author | Sebastien Douheret <sebastien.douheret@iot.bzh> | 2018-05-28 15:47:24 +0200 |
---|---|---|
committer | ronan [iot.bzh] <ronan.lemartret@iot.bzh> | 2018-06-01 09:36:24 +0200 |
commit | 8dcffe52a5c600b8d78ad90f2fd8a533b0934415 (patch) | |
tree | 17432571d674303b98baba798500b1db192eb74d /security-blueprint | |
parent | 2f2f30a324510494c091d88429b343784aa592a6 (diff) |
Updated MAC Kernel configuration [SPEC-1453]
- added Kernel configs to enable MAC / SMACK support.
- added links to refer to MAC in Platform part and other useful external links.
Signed-off-by: Sebastien Douheret <sebastien.douheret@iot.bzh>
Diffstat (limited to 'security-blueprint')
-rw-r--r-- | security-blueprint/annexes/ConfigNotes.md | 22 |
-rw-r--r-- | security-blueprint/annexes/todoNotes.md | 4 |
-rw-r--r-- | security-blueprint/part-4/1-General.md | 23 |
3 files changed, 27 insertions, 22 deletions
diff --git a/security-blueprint/annexes/ConfigNotes.md b/security-blueprint/annexes/ConfigNotes.md index 23b202a..b3770fa 100644 --- a/security-blueprint/annexes/ConfigNotes.md +++ b/security-blueprint/annexes/ConfigNotes.md @@ -98,9 +98,16 @@ Boot-Consoles-MemDump-7 | `mdc` | _Disabled_ Boot-Consoles-MemDump-8 | `mtest` | _Disabled_ Boot-Consoles-MemDump-9 | `loopw` | _Disabled_ -Domain | Object | Recommendations --------------------- | ------ | ------------------------------------------ -Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control. +Domain | `Config` name | `Value` +-------------------- | -------------- | -------------------------------------- +Kernel-General-MAC-1 | CONFIG_IP_NF_SECURITY | m +Kernel-General-MAC-2 | CONFIG_IP6_NF_SECURITY | m +Kernel-General-MAC-3 | CONFIG_EXT2_FS_SECURITY | y +Kernel-General-MAC-4 | CONFIG_EXT3_FS_SECURITY | y +Kernel-General-MAC-5 | CONFIG_EXT4_FS_SECURITY | y +Kernel-General-MAC-6 | CONFIG_SECURITY | y +Kernel-General-MAC-7 | CONFIG_SECURITY_SMACK | y +Kernel-General-MAC-8 | CONFIG_TMPFS_XATTR | y Domain | `Config` name | `Value` ---------------------- | -------------- | ------- @@ -158,6 +165,10 @@ Domain | `compiler` and `linker` options | _State_ Kernel-General-OverwriteAttacks-1 | `-z,relro` | _Enable_ Kernel-General-OverwriteAttacks-2 | `-z,now` | _Enable_ +Domain | Object | Recommendations +------------------------------- | --------------- | -------------------------------- +Kernel-General-LibraryLinking-1 | Dynamic linking | Should generally not be allowed. + Domain | `Config` name | `Value` ------------------------------ | ---------------- | ------- Kernel-Memory-RestrictAccess-1 | `CONFIG_DEVKMEM` | `n` 
@@ -178,7 +189,6 @@ Kernel-Memory-LoadAllSymbols-2 | `CONFIG_KALLSYMS_ALL` | `n` Domain | `Config` name | `Value` --------------------- | -------------------------- | ------- Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y` -Other defenses include things like shadow stacks. Domain | `Config` name | `Value` ---------------------- | --------------- | ------- @@ -472,8 +482,4 @@ Domain | Object | Reco ----------------------------- | ----------------------------------------- | --------------------------------- Application-Cloud-Transport-1 | Integrity, confidentiality and legitimacy | Should implement IPSec standards. -Domain | Object | Recommendations -------------- | ----------------------------------------- | --------------- -Update-FOTA-1 | Integrity, confidentiality and legitimacy | Must be secure. - <!-- end-section-config --> diff --git a/security-blueprint/annexes/todoNotes.md b/security-blueprint/annexes/todoNotes.md index 01e05d8..f152a71 100644 --- a/security-blueprint/annexes/todoNotes.md +++ b/security-blueprint/annexes/todoNotes.md @@ -17,10 +17,6 @@ Domain | Improvement --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- Hypervisor-Abstract-1 | Complete Hypervisor part ([jailhouse](https://github.com/siemens/jailhouse) / [KVM](https://www.linux-kvm.org/page/Main_Page) / [Xen](https://www.xenproject.org/developers/teams/embedded-and-automotive.html)). -Domain | Improvement ------------- | ---------------- -Kernel-MAC-1 | Add MAC config note. - Domain | Improvement -------------------------------- | ----------------------------- Kernel-General-IndependentExec-1 | Kernel or/and platform part ? diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md index 444c97d..54c7ea8 100644 --- a/security-blueprint/part-4/1-General.md +++ b/security-blueprint/part-4/1-General.md 
@@ -6,19 +6,22 @@ Kernel should controls access with labels and policy. <!-- section-config --> -Domain | Object | Recommendations --------------------- | ------ | ------------------------------------------ -Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control. +Domain | `Config` name | `Value` +-------------------- | -------------- | -------------------------------------- +Kernel-General-MAC-1 | CONFIG_IP_NF_SECURITY | m +Kernel-General-MAC-2 | CONFIG_IP6_NF_SECURITY | m +Kernel-General-MAC-3 | CONFIG_EXT2_FS_SECURITY | y +Kernel-General-MAC-4 | CONFIG_EXT3_FS_SECURITY | y +Kernel-General-MAC-5 | CONFIG_EXT4_FS_SECURITY | y +Kernel-General-MAC-6 | CONFIG_SECURITY | y +Kernel-General-MAC-7 | CONFIG_SECURITY_SMACK | y +Kernel-General-MAC-8 | CONFIG_TMPFS_XATTR | y <!-- end-section-config --> -<!-- section-todo --> - -Domain | Improvement ------------- | ---------------- -Kernel-MAC-1 | Add MAC config note. - -<!-- end-section-todo --> +Please also refer to the [**Mandatory Access Control** documentation in Platform](../part-5/1-MAC.html) part. +You can also find useful documentation and links on wikipedia about [**MAC**](https://en.wikipedia.org/wiki/Mandatory_access_control) +and about [**SMACK**](https://en.wikipedia.org/wiki/Simplified_Mandatory_Access_Control_Kernel). -------------------------------------------------------------------------------- |
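Review bot: In the ConfigNotes.md hunk at @@ -98,9 +98,16, the identifier Kernel-General-MAC-1 is reused: it used to carry "Must implement a Mandatory Access Control." and now names CONFIG_IP_NF_SECURITY, so the normative statement disappears and anything that cites that ID changes meaning. Consider keeping the original Object / Recommendations row and adding the config table beneath it under new identifiers. The new rows also give names and values bare (CONFIG_SECURITY_SMACK | y), while the neighbouring tables in this file wrap both in backticks (`CONFIG_DEVKMEM` | `n`); wrap them for consistency. The first two entries are set to m while the rest are y, and a short sentence on why those two are built as modules would help a reader applying the table.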
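Review bot: The Kernel-General-LibraryLinking-1 row added at @@ -158,6 +165,10 of ConfigNotes.md is not covered by the commit message, which only mentions MAC / SMACK kernel configs and links. Mention it in the message or split it into its own commit. The wording "Should generally not be allowed." also leaves the exceptions undefined, so state when dynamic linking is acceptable or point to the section that does.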
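Review bot: At @@ -472,8 +482,4 of ConfigNotes.md the Update-FOTA-1 row ("Must be secure.") is deleted, with no replacement in the visible hunks and no mention in the commit message. If the row was moved or superseded, say so in the message; otherwise the removal looks accidental in a change that is about MAC configuration. The same applies to the sentence about shadow stacks dropped at @@ -178,7 +189,6.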
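Review bot: In part-4/1-General.md at @@ -6,19 +6,22, the new link target ../part-5/1-MAC.html points at a rendered .html file from a .md source, so it resolves only in the generated site and not when the Markdown is read in the repository; confirm this matches the link convention used in the rest of the blueprint. The two added sentences sit on consecutive lines with no blank line between them, so Markdown will render them as a single paragraph; add a blank line if two paragraphs are intended, and capitalise "Wikipedia". As in the annex, the table drops the "Must implement a Mandatory Access Control." statement and lists the config names and values without backticks.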