
+```c
+**–z,relro**
+```
+
This linking option helps during program load, several ELF memory
sections need to be written by the linker, but can be turned read-only
before turning over control to the program. This prevents some Global
Offset Table GOT overwrite attacks, or in the dtors section of the ELF
binary.
-
- **-z,now**
+
+```c
+**-z,now**
+```
During program load, all dynamic symbols are resolved, allowing for the
complete GOT to be marked read-only (due to -z relro above). This
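Review bot: converting the compiler and linker flags into ```c fences keeps the `**...**` bold markers, the backslash escapes and the trailing colons (`**-pie –fpic**:`, `**-D\_FORTIFY\_SOURCE=2**:`) inside the code, where they now render literally; the fences should contain only the flag, e.g. `-D_FORTIFY_SOURCE=2`. Several flags also use an en dash (`–fpic`, `–z,relro`) in place of `-`, which a compiler driver will not accept, and `-z,relro` / `-z,now` need the `-Wl,` prefix when passed through gcc (`-Wl,-z,relro -Wl,-z,now`). These are command-line flags rather than C source, so an untagged fence or `text` is the better tag.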
@@ -1063,14 +1054,15 @@ resolved, but this shouldn't be an issue for daemons.
### Library linking
- **–static**
+```c
+**–static**
+```
It is recommended that dynamic linking should not be allowed. This will
avoid user from replacing a library with malicious library. All libraries
should be linked statically.
-Removal or Non-Inclusion of Utilities
--------------------------------------
+## Removal or Non-Inclusion of Utilities
Table below lists utilities that are typically present in an embedded
device, along with the normal path of each utility. The table has
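Review bot: same problem as the previous hunk: `**–static**` carries the bold markers and an en dash into the fence and should be plain `-static`. The sentence `This will avoid user from replacing a library with malicious library` is missing its articles; `This prevents a user from replacing a library with a malicious one` reads correctly. Whether mandating static linking is the right recommendation (it also removes the ability to patch a vulnerable shared library in one place) is a content question outside this lint pass, but the section would benefit from a review on that point later.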
@@ -1119,8 +1111,7 @@ utilities are not required by the device then those should be removed.
**sed, awk, cut, df, dmesg, echo, fdisk, grep, mkdir, mount (vfat),
printf, tail, tee, test (directory), test (file)**
-Root Access
-------------
+## Root Access
The main applications, those that provide the principal functionality of
the embedded device, **should not execute** with root identity or any
@@ -1143,7 +1134,7 @@ the same resources at the same time.
Root access **should not be allowed** for the following utilities:
-```
+```bash
login
su
ssh
@@ -1158,8 +1149,7 @@ user accounts.
Switching to elevated privileges shall be allowed in the development
environment via sudo.
-Network Hardening
------------------
+## Network Hardening
### Disable IPv4 Forwarding
@@ -1234,14 +1224,11 @@ Network Hardening
SYN requests with the appropriate SYN+ACK reply, but it does not store
the connection in its backlog queue.
+## Validation
-Validation
-==========
-
-Hardened System
----------------
+### Hardened System
-### Image Security Analysis Framework (ISAFW)
+#### Image Security Analysis Framework (ISAFW)
**meta-security-isafw** is an OE layer that allows enabling the Image
Security Analysis Framework (isafw) for your image builds.
@@ -1251,12 +1238,12 @@ framework for analysing different security aspects of images
during the build process.
The isafw project itself can be found at
- https://github.com/01org/isafw
+ <https://github.com/01org/isafw>
This layer can be added to your builds to produce an analysis report,
including a kernel config analysis.
-### Usage
+#### Usage
In order to enable the isafw during the image build, please add
the following line to your build/conf/local.conf file: