author: mudcam <v.nieutin@live.fr> 2018-04-16 15:26:11 +0200
committer: mudcam <v.nieutin@live.fr> 2018-04-16 15:26:11 +0200
commit: 4aac2f4590d9ae7ffa707a662c41b7e460a0ea3a (patch)
tree: 2b9efb022e3bb2b2ab1371a0f0543dd3bc1accf5 /security-blueprint/part-4
parent: f690453c2b2d87161755500fe3f7735975c2963a (diff)
Integration of Eli Mordechai's comments.
Diffstat (limited to 'security-blueprint/part-4')
-rw-r--r-- security-blueprint/part-4/1-General.md | 42
-rw-r--r-- security-blueprint/part-4/2-Memory.md  | 20
-rw-r--r-- security-blueprint/part-4/4-Debug.md   |  6
3 files changed, 56 insertions, 12 deletions
diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md
index f279b17..444c97d 100644
--- a/security-blueprint/part-4/1-General.md
+++ b/security-blueprint/part-4/1-General.md
@@ -24,7 +24,7 @@ Kernel-MAC-1 | Add MAC config note.
## Disable kexec
-This prevents someone who gets root from supplanting the kernel. This can be used as a way to bypass signed kernels.
+**Kexec** is a system call that enables you to load and boot into another kernel from the currently running kernel. This feature is not required in a production environment.
<!-- section-config -->
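Review bot: the replacement sentence drops the security rationale that the removed line carried (a root user loading a different kernel through kexec, which sidesteps kernel signature enforcement) and replaces it with a feature description only. Keep the definition but follow it with the threat, e.g. "Left enabled, it allows a process with root privileges to replace the running kernel, bypassing a signed-kernel boot chain", so the reader knows why `CONFIG_KEXEC=n` is required and not just that the feature is unused.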
@@ -34,6 +34,12 @@ Kernel-General-kexec-1 | `CONFIG_KEXEC` | `n`
<!-- end-section-config -->
+<!-- section-note -->
+
+**kexec** can load arbitrary kernels but signing of new kernel can be enforced like it is can be enforced for new modules.
+
+<!-- end-section-note -->
+
--------------------------------------------------------------------------------
## Disable kernel IP auto-configuration
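Review bot: the added note has a grammatical slip, "like it is can be enforced" should read "like it can be enforced", and as written it sits in tension with the config row just above it, which mandates `CONFIG_KEXEC=n`. State explicitly that signature enforcement on kexec'd kernels is the fallback for systems that cannot disable kexec, and name the kernel option that turns it on, otherwise the note reads as contradicting the recommendation rather than qualifying it.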
@@ -80,7 +86,7 @@ Kernel-General-LegacyLinux-1 | `CONFIG_USELIB` | `n`
## Disable firmware auto-loading user mode helper
-The firmware auto loading helper, which is a utility executed by the kernel on `hotplug` events requiring firmware, needs to be set `setuid`. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. Disabling this configuration that is supported in **Linux 3.9 and greater**.
+The firmware auto loading helper, which is a utility executed by the kernel on `hotplug` events requiring firmware, can to be set `setuid`. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. Disabling this configuration that is supported in **Linux 3.9 and greater**.
<!-- section-config -->
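Review bot: the edited line introduces a typo, "can to be set `setuid`" should be "can be set `setuid`". While touching this sentence, the pre-existing fragment at its end ("Disabling this configuration that is supported in **Linux 3.9 and greater**.") should also be completed, e.g. "Disabling this helper is supported in **Linux 3.9 and greater**.", in line with the version phrasing used in the module-signing section.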
@@ -90,6 +96,12 @@ Kernel-General-FirmHelper-1 | `CONFIG_FW_LOADER_USER_HELPER` | `n`
<!-- end-section-config -->
+<!-- section-note -->
+
+It doesn't strictly need to be `setuid`, there is an option of shipping firmware builtin into kernel without initrd/filesystem.
+
+<!-- end-section-note -->
+
--------------------------------------------------------------------------------
## Enable Kernel Panic on OOPS
@@ -152,7 +164,7 @@ since that would provide a facility to unexpectedly extend the available attack
To protect against even privileged users, systems may need to either disable
module loading entirely, or provide signed modules
-(e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having
+(e.g. `CONFIG_MODULE_SIG_FORCE`, or dm-crypt with LoadPin), to keep from having
root load arbitrary kernel code via the module loader interface.
This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions.
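Review bot: the backtick fix on `CONFIG_MODULE_SIG_FORCE` is fine, but the same line keeps "dm-crypt with LoadPin", which pairs the wrong technology: LoadPin restricts module and firmware loading to a single, integrity-protected filesystem, which is dm-verity's job, not dm-crypt's (dm-crypt gives confidentiality, not integrity). Suggest "or dm-verity with LoadPin" while this line is already being edited.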
@@ -165,6 +177,16 @@ Kernel-General-ModuleSigning-1 | `CONFIG_MODULE_SIG_FORCE` | `y`
<!-- end-section-config -->
+It is also possible to block the loading of modules after startup with "kernel.modules_disabled".
+
+<!-- section-config -->
+
+Domain | `Variable` name | `Value`
+------------------------------ | ------------------------- | -------
+Kernel-General-ModuleSigning-2 | `kernel.modules_disabled` | `1`
+
+<!-- end-section-config -->
+
--------------------------------------------------------------------------------
<!-- pagebreak -->
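Review bot: the new table labels `kernel.modules_disabled` under the "ModuleSigning" domain with a `Variable` name header, but it is a runtime sysctl, not a signing control and not a build-time config, so the domain id and header are misleading next to the `CONFIG_MODULE_SIG_FORCE` row above. Two points worth adding to the sentence at the top of the hunk: the sysctl is one-way (once set to `1` it cannot be cleared until reboot, so all required modules must be loaded first), and the plain quotes around "kernel.modules_disabled" should be backticks to match the rest of the document.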
@@ -236,12 +258,18 @@ Kernel-General-LibraryLinking-1 | Keep this part?
<!-- end-section-todo -->
-It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library. All libraries should be linked statically, but this is difficult to implement.
+It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library.
<!-- section-config -->
-Domain | `compiler` and `linker` options | _State_
-------------------------------- | ------------------------------- | --------
-Kernel-General-LibraryLinking-1 | `-static` | _Enable_
+Domain | Object | Recommendations
+------------------------------- | --------------- | --------------------------------
+Kernel-General-LibraryLinking-1 | Dynamic linking | Should generally not be allowed.
<!-- end-section-config -->
+
+<!-- section-note -->
+
+Linking everything statically doesn't change anything wrt security as binaries will live under same user:group as libraries and setuid executables ignore `LD_PRELOAD/LD_LIBRARY_PATH`. It also increases RSS footprint and creates problems with upgrading.
+
+<!-- end-section-note -->
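Review bot: the hunk leaves the recommendation and the note contradicting each other: the prose and the new table row still say dynamic linking "should generally not be allowed", while the added note states that linking statically "doesn't change anything wrt security". If the note is the reviewer's conclusion, the recommendation should be reworded to what actually matters (library directories writable only by root, no untrusted entries in the loader search path) or the whole section dropped, as the still-open "Keep this part?" todo above suggests. Minor: spell out "wrt" as "with respect to" and "same user:group" as "the same user:group".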
diff --git a/security-blueprint/part-4/2-Memory.md b/security-blueprint/part-4/2-Memory.md
index 822c928..d7af446 100644
--- a/security-blueprint/part-4/2-Memory.md
+++ b/security-blueprint/part-4/2-Memory.md
@@ -44,6 +44,15 @@ Kernel-Memory-Swap-1 | `CONFIG_SWAP` | `n`
<!-- end-section-config -->
+<!-- section-note -->
+
+- Enabling swap at runtime require `CAP_SYS_ADMIN`.
+- Swap block device is usually under root:disk.
+- Linux never swaps kernel pages.
+- If swap disabling is not possible, swap encryption should be enabled.
+
+<!-- end-section-note -->
+
--------------------------------------------------------------------------------
<!-- pagebreak -->
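Review bot: grammar in the first bullet, "Enabling swap at runtime require" should be "requires". More substantively, the last bullet recommends swap encryption as the fallback but gives no corresponding config row, unlike every other fallback in this part; add a row (or at least the mechanism) so the recommendation is checkable. The first three bullets read as arguments that swap is low-risk, which sits oddly under a section whose config row mandates `CONFIG_SWAP=n`; make clear they explain why disabling is preferred but not critical.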
@@ -79,10 +88,10 @@ Domain | `Config` name | `Value`
--------------------- | -------------------------- | -------
Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y`
-Other defenses include things like shadow stacks.
-
<!-- end-section-config -->
+Other defenses include things like shadow stacks.
+
--------------------------------------------------------------------------------
## Disable access to /dev/mem
@@ -137,9 +146,10 @@ Emit extra code to check for buffer overflows, such as stack smashing attacks.
<!-- section-config -->
-Domain | `compiler` and `linker` options | `Value`
-------------------------------- | ------------------------------- | -------
-Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2`
+Domain | `compiler` options and `config` name | `Value`
+------------------------------- | ------------------------------------ | -------
+Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2`
+Kernel-Memory-BufferOverflows-2 | `CONFIG_FORTIFY_SOURCE` | `y`
<!-- end-section-config -->
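Review bot: the two rows target different build artefacts and the header hides that: `-D_FORTIFY_SOURCE=2` is a compiler flag for userspace builds (and only has effect when compiled with optimisation enabled), whereas `CONFIG_FORTIFY_SOURCE=y` is a kernel `.config` option that hardens the kernel's own string and memory helpers. Split the header or add a short sentence saying which applies where, and state the minimum kernel version for the config option the way the other sections of this part do.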
diff --git a/security-blueprint/part-4/4-Debug.md b/security-blueprint/part-4/4-Debug.md
index 5a1eb24..cce5fc0 100644
--- a/security-blueprint/part-4/4-Debug.md
+++ b/security-blueprint/part-4/4-Debug.md
@@ -16,6 +16,12 @@ Kernel-Debug-Symbols-1 | `CONFIG_DEBUG_INFO` | `n`
These kernel debug symbols are enabled by other config items in the kernel. Care should be taken to disable those also. If `CONFIG_DEBUG_INFO` cannot be disabled, then enabling `CONFIG_DEBUG_INFO_REDUCED` is second best.
+<!-- section-note -->
+
+At least `CONFIG_DEBUG_INFO_REDUCED` should be always enabled for developers to convert addresses in oops messages to line numbers.
+
+<!-- end-section-note -->
+
--------------------------------------------------------------------------------
## Disable Kprobes
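Review bot: the added note says `CONFIG_DEBUG_INFO_REDUCED` "should be always enabled", but it depends on `CONFIG_DEBUG_INFO`, which the config row at the top of this hunk sets to `n`; as written the note contradicts the recommendation. Scope it to development builds ("for development kernels, enable at least ...") so the production recommendation stays `CONFIG_DEBUG_INFO=n`, and fix "should be always enabled" to "should always be enabled".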