fix markdown sec-blueprint

Signed-off-by: Ronan <ronan.lemartret@iot.bzh>

1 files changed, 139 insertions, 115 deletions

diff --git a/sec-blueprint/08-Hardening.md b/sec-blueprint/08-Hardening.md
index 7a6077b..8e2b582 100644
--- a/sec-blueprint/08-Hardening.md
+++ b/sec-blueprint/08-Hardening.md
@@ -14,7 +14,7 @@ Limitations
     at security desktop and server versions of Linux as well as Android
     exploits and hardening.
 
--   Some kernel configuration options can have an impact on performance.
+-   Some kernel configuration options can have an impact on performance.  
     This will be noted where applicable.­
 
 Document Structure
@@ -23,9 +23,10 @@ Document Structure
 This document has been divided into three sections; REQUIREMENTS,
 RECOMMENDATIONS, and VALIDATION. The REQUIREMENTS section details
 explicit requirements that must be adhered to for the embedded
-device**.** The RECOMMENDATIONS section details best practices, and some
-recommended security settings for the embedded device. The third
-section, VALIDATION, provides reference scripts and test procedures that
+device.  
+The RECOMMENDATIONS section details best practices, and some
+recommended security settings for the embedded device.   
+The third section, VALIDATION, provides reference scripts and test procedures that
 can be used to verify adherence with the REQUIREMENTS detailed in the
 first section of this guide.
 
@@ -34,11 +35,11 @@ Hardening
 
 The term *Hardening* refers to the tools, techniques and processes
 required in order to reduce the attack surface on an embedded system,
-such as an embedded control unit (ECU) or other managed device. The
-target for all hardening activities is to prevent the execution of
+such as an embedded control unit (ECU) or other managed device.  
+The target for all hardening activities is to prevent the execution of
 invalid binaries on the device, and to prevent copying of security
-related data from the device. There are three main areas of focus for
-hardening an embedded device:
+related data from the device.  
+There are three main areas of focus for hardening an embedded device:
 
 
 Requirements
@@ -46,7 +47,8 @@ Requirements
 
   For the purposes of reference and explanation, we are providing guidance
   on how to configure an embedded device that runs with a linux 3. 10.17
-  Linux kernel. These requirements must still be met by manufacturers that
+  Linux kernel.  
+  These requirements must still be met by manufacturers that
   opt to build using an alternative version of the Linux kernel.
 
 Kernel Hardening
@@ -55,17 +57,18 @@ Kernel Hardening
   The following sub-sections contain information on various kernel
   configuration options to enhance the security measures in the kernel
   and also for applications compiled to take advantage of these security
-  features. Additionally, there are also configuration options that
-  close known vulnerable configuration options. Here’s a high level
-  summary of various kernel configurations that shall be required for
-  deployment.
+  features.  
+  Additionally, there are also configuration options that
+  close known vulnerable configuration options.  
+  Here’s a high level summary of various kernel configurations that 
+  shall be required for deployment.
 
 ### Disable the serial console
 
   The serial console should be disabled to prevent an attacker from
   accessing this powerful interface.
 
-```
+```bash
   CONFIG_SERIAL_8250=n
   CONFIG_SERIAL_8250_CONSOLE=n
   CONFIG_SERIAL_CORE=n
@@ -75,7 +78,8 @@ Kernel Hardening
 ### Restrict access to kernel memory through device file
 
   The /dev/kmem file in Linux systems is directly mapped to kernel
-  virtual memory. This can be disastrous if an attacker gains root
+  virtual memory.  
+  This can be disastrous if an attacker gains root
   access, as the attacker would have direct access to kernel virtual
   memory.
 
@@ -94,14 +98,14 @@ Kernel Hardening
 
   The kernel command-line is used to control many aspects of the booting
   kernel, and is prone to tampering as they are passed in RAM with
-  little to no reverse validation on these parameters. To prevent this
-  type of attack, the kernel shall be configured to ignore command line
+  little to no reverse validation on these parameters.  
+  To prevent this type of attack, the kernel shall be configured to ignore command line
   arguments, and use pre-configured (compile time) options instead.
 
   Set the kernel command line in the CONFIG\_CMDLINE KConfig item and
   then pass no arguments from the bootloader.
 
-```
+```bash
   CONFIG_CMDLINE_BOOL=y
   CONFIG_CMDLINE=”<*insert kernel command line here*>”
   CONFIG_CMDLINE_OVERRIDE=y
@@ -117,13 +121,14 @@ Kernel Hardening
   Debug symbols should always be removed from production kernels as they
   provide a lot of information to attackers.
 
