diff options
| author |   mudcam <v.nieutin@live.fr> | 2017-12-08 23:45:21 +0100 |
|---|---|---|
| committer | mudcam <v.nieutin@live.fr> | 2017-12-08 23:45:21 +0100 |
| commit | 89e89e757243865c1e85b72ce22240af0ed1f14f (patch) | |
| tree | f0c251e8405b827c2693ec502d6fb486383928ab /security-blueprint/part-4 | |
| parent | 687774d7352c656652128a11fc0594a3bbf23cd2 (diff) | |
| parent | df4bdd6e9e5669451e7f60ecdc5c9e0d25e3f726 (diff) | |
Merge branch 'master' of github.com:automotive-grade-linux/docs-agl into sandbox/nieutin
Diffstat (limited to 'security-blueprint/part-4')
| -rw-r--r-- | security-blueprint/part-4/1-General.md | 74 | ||||
| -rw-r--r-- | security-blueprint/part-4/2-Memory.md | 38 | ||||
| -rw-r--r-- | security-blueprint/part-4/3-Consoles.md | 20 | ||||
| -rw-r--r-- | security-blueprint/part-4/4-Debug.md | 52 | ||||
| -rw-r--r-- | security-blueprint/part-4/5-FileSystems.md | 12 |
5 files changed, 97 insertions, 99 deletions
diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md index 2811514..10c665e 100644 --- a/security-blueprint/part-4/1-General.md +++ b/security-blueprint/part-4/1-General.md @@ -4,21 +4,21 @@ Kernel should controls access with labels and policy. -<!-- config --> +<!-- section-config --> Domain | Object | Recommendations -------------------- | ------ | ------------------------------------------ Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control. -<!-- endconfig --> +<!-- end-section-config --> -<!-- todo --> +<!-- section-todo --> Domain | Improvement ------------ | ---------------- Kernel-MAC-1 | Add MAC config note. -<!-- endtodo --> +<!-- end-section-todo --> -------------------------------------------------------------------------------- @@ -26,13 +26,13 @@ Kernel-MAC-1 | Add MAC config note. This prevents someone who gets root from supplanting the kernel. This can be used as a way to bypass signed kernels. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------- | -------------- | ------- Kernel-General-kexec-1 | `CONFIG_KEXEC` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -40,13 +40,13 @@ Kernel-General-kexec-1 | `CONFIG_KEXEC` | `n` It is preferable to have an IP configuration performed using a user-space tool as these tend to have more validation. We do not want the network interface coming up until the system has come up properly. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` --------------------------- | --------------- | ------- Kernel-General-IPAutoConf-1 | `CONFIG_IP_PNP` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -54,13 +54,13 @@ Kernel-General-IPAutoConf-1 | `CONFIG_IP_PNP` | `n` Enabling this will result in code being included that is hard to maintain and not well tested. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------------- | ----------------------- | ------- Kernel-General-SysCtl_SysCall-1 | `CONFIG_SYSCTL_SYSCALL` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -68,13 +68,13 @@ Kernel-General-SysCtl_SysCall-1 | `CONFIG_SYSCTL_SYSCALL` | `n` There are some Kernel Configs which are present only to support legacy binaries. See also "Consoles" part in order to disabling support for legacy binary formats. The `uselib` system call, in particular, has no valid use in any `libc6` or `uclibc` system in recent times. This configuration is supported in **Linux 3.15 and greater** and thus should only be disabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------------- | --------------- | ------- Kernel-General-LegacyLinux-1 | `CONFIG_USELIB` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -82,13 +82,13 @@ Kernel-General-LegacyLinux-1 | `CONFIG_USELIB` | `n` The firmware auto loading helper, which is a utility executed by the kernel on `hotplug` events requiring firmware, needs to be set `setuid`. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. Disabling this configuration that is supported in **Linux 3.9 and greater**. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` --------------------------- | ------------------------------ | ------- Kernel-General-FirmHelper-1 | `CONFIG_FW_LOADER_USER_HELPER` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -98,13 +98,13 @@ When fuzzing the kernel or attempting kernel exploits attackers are likely to tr This configuration is supported in **Linux 3.5 and greater** and thus should only be enabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------------- | ---------------------- | ------- Kernel-General-PanicOnOOPS-1 | `CONFIG_PANIC_ON_OOPS` | `y` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -118,14 +118,14 @@ The `CONFIG_PACKET_DIAG` configuration is supported in **Linux 3.7 and greater** The `CONFIG_UNIX_DIAG` configuration is supported in **Linux 3.3 and greater** and thus should only be disabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` -------------------------- | -------------------- | ------- Kernel-General-SocketMon-1 | `CONFIG_PACKET_DIAG` | `n` Kernel-General-SocketMon-2 | `CONFIG_UNIX_DIAG` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -135,13 +135,13 @@ The BPF JIT can be used to create kernel-payloads from firewall table rules. This configuration for is supported in **Linux 3.16 and greater** and thus should only be disabled for such versions. -<!-- config --> +<!-- section-config --> -Domain | `Config` name | `Value` ------------------------- | ---------------- | ------- -Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n` +Domain | `Config` name | `Value` +------------------------ | ------------- | ------- +Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -157,13 +157,13 @@ root load arbitrary kernel code via the module loader interface. This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------------ | ------------------------- | ------- Kernel-General-ModuleSigning-1 | `CONFIG_MODULE_SIG_FORCE` | `y` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -173,7 +173,7 @@ Kernel-General-ModuleSigning-1 | `CONFIG_MODULE_SIG_FORCE` | `y` To reduce the attack surface, the driver enumeration, probe, and operation happen in the kernel. The driver data is parsed by the kernel, so any logic bugs in these drivers can become kernel exploits. -<!-- config --> +<!-- section-config --> Domain | Object | _State_ ------------------------ | ------------------- | ---------- @@ -181,27 +181,27 @@ Kernel-General-Drivers-1 | `USB` | _Disabled_ Kernel-General-Drivers-2 | `PCMCIA` | _Disabled_ Kernel-General-Drivers-3 | Other `hotplug` bus | _Disabled_ -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- ## Position Independent Executables -<!-- todo --> +<!-- section-todo --> Domain | Improvement -------------------------------- | ----------------------------- Kernel-General-IndependentExec-1 | Kernel or/and platform part ? -<!-- endtodo --> +<!-- end-section-todo --> -<!-- config --> +<!-- section-config --> Domain | `compiler` and `linker` options | _State_ -------------------------------- | ------------------------------- | -------- Kernel-General-IndependentExec-1 | `-pie -fpic` | _Enable_ -<!-- endconfig --> +<!-- end-section-config --> Produce a position independent executable on targets which supports it. @@ -211,14 +211,14 @@ Produce a position independent executable on targets which supports it. `-z,relro` linking option helps during program load, several ELF memory sections need to be written by the linker, but can be turned read-only before turning over control to the program. This prevents some Global Offset Table GOT overwrite attacks, or in the dtors section of the ELF binary. -<!-- config --> +<!-- section-config --> Domain | `compiler` and `linker` options | _State_ --------------------------------- | ------------------------------- | -------- Kernel-General-OverwriteAttacks-1 | `-z,relro` | _Enable_ Kernel-General-OverwriteAttacks-2 | `-z,now` | _Enable_ -<!-- endconfig --> +<!-- end-section-config --> During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to `-z relro` above). This prevents GOT overwrite attacks. For very large application, this can incur some performance loss during initial load while symbols are resolved, but this shouldn't be an issue for daemons. @@ -228,20 +228,20 @@ During program load, all dynamic symbols are resolved, allowing for the complete ## Library linking -<!-- todo --> +<!-- section-todo --> Domain | Improvement ------------------------------- | --------------- Kernel-General-LibraryLinking-1 | Keep this part? -<!