-rw-r--r-- | security-blueprint/annexes/ConfigNotes.md | 16
-rw-r--r-- | security-blueprint/part-2/0_Abstract.md | 3
-rw-r--r-- | security-blueprint/part-2/2-Communication-modes.md | 2
-rw-r--r-- | security-blueprint/part-2/3-Consoles.md | 4
-rw-r--r-- | security-blueprint/part-3/0_Abstract.md | 2
-rw-r--r-- | security-blueprint/part-4/1-General.md | 28
6 files changed, 37 insertions, 18 deletions
diff --git a/security-blueprint/annexes/ConfigNotes.md b/security-blueprint/annexes/ConfigNotes.md index 3e1f295..f79f4fa 100644 --- a/security-blueprint/annexes/ConfigNotes.md +++ b/security-blueprint/annexes/ConfigNotes.md @@ -99,8 +99,8 @@ Boot-Consoles-MemDump-8 | `mtest` | _Disabled_ Boot-Consoles-MemDump-9 | `loopw` | _Disabled_ Domain | Object | Recommendations --------------------- | ------ | -------------------- -Kernel-General-MAC-1 | SMACK | Must implement a MAC +-------------------- | ------ | ------------------------------------------ +Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control. Domain | `Config` name | `Value` ---------------------- | -------------- | ------- @@ -131,9 +131,9 @@ Domain | `Config` name | `Value` Kernel-General-SocketMon-1 | `CONFIG_PACKET_DIAG` | `n` Kernel-General-SocketMon-2 | `CONFIG_UNIX_DIAG` | `n` -Domain | `Config` name | `Value` ------------------------- | ------------- | ------- -Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n` +Domain | `Config` name | `Value` +------------------------ | ---------------- | ------- +Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n` Domain | `Config` name | `Value` ------------------------------ | ------------------------- | ------- 
@@ -453,10 +453,10 @@ Domain | Tech name | Recommendations Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks. Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles. -Domain | Object | Recommendations ----------------------------- | ---------------- | ---------------------------------------- +Domain | Object | Recommendations +---------------------------- | -------------- | -------------------------------------- Application-Cloud-Download-1 | authentication | Must implement authentication process. -Application-Cloud-Download-2 | Authorization | Must implement Authorization process. +Application-Cloud-Download-2 | Authorization | Must implement Authorization process. Domain | Object | Recommendations ---------------------------------- | ------------- | ---------------------------------------------------------- diff --git a/security-blueprint/part-2/0_Abstract.md b/security-blueprint/part-2/0_Abstract.md index 5ebb750..6d10490 100644 --- a/security-blueprint/part-2/0_Abstract.md +++ b/security-blueprint/part-2/0_Abstract.md @@ -53,6 +53,7 @@ loads the Kernel/system image before passing control to it. The following table lists the terms utilized within this part of the document. Acronyms or Abbreviations | Description -------------------------- | --------------------------------- +------------------------- | ----------------------------------------------------------------------- _FUSE_ | **F**ilesystem in **U**ser**S**pac**E** _OTP_ | **O**ne-**T**ime-**P**rogrammable +_DOCSIS_ | **D**ata **O**ver **C**able **S**ervice **I**nterface **S**pecification diff --git a/security-blueprint/part-2/2-Communication-modes.md b/security-blueprint/part-2/2-Communication-modes.md index d3a823c..165f8fd 100644 --- a/security-blueprint/part-2/2-Communication-modes.md +++ b/security-blueprint/part-2/2-Communication-modes.md 
@@ -1,6 +1,6 @@ # Communication modes -## Disable USB, Serial and Docsis Support +## Disable USB, Serial and DOCSIS Support To disable USB support in U-Boot, following config's shall not be defined: diff --git a/security-blueprint/part-2/3-Consoles.md b/security-blueprint/part-2/3-Consoles.md index 5adad3f..a2d1209 100644 --- a/security-blueprint/part-2/3-Consoles.md +++ b/security-blueprint/part-2/3-Consoles.md @@ -21,8 +21,8 @@ Boot-Consoles-1 | Secure loader: No reference earlier? <!-- endtodo --> -And set "**silent**" environment variable. For the Secure loader, disable the -traces by undefined the below macro: +And set "**silent**" environment variable. For the Secure loader, +disable the traces by not defining the below macro: <!-- config --> diff --git a/security-blueprint/part-3/0_Abstract.md b/security-blueprint/part-3/0_Abstract.md index 3fb8831..4fe7fb6 100644 --- a/security-blueprint/part-3/0_Abstract.md +++ b/security-blueprint/part-3/0_Abstract.md @@ -3,6 +3,8 @@ Definition: "A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines". +It must include a signature verification (possibly delegated). + <!-- todo --> Domain | Improvement diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md index 013762f..6f951db 100644 --- a/security-blueprint/part-4/1-General.md +++ b/security-blueprint/part-4/1-General.md 
@@ -1,17 +1,25 @@ # General configuration -## MAC +## Mandatory Access Control Kernel should controls access with labels and policy. <!-- config --> Domain | Object | Recommendations --------------------- | ------ | -------------------- -Kernel-General-MAC-1 | SMACK | Must implement a MAC +-------------------- | ------ | ------------------------------------------ +Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control. <!-- endconfig --> +<!-- todo --> + +Domain | Improvement +------------ | ---------------- +Kernel-MAC-1 | Add MAC config note. + +<!-- endtodo --> + -------------------------------------------------------------------------------- ## Disable kexec @@ -129,9 +137,9 @@ This configuration for is supported in **Linux 3.16 and greater** and thus shoul <!-- config --> -Domain | `Config` name | `Value` ------------------------- | ------------- | ------- -Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n` +Domain | `Config` name | `Value` +------------------------ | ---------------- | ------- +Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n` <!-- endconfig --> @@ -139,6 +147,14 @@ Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n` ## Enable Enforced Module Signing +The kernel should never allow an unprivileged user the ability to load specific kernel modules, +since that would provide a facility to unexpectedly extend the available attack surface. + +To protect against even privileged users, systems may need to either disable +module loading entirely, or provide signed modules +(e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having +root load arbitrary kernel code via the module loader interface. + This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions. <!-- config --> |
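Review bot: in the annexes/ConfigNotes.md hunk at `@@ -99,8 +99,8 @@` and the part-4/1-General.md hunk at `@@ -1,17 +1,25 @@`, the new recommendation text "Must implement a Mandatory Access Control." is ungrammatical (MAC is a property, not a countable thing); "Must implement Mandatory Access Control." or "Must implement a Mandatory Access Control policy." reads correctly. These two tables are copies of each other and had to be fixed in lockstep here, so consider generating the annex table from the part files rather than maintaining both by hand.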
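Review bot: the `CONFIG_BPF_JIT` rename in the annexes/ConfigNotes.md hunk at `@@ -131,9 +131,9 @@` and in the part-4/1-General.md hunk at `@@ -129,9 +137,9 @@` is correct and matches the `CONFIG_` prefix used by the neighbouring rows (`CONFIG_PACKET_DIAG`, `CONFIG_UNIX_DIAG`). While in the part-4 hunk, the unchanged context line "This configuration for is supported in **Linux 3.16 and greater**" has a stray "for" and should read "This configuration is supported in **Linux 3.16 and greater**".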
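Review bot: the annexes/ConfigNotes.md hunk at `@@ -453,10 +453,10 @@` is whitespace-only but leaves trailing whitespace on the `Application-Cloud-Download-2` line and keeps the inconsistent capitalisation of the Object column ("authentication" vs "Authorization"); if the hunk is only here to realign the table, strip the trailing space and use the same case for both objects.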
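Review bot: the new sentence in part-3/0_Abstract.md, "It must include a signature verification (possibly delegated).", does not say what is verified or who may verify it, so it cannot be turned into a checkable requirement like the rest of the blueprint. State the object (for example the guest images the hypervisor loads) and the delegate (for example the boot chain that already verified the hypervisor), and give it a Domain identifier in the same `Part-Object-N` form as the other recommendations.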
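Review bot: in the part-4/1-General.md hunk at `@@ -1,17 +1,25 @@` the new todo row uses the identifier `Kernel-MAC-1` while the config row two lines above uses `Kernel-General-MAC-1`; pick one scheme so the todo can be matched to the requirement it is about. The unchanged context line "Kernel should controls access with labels and policy." is also ungrammatical and should read "The kernel should control access with labels and policy."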
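Review bot: the two paragraphs added in the part-4/1-General.md hunk at `@@ -139,6 +147,14 @@` mix two different mechanisms under the "Enable Enforced Module Signing" heading: `CONFIG_MODULE_SIG_FORCE` is what the heading and the "Linux 3.7 and greater" sentence below are about, while "dm-crypt with LoadPin" is an alternative way of restricting where modules may be loaded from and is not covered by that version statement. Either say explicitly that LoadPin is an alternative to signing, or move it to its own section with its own config row and version floor. Also write `CONFIG_MODULE_SIG_FORCE` in backticks as the rest of the page does for config names, and add the source reference for the text, which reads as quoted from the kernel's self-protection documentation.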
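Review bot: the part-2/2-Communication-modes.md and part-2/3-Consoles.md hunks are fine as wording fixes (DOCSIS is now spelled consistently with the new abbreviation table entry in part-2/0_Abstract.md). Two small things in the untouched context: "following config's shall not be defined" should be "the following configs shall not be defined", and "And set \"**silent**\" environment variable" should be "And set the \"**silent**\" environment variable".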