-```
+```bash
   CONFIG_DEBUG_INFO=n
 ```
 
   These kernel debug symbols are enabled by other config items in the
-  kernel. Care should be taken to disable those also. If
-  CONFIG\_DEBUG\_INFO cannot be disabled then enabling
+  kernel.  
+  Care should be taken to disable those also.  
+  If CONFIG\_DEBUG\_INFO cannot be disabled then enabling
   CONFIG\_DEBUG\_INFO\_REDUCED is second best.
 
 ### Disable access to a kernel core dump
@@ -132,7 +137,7 @@ Kernel Hardening
   user space -- if enabled it gives attackers a useful view into kernel
   memory.
 
-```
+```bash
   CONFIG_PROC_KCORE=n
 ```
 
@@ -140,40 +145,42 @@ Kernel Hardening
 
   The Linux kernel supports KGDB over USB and console ports. These
   mechanisms are controlled by the kgdbdbgp and kgdboc kernel
-  command-line parameters. It is important to ensure that no shipping
+  command-line parameters.  
+  It is important to ensure that no shipping
   product contains a kernel with KGDB compiled-in.
 
-```
+```bash
   CONFIG_KGDB=n
 ```
 
 ### Disable Kprobes
 
   Kprobes enables you to dynamically break into any kernel routine and
-  collect debugging and performance information non-disruptively. You
-  can trap at almost any kernel code address, specifying a handler
+  collect debugging and performance information non-disruptively.  
+  You can trap at almost any kernel code address, specifying a handler
   routine to be invoked when the breakpoint is hit.
 
-```
+```bash
   CONFIG_KPROBES=n
 ```
 
 ### Disable Tracing
 
-  FTrace enables the kernel to trace every kernel function. Providing kernel
-  trace functionality would assist an attacker in discovering attack vectors.
+  FTrace enables the kernel to trace every kernel function.  
+  Providing kernel trace functionality would assist an attacker in discovering attack vectors.
 
-```
+```bash
   CONFIG_FTRACE=n
 ```
 
 ### Disable Profiling
 
   Profiling and OProfile enables profiling the whole system, include the kernel,
-  kernel modules, libraries, and applications.Providing profiling functionality
+  kernel modules, libraries, and applications.  
+  Providing profiling functionality
   would assist an attacker in discovering attack vectors.
 
-```
+```bash
   CONFIG_OPROFILE=n
   CONFIG_PROFILING=n
 ```
@@ -181,12 +188,12 @@ Kernel Hardening
 ### Disable magic sysrq support
 
   On a few architectures, you can access a powerful debugger interface
-  from the keyboard. The same powerful interface can be present on the
-  serial console – responding to serial break – of Linux on other
-  architectures. Disable to avoid potentially exposing this powerful
-  backdoor.
+  from the keyboard.  
+  The same powerful interface can be present on the serial console 
+  – responding to serial break – of Linux on other architectures.  
+  Disable to avoid potentially exposing this powerful backdoor.
 
-```
+```bash
   CONFIG_MAGIC_SYSRQ=n
 ```
 
@@ -196,37 +203,39 @@ Kernel Hardening
   Programming (ROP) when trying to determine the effectives of an
   exploit.
 
-```
+```bash
   CONFIG_DEBUG_BUGVERBOSE=n
 ```
 
 ### Disable kexec
 
-  This prevents someone who gets root from supplanting the kernel. This
-  can be used as a way to bypass signed kernels.
+  This prevents someone who gets root from supplanting the kernel.  
+  This can be used as a way to bypass signed kernels.
 
-```
+```bash
   CONFIG_KEXEC=n
 ```
 
 ### Disable kernel IP autoconfiguration
 
   It is preferable to have IP configuration performed using a user-space
-  tool as these tend to have more validation. We do not want the network
+  tool as these tend to have more validation.  
+  We do not want the network
   interface coming up until the system has come up properly.
 
-```
+```bash
   CONFIG_IP_PNP=n
 ```
 
 ### Disable /proc/config.gz
 
   It is extremely important to not expose the kernel configuration used
-  on a production device to a potential attacker. With access to the
+  on a production device to a potential attacker.  
+  With access to the
   kernel config, it could be possible for an attacker to build a custom
   kernel for the device that may disable critical security features.
 