-- endtodo --> +<!-- end-section-todo --> It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library. All libraries should be linked statically, but this is difficult to implement. -<!-- config --> +<!-- section-config --> Domain | `compiler` and `linker` options | _State_ ------------------------------- | ------------------------------- | -------- Kernel-General-LibraryLinking-1 | `-static` | _Enable_ -<!-- endconfig --> +<!-- end-section-config --> diff --git a/security-blueprint/part-4/2-Memory.md b/security-blueprint/part-4/2-Memory.md index c6e4bb5..9cc9c16 100644 --- a/security-blueprint/part-4/2-Memory.md +++ b/security-blueprint/part-4/2-Memory.md @@ -6,13 +6,13 @@ The /dev/kmem file in Linux systems is directly mapped to kernel virtual memory. To disable the /dev/kmem file, which is very infrequently used by applications, the following kernel option should be set in the compile-time kernel configuration: -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------------ | ---------------- | ------- Kernel-Memory-RestrictAccess-1 | `CONFIG_DEVKMEM` | `n` -<!-- endconfig --> +<!-- end-section-config --> In case applications in userspace need /dev/kmem support, it should be available only for authenticated applications. @@ -22,13 +22,13 @@ In case applications in userspace need /dev/kmem support, it should be available This kernel configuration disables access to a kernel core dump from user space. If enabled, it gives attackers a useful view into kernel memory. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------ | ------------------- | ------- Kernel-Memory-CoreDump-1 | `CONFIG_PROC_KCORE` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -36,13 +36,13 @@ Kernel-Memory-CoreDump-1 | `CONFIG_PROC_KCORE` | `n` If not disabled, attackers can enable swap at runtime, add pressure to the memory subsystem and then scour the pages written to swap for useful information. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` -------------------- | ------------- | ------- Kernel-Memory-Swap-1 | `CONFIG_SWAP` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -54,14 +54,14 @@ There is a /proc/kallsyms file which exposes the kernel memory space address of Both `KALLSYMS_ALL` and `KALLSYMS` shall be disabled; -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------------ | --------------------- | ------- Kernel-Memory-LoadAllSymbols-1 | `CONFIG_KALLSYMS` | `n` Kernel-Memory-LoadAllSymbols-2 | `CONFIG_KALLSYMS_ALL` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -73,15 +73,13 @@ This configuration is supported in **Linux 3.11 and greater** and thus should on This configuration also requires building the kernel with the **gcc compiler 4.2 or greater**. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` --------------------- | -------------------------- | ------- Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y` -<!-- endconfig --> - -Other defenses include things like shadow stacks. +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -91,13 +89,13 @@ The /dev/mem file in Linux systems is directly mapped to physical memory. This c This configuration is supported in **Linux 4.0 and greater** and thus should only be disabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------- | --------------- | ------- Kernel-Memory-Access-1 | `CONFIG_DEVMEM` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -109,25 +107,25 @@ Disable the process_vm_*v syscalls which allow one process to peek/poke the virt This configuration is supported in **Linux 3.5 and greater** and thus should only be disabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------------ | --------------------- | ------- Kernel-Memory-CrossMemAttach-1 | `CROSS_MEMORY_ATTACH` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- ## Stack Smashing Attacks -<!-- config --> +<!-- section-config --> Domain | `compiler` and `linker` options | _State_ ----------------------------- | ------------------------------- | -------- Kernel-Memory-StackSmashing-1 | `-fstack-protector-all` | _Enable_ -<!-- endconfig --> +<!