-```
+```bash
   CONFIG_IKCONFIG=n
 ```
 
@@ -236,17 +245,17 @@ Kernel Hardening
   the memory subsystem and then scour the pages written to swap for
   useful information.
 
-```
+```bash
   CONFIG_SWAP=n
 ```
 
 ### Disable namespace support
 
   Do not allow namespace support to prevent duplicates of dev nodes,
-  pids and mount points. This may be used in virtualization and
-  container solutions like LXC, so in some cases it cannot be disabled.
+  pids and mount points.  
+  This may be used in virtualization and container solutions like LXC, so in some cases it cannot be disabled.
 
-```
+```bash
   CONFIG_NAMESPACES=n
 ```
 
@@ -256,7 +265,7 @@ Kernel Hardening
   builds this can be a very useful way for an attacker to get files onto
   and off of an STB.
 
-```
+```bash
   CONFIG_NFSD=n
   CONFIG_NFS_FS=n
 ```
@@ -264,25 +273,26 @@ Kernel Hardening
 ### Disable support for binary formats other than ELF
 
   This will make possible to plug wrapper-driven binary formats into
-  the kernel. It enables support for binary formats other than ELF. Providing
-  the ability to use alternate interpreters would assist an attacker in
+  the kernel.  
+  It enables support for binary formats other than ELF.  
+  Providing the ability to use alternate interpreters would assist an attacker in
   discovering attack vectors
 
-```
+```bash
   CONFIG_BINFMT_MISC=n
 ```
 
 ### Disable “Load All Symbols”
 
   There is a /proc/kallsyms file which exposes the kernel memory space
-  address of many kernel symbols (functions, variables, etc.). This
-  information is useful to attackers in identifying kernel
+  address of many kernel symbols (functions, variables, etc.).  
+  This information is useful to attackers in identifying kernel
   versions/configurations and in preparing payloads for exploits of
   kernel space.
 
   Both KALLSYMS\_ALL and KALLSYMS shall be disabled;
 
-```
+```bash
   CONFIG_KALLSYMS=n
   CONFIG_KALLSYMS_ALL=n
 ```
@@ -290,17 +300,18 @@ Kernel Hardening
 ### Disable Kernel Debugging
 
   There are development-only branches of code in the kernel enabled by
-  the DEBUG\_KERNEL conf. This should be disabled to compile-out these
-  branches.
+  the DEBUG\_KERNEL conf.  
+  This should be disabled to compile-out these branches.
 
-```
+```bash
   CONFIG_DEBUG_KERNEL=n
 ```
 
   In some kernel versions, disabling this requires also disabling
   CONFIG\_EMBEDDED, and CONFIG\_EXPERT Disabling CONFIG\_EXPERT makes it
   impossible to disable \_COREDUMP, DEBUG\_BUGVERBOSE, \_NAMESPACES,
-  \_KALLSYMS and \_BUG. In which case it is better to leave this enabled
+  \_KALLSYMS and \_BUG.  
+  In which case it is better to leave this enabled
   than enable the others.
 
 ### Disable the kernel debug filesystem
@@ -308,7 +319,7 @@ Kernel Hardening
   The kernel debug filesystem presents a lot of useful information and
   means of manipulation of the kernel to an attacker.
 
-```
+```bash
   CONFIG_DEBUG_FS=n
 ```
 
@@ -318,7 +329,7 @@ Kernel Hardening
   and WARNs in kernel space, making it easier for attackers to develop
   exploits.
 
-```
+```bash
   CONFIG_BUG=n
 ```
 
@@ -327,7 +338,7 @@ Kernel Hardening
   Enabling this will result in code being included that is hard to
   maintain and not well tested.
 
-```
+```bash
   CONFIG_SYSCTL_SYSCALL=n
 ```
 
@@ -335,23 +346,23 @@ Kernel Hardening
 
 ### Disable module unloading
 
-  This stops an attacker unloading security focused kernel modules. It
-  will also prevent the attacker from removing evidence of any attempted
+  This stops an attacker unloading security focused kernel modules.  
+  It will also prevent the attacker from removing evidence of any attempted
   kernel tampering that may have been initiated by loading of a kernel
   module.
 
-```
+```bash
   CONFIG_MODULE_UNLOAD=n
 ```
 
 ### Disable Forced Module Loading
 
   If enabled, then modules without version information or with
-  mismatched version information may be forcibly loaded into the kernel.
+  mismatched version information may be forcibly loaded into the kernel.  
   Disabling this configuration forces the attackers to build modules
   with matched kernel sources and configuration in order to load them.
 
-```
+```bash
   CONFIG_MODULE_FORCE_LOAD=n
 ```
 
@@ -359,7 +370,8 @@ Recommendations
 ===============
 
 The following sections detail best practices that should be applied in
-order to secure a device. Although they are not currently listed as hard
+order to secure a device.  
+Although they are not currently listed as hard
 requirements, they may be upgraded to requirements status in the future.
 
 
@@ -371,10 +383,11 @@ Kernel Hardening
   configuration options that will require updating to a newer kernel
   version in order to enhance the security measures in the kernel and
   also for applications compiled to take advantage of these security
-  features.
+  features.  
 
   Additionally, there are also configuration options that close known
-  vulnerable configuration options. Here’s a high level summary of the
+  vulnerable configuration options.  
+  Here’s a high level summary of the
   various kernel configurations and which kernel version they pertain:
 
 |  Kernel Configuration                 | Kernel Version |
@@ -395,84 +408,91 @@ Kernel Hardening
 ### Build with Stack Protection
 
   Similar to the stack protector used for ELF programs in user-space,
-  the kernel can protect its internal stacks as well. This configuration
-  for the MIPS architecture is supported in Linux 3.11 and greater and
-  thus should only be enabled for such versions. This configuration also
+  the kernel can protect its internal stacks as well.  
+  This configuration for the MIPS architecture is supported in Linux 3.11 and greater and
+  thus should only be enabled for such versions.  
+  This configuration also
   requires building the kernel with the gcc compiler 4.2 or greater.
 
-```
+```bash
   CONFIG_CC_STACKPROTECTOR=y
 ```
 
 ### Disable access to /dev/mem
 
   The /dev/mem file in Linux systems is directly mapped to physical
-  memory. This can be disastrous if an attacker gains root access, as
+  memory.  
+  This can be disastrous if an attacker gains root access, as
   the attacker would have direct access to physical memory through this
-  convenient device file. It may not always be possible to disable such
-  file, as some applications might need such support. In that case then
+  convenient device file.  
+  It may not always be possible to disable such
+  file, as some applications might need such support.  
+  In that case then
   this device file should be available only for authenticated
-  applications. This configuration is supported in Linux 4.0 and greater
+  applications.  
+  This configuration is supported in Linux 4.0 and greater
   and thus should only be disabled for such versions.
 
-```
+```bash
   CONFIG_DEVMEM=n
 ```
 
 ### Disable cross-memory attach
 
   Disable the process\_vm\_\*v syscalls which allow one process to
-  peek/poke the virtual memory of another. This configuration is
+  peek/poke the virtual memory of another.  
+  This configuration is
   supported in Linux 3.5 and greater and thus should only be disabled
   for such versions.
-```
+```bash
   CROSS_MEMORY_ATTACH=n
 ```
 
 ### Disable core dumps
 
-  Core dumps provide lot of debug information for hackers. So disabling
-  core dumps is recommended in production builds. This configuration is
+  Core dumps provide lot of debug information for hackers.  
+  So disabling core dumps is recommended in production builds.  
+  This configuration is
   supported in Linux 3.7 and greater and thus should only be disabled
   for such versions.
 
-```
+```bash
   CONFIG_COREDUMP=n
 ```
 
 ### Disable Legacy Linux Support
 
   There are some Kernel Configs which are present only to support legacy
-  binaries. See also section 2.2.2.18 for disabling support for legacy
-  binary formats. The uselib system call, in particular, has no valid
-  use in any libc6 or uclibc system in recent times. This configuration
-  is supported in Linux 3.15 and greater and thus should only be
+  binaries.  
+  See also section 2.2.2.18 for disabling support for legacy binary formats.  
+  The uselib system call, in particular, has no valid use in any libc6 or uclibc system in recent times.  
+  This configuration is supported in Linux 3.15 and greater and thus should only be
   disabled for such versions.
 
-```
+```bash
   CONFIG_USELIB=n
 ```
 
 ### Disable firmware auto-loading user mode helper
 
   The firmware auto loading helper, which is a utility executed by the
-  kernel on hotplug events requiring firmware, needs to be set setuid.
+  kernel on hotplug events requiring firmware, needs to be set setuid.  
   As a result of this, the helper utility is an attractive target for
-  attackers with control of physical ports on the device. Disabling this
-  configuration is supported in Linux 3.9 and greater.
+  attackers with control of physical ports on the device.  
+  Disabling this configuration is supported in Linux 3.9 and greater.
 
-```
+```bash
   CONFIG_FW_LOADER_USER_HELPER=n
 ```
 
 ### Enable Kernel Panic on OOPS
 
   When fuzzing the kernel or attempting kernel exploits attackers are
-  likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC
-  can impede their progress. This configuration is supported in Linux
-  3.5 and greater and thus should only be enabled for such versions.
+  likely to trigger kernel OOPSes.  
+  Setting the behavior on OOPS to PANIC can impede their progress.  
+  This configuration is supported in Linux 3.5 and greater and thus should only be enabled for such versions.
 