-- end-section-config --> Emit extra code to check for buffer overflows, such as stack smashing attacks. @@ -135,12 +133,12 @@ Emit extra code to check for buffer overflows, such as stack smashing attacks. ## Detect Buffer Overflows -<!-- config --> +<!-- section-config --> Domain | `compiler` and `linker` options | `Value` ------------------------------- | ------------------------------- | ------- Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2` -<!-- endconfig --> +<!-- end-section-config --> Helps detect some buffer overflow errors. diff --git a/security-blueprint/part-4/3-Consoles.md b/security-blueprint/part-4/3-Consoles.md index 5cb2298..c6cf80a 100644 --- a/security-blueprint/part-4/3-Consoles.md +++ b/security-blueprint/part-4/3-Consoles.md @@ -4,7 +4,7 @@ The serial console should be disabled to prevent an attacker from accessing this powerful interface. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------ | ---------------------------- | ------- @@ -13,7 +13,7 @@ Kernel-Consoles-Serial-2 | `CONFIG_SERIAL_8250_CONSOLE` | `n` Kernel-Consoles-Serial-3 | `CONFIG_SERIAL_CORE` | `n` Kernel-Consoles-Serial-4 | `CONFIG_SERIAL_CORE_CONSOLE` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -23,7 +23,7 @@ The kernel command-line is used to control many aspects of the booting kernel, a Set the kernel command line in the `CONFIG_CMDLINE KConfig` item and then pass no arguments from the bootloader. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ----------------------------- | ------------------------- | ----------------------------------- @@ -31,7 +31,7 @@ Kernel-Consoles-CommandLine-1 | `CONFIG_CMDLINE_BOOL` | `y` Kernel-Consoles-CommandLine-2 | `CONFIG_CMDLINE` | `"insert kernel command line here"` Kernel-Consoles-CommandLine-3 | `CONFIG_CMDLINE_OVERRIDE` | `y` -<!-- endconfig --> +<!-- end-section-config --> It is recommended that any per-device settings (e.g: MAC addresses, serial numbers, etc.) be stored and accessed from read-only memory (or files), and that any such parameters be verified (signature checking) prior to their use. @@ -41,13 +41,13 @@ It is recommended that any per-device settings (e.g: MAC addresses, serial numbe The Linux kernel supports KGDB over USB and console ports. These mechanisms are controlled by the `kgdbdbgp` and `kgdboc` kernel command-line parameters. It is important to ensure that no shipping product contains a kernel with KGDB compiled-in. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------- | ------------- | ------- Kernel-Consoles-KDBG-1 | `CONFIG_KGDB` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -55,13 +55,13 @@ Kernel-Consoles-KDBG-1 | `CONFIG_KGDB` | `n` On a few architectures, you can access a powerful debugger interface from the keyboard. The same powerful interface can be present on the serial console (responding to serial break) of Linux on other architectures. Disable to avoid potentially exposing this powerful backdoor. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ----------------------- | -------------------- | ------- Kernel-Consoles-SysRQ-1 | `CONFIG_MAGIC_SYSRQ` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -69,10 +69,10 @@ Kernel-Consoles-SysRQ-1 | `CONFIG_MAGIC_SYSRQ` | `n` This will make possible to plug wrapper-driven binary formats into the kernel. It enables support for binary formats other than ELF. Providing the ability to use alternate interpreters would assist an attacker in discovering attack vectors. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------------ | -------------------- | ------- Kernel-Consoles-BinaryFormat-1 | `CONFIG_BINFMT_MISC` | `n` -<!-- endconfig --> +<!-- end-section-config --> diff --git a/security-blueprint/part-4/4-Debug.md b/security-blueprint/part-4/4-Debug.md index c8d5de0..5a1eb24 100644 --- a/security-blueprint/part-4/4-Debug.md +++ b/security-blueprint/part-4/4-Debug.md @@ -6,13 +6,13 @@ No debuggers shall be present on the file system. This includes, but is not limi Debug symbols should always be removed from production kernels as they provide a lot of information to attackers. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------- | ------------------- | ------- Kernel-Debug-Symbols-1 | `CONFIG_DEBUG_INFO` | `n` -<!-- endconfig --> +<!