-```
+```bash
   CONFIG_PANIC_ON_OOPS=y
 ```
 
@@ -480,13 +500,14 @@ Kernel Hardening
 
   These monitors can be used to inspect shared file descriptors on Unix
   Domain sockets or traffic on ‘localhost’ which is otherwise assumed to
-  be confidential. The **CONFIG\_PACKET\_DIAG** configuration is
-  supported in Linux 3.7 and greater and thus should only be disabled
-  for such versions. The **CONFIG\_UNIX\_DIAG** configuration is
+  be confidential.  
+  The **CONFIG\_PACKET\_DIAG** configuration is supported in Linux 3.7 and greater and thus should only be disabled
+  for such versions.  
+  The **CONFIG\_UNIX\_DIAG** configuration is
   supported in Linux 3.3 and greater and thus should only be disabled
   for such versions.
 
-```
+```bash
   CONFIG_PACKET_DIAG=n
   CONFIG_UNIX_DIAG=n
 ```
@@ -494,21 +515,24 @@ Kernel Hardening
 ### Disable BPF JIT
 
   The BPF JIT can be used to create kernel-payloads from firewall table
-  rules. This configuration for the MIPS architecture is supported in
+  rules.  
+  This configuration for the MIPS architecture is supported in
   Linux 3.16 and greater and thus should only be disabled for such
   versions.
-```
+
+```bash
   BPF_JIT=n
 ```
 
 ### Disable checkpoint/restore
 
   The checkpoint/restore service can take a process, freeze it and
-  migrate it. This results in providing more info than a core dump. This
-  configuration is supported in Linux 3.3 and greater and thus should
+  migrate it.  
+  This results in providing more info than a core dump.  
+  This configuration is supported in Linux 3.3 and greater and thus should
   only be disabled for such versions.
 
-```
+```bash
   CONFIG_CHECKPOINT_RESTORE=n
 ```
 
@@ -517,15 +541,15 @@ Kernel Hardening
   This configuration is supported in Linux 3.7 and greater and thus
   should only be enabled for such versions.
 
-```
+```bash
   CONFIG_MODULE_SIG_FORCE=y
 ```
 
 ### Disable all USB, PCMCIA (and other hotplug bus) drivers that aren’t needed
 
   To reduce the attack surface, the driver enumeration, probe, and
-  operation happen in the kernel. The driver data is parsed by the
-  kernel, so any logic bugs in these drivers can become kernel exploits.
+  operation happen in the kernel.  
+  The driver data is parsed by the kernel, so any logic bugs in these drivers can become kernel exploits.
 
 ### Disable all file systems not needed
 
@@ -536,8 +560,8 @@ Kernel Hardening
 
   When attackers try to develop "run anywhere" exploits for kernel
   vulnerabilities, they frequently need to know the location of internal
-  kernel structures. By treating kernel addresses as sensitive
-  information, those locations are not visible to regular local users.
+  kernel structures.  
+  By treating kernel addresses as sensitive information, those locations are not visible to regular local users.
 
   /proc/sys/kernel/kptr\_restrict is set to "1" to block the reporting
   of known kernel address leaks.
@@ -549,8 +573,8 @@ Kernel Hardening
 ### DMESG Restrictions
 
   When attackers try to develop "run anywhere" exploits for
-  vulnerabilties, they frequently will use dmesg output. By treating
-  dmesg output as sensitive information, this output is not available to
+  vulnerabilties, they frequently will use dmesg output.  
+  By treating dmesg output as sensitive information, this output is not available to
   the attacker.
 
   /proc/sys/kernel/dmesg\_restrict can be set to "1" to treat dmesg
@@ -562,7 +586,7 @@ Kernel Hardening
   options should be enabled to prevent SELlinux from being disabled at
   either runtime or boot time.
 
-```
+```bash
   CONFIG_SECURITY_SELINUX_DEVELOP=n
   CONFIG_SECURITY_SELINUX_DISABLE=n
   CONFIG_SECURITY_SELINUX_BOOTPARAM=n