-- end-section-config --> These kernel debug symbols are enabled by other config items in the kernel. Care should be taken to disable those also. If `CONFIG_DEBUG_INFO` cannot be disabled, then enabling `CONFIG_DEBUG_INFO_REDUCED` is second best. @@ -22,13 +22,13 @@ These kernel debug symbols are enabled by other config items in the kernel. Care Kprobes enables you to dynamically break into any kernel routine and collect debugging and performance information non-disruptively. You can trap at almost any kernel code address, specifying a handler routine to be invoked when the breakpoint is hit. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------- | ---------------- | ------- Kernel-Debug-Kprobes-1 | `CONFIG_KPROBES` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -36,13 +36,13 @@ Kernel-Debug-Kprobes-1 | `CONFIG_KPROBES` | `n` FTrace enables the kernel to trace every kernel function. Providing kernel trace functionality would assist an attacker in discovering attack vectors. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------- | --------------- | ------- Kernel-Debug-Tracing-1 | `CONFIG_FTRACE` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -50,14 +50,14 @@ Kernel-Debug-Tracing-1 | `CONFIG_FTRACE` | `n` Profiling and OProfile enables profiling the whole system, include the kernel, kernel modules, libraries, and applications. Providing profiling functionality would assist an attacker in discovering attack vectors. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------ | ------------------ | ------- Kernel-Debug-Profiling-1 | `CONFIG_OPROFILE` | `n` Kernel-Debug-Profiling-2 | `CONFIG_PROFILING` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -65,13 +65,13 @@ Kernel-Debug-Profiling-2 | `CONFIG_PROFILING` | `n` The output from OOPS print can be helpful in Return Oriented Programming (ROP) when trying to determine the effectiveness of an exploit. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------ | ------------------------- | ------- Kernel-Debug-OOPSOnBUG-1 | `CONFIG_DEBUG_BUGVERBOSE` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -79,14 +79,14 @@ Kernel-Debug-OOPSOnBUG-1 | `CONFIG_DEBUG_BUGVERBOSE` | `n` There are development-only branches of code in the kernel enabled by the `DEBUG_KERNEL` conf. This should be disabled to compile-out these branches. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------ | --------------------- | ------- Kernel-Debug-Dev-1 | `CONFIG_DEBUG_KERNEL` | `n` Kernel-Debug-Dev-2 | `CONFIG_EMBEDDED` | `n` -<!-- endconfig --> +<!-- end-section-config --> In some kernel versions, disabling this requires also disabling `CONFIG_EMBEDDED`, and `CONFIG_EXPERT`. Disabling `CONFIG_EXPERT` makes it impossible to disable `COREDUMP`, `DEBUG_BUGVERBOSE`, `NAMESPACES`, `KALLSYMS` and `BUG`. In which case it is better to leave this enabled than enable the others. @@ -98,13 +98,13 @@ In some kernel versions, disabling this requires also disabling `CONFIG_EMBEDDED The kernel debug filesystem presents a lot of useful information and means of manipulation of the kernel to an attacker. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------- | ----------------- | ------- Kernel-Debug-FileSystem-1 | `CONFIG_DEBUG_FS` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -112,13 +112,13 @@ Kernel-Debug-FileSystem-1 | `CONFIG_DEBUG_FS` | `n` The kernel will display backtrace and register information for BUGs and WARNs in kernel space, making it easier for attackers to develop exploits. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------ | ------------- | ------- Kernel-Debug-BUG-1 | `CONFIG_BUG` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -128,13 +128,13 @@ Core dumps provide a lot of debug information for hackers. So disabling core dum This configuration is supported in **Linux 3.7 and greater** and thus should only be disabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------ | ----------------- | ------- Kernel-Debug-CoreDumps-1 | `CONFIG_COREDUMP` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -146,17 +146,17 @@ When attackers try to develop "run anywhere" exploits for kernel vulnerabilities **/proc/sys/kernel/kptr_restrict is set to "1"** to block the reporting of known kernel address leaks. -<!-- config --> +<!-- section-config --> Domain | `File` name | `Value` ---------------------------- | -------------------------------- | ------- Kernel-Debug-AdressDisplay-1 | `/proc/sys/kernel/kptr_restrict` | `1` -<!-- endconfig --> +<!-- end-section-config --> Additionally, various files and directories should be readable only by the root user: `/boot/vmlinuz*`, `/boot/System.map*`, `/sys/kernel/debug/`, `/proc/slabinfo` -<!-- config --> +<!-- section-config --> Domain | `File` or `Directorie` name | _State_ ---------------------------- | --------------------------- | ----------------------------- @@ -165,7 +165,7 @@ Kernel-Debug-AdressDisplay-2 | `/boot/System.map*` | _Readable Only for Kernel-Debug-AdressDisplay-3 | `/sys/kernel/debug/` | _Readable Only for root user_ Kernel-Debug-AdressDisplay-4 | `/proc/slabinfo` | _Readable Only for root user_ -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -175,13 +175,13 @@ When attackers try to develop "run anywhere" exploits for vulnerabilities, they **/proc/sys/kernel/dmesg_restrict can be set to "1"** to treat dmesg output as sensitive. -<!-- config --> +<!-- section-config --> Domain | `File` name | `Value` -------------------- | --------------------------------- | ------- Kernel-Debug-DMESG-1 | `/proc/sys/kernel/dmesg_restrict` | `1` -<!-- endconfig --> +<!-- end-section-config --> Enable the below compiler and linker options when building user-space applications to avoid stack smashing, buffer overflow attacks. @@ -193,10 +193,10 @@ Enable the below compiler and linker options when building user-space applicatio It is extremely important to not expose the kernel configuration used on a production device to a potential attacker. With access to the kernel config, it could be possible for an attacker to build a custom kernel for the device that may disable critical security features. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` --------------------- | ----------------- | ------- Kernel-Debug-Config-1 | `CONFIG_IKCONFIG` | `n` -<!-- endconfig --> +<!-- end-section-config --> diff --git a/security-blueprint/part-4/5-FileSystems.md b/security-blueprint/part-4/5-FileSystems.md index e5ef733..78f2050 100644 --- a/security-blueprint/part-4/5-FileSystems.md +++ b/security-blueprint/part-4/5-FileSystems.md @@ -8,14 +8,14 @@ To reduce the attack surface, file system data is parsed by the kernel, so any l NFS FileSystems are useful during development phases, but this can be a very helpful way for an attacker to get files when you are in production mode, so we must disable them. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------ | --------------- | ------- Kernel-FileSystems-NFS-1 | `CONFIG_NFSD` | `n` Kernel-FileSystems-NFS-2 | `CONFIG_NFS_FS` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -35,7 +35,7 @@ There are several security restrictions that can be set on a filesystem when it The following flags shall be used for mounting common filesystems: -<!-- config --> +<!-- section-config --> Domain | `Partition` | `Value` -------------------------- | ------------------- | ----------------------------------------------------------------- @@ -47,14 +47,14 @@ Kernel-FileSystems-Mount-5 | _Temporary storage_ | Add `nosuid`, `nodev` and `no Kernel-FileSystems-Mount-6 | `/dev/shm` | Add `nosuid`, `nodev` and `noexec`. Kernel-FileSystems-Mount-7 | `/dev` | Add `nosuid` and `noexec`. -<!-- endconfig --> <!-- note --> +<!-- end-section-config --> <!-- section-note --> If `CONFIG_DEVTMPFS_MOUNT` is set, then the kernel will mount /dev and will not apply the `nosuid`, `noexec` options. Either disable `CONFIG_DEVTMPFS_MOUNT` or add a remount with `noexec` and `nosuid` options to system startup. -<!-- endnote --> <!-- config --> +<!-- end-section-note --> <!-- section-config --> Domain | `Config` name | _State_ or `Value` -------------------------- | ----------------------- | ----------------------------------------------------------------------- Kernel-FileSystems-Mount-1 | `CONFIG_DEVTMPFS_MOUNT` | _Disabled_ or add remount with `noexec` and `nosuid` to system startup. -<!-- endconfig --> +<!-- end-section-config --> |