-rw-r--r-- security-blueprint/README.md | 2
-rw-r--r-- security-blueprint/annexes/ConfigNotes.md | 15
-rw-r--r-- security-blueprint/part-4/1-General.md | 42
-rw-r--r-- security-blueprint/part-4/2-Memory.md | 20
-rw-r--r-- security-blueprint/part-4/4-Debug.md | 6
5 files changed, 65 insertions, 20 deletions
diff --git a/security-blueprint/README.md b/security-blueprint/README.md index 5513dcc..4ae67de 100644 --- a/security-blueprint/README.md +++ b/security-blueprint/README.md @@ -2,7 +2,7 @@ This document presents the different attacks that can be envisaged on a recent car in order to be able to create a set of tests verifying the security of Automotive Grade Linux (AGL). The more general utility behind this document is to protect the manufacturers, customers and third party from potential financial and information loss. -This document is firstly based on the existing security-blueprint. +This document is firstly based on an existing AGL security-blueprint. **For security to be effective, the concepts must be simple. And by default, anything that is not allowed is forbidden.** diff --git a/security-blueprint/annexes/ConfigNotes.md b/security-blueprint/annexes/ConfigNotes.md index 6de1ca6..23b202a 100644 --- a/security-blueprint/annexes/ConfigNotes.md +++ b/security-blueprint/annexes/ConfigNotes.md @@ -139,6 +139,10 @@ Domain | `Config` name | `Value` ------------------------------ | ------------------------- | ------- Kernel-General-ModuleSigning-1 | `CONFIG_MODULE_SIG_FORCE` | `y` +Domain | `Variable` name | `Value` +------------------------------ | ------------------------- | ------- +Kernel-General-ModuleSigning-2 | `kernel.modules_disabled` | `1` + Domain | Object | _State_ ------------------------ | ------------------- | ---------- Kernel-General-Drivers-1 | `USB` | _Disabled_ 
@@ -154,10 +158,6 @@ Domain | `compiler` and `linker` options | _State_ Kernel-General-OverwriteAttacks-1 | `-z,relro` | _Enable_ Kernel-General-OverwriteAttacks-2 | `-z,now` | _Enable_ -Domain | `compiler` and `linker` options | _State_ -------------------------------- | ------------------------------- | -------- -Kernel-General-LibraryLinking-1 | `-static` | _Enable_ - Domain | `Config` name | `Value` ------------------------------ | ---------------- | ------- Kernel-Memory-RestrictAccess-1 | `CONFIG_DEVKMEM` | `n` @@ -192,9 +192,10 @@ Domain | `compiler` and `linker` options | _State_ ----------------------------- | ------------------------------- | -------- Kernel-Memory-StackSmashing-1 | `-fstack-protector-all` | _Enable_ -Domain | `compiler` and `linker` options | `Value` -------------------------------- | ------------------------------- | ------- -Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2` +Domain | `compiler` options and `config` name | `Value` +------------------------------- | ------------------------------------ | ------- +Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2` +Kernel-Memory-BufferOverflows-2 | `CONFIG_FORTIFY_SOURCE` | `y` Domain | `Config` name | `Value` ------------------------ | ---------------------------- | ------- diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md index f279b17..444c97d 100644 --- a/security-blueprint/part-4/1-General.md +++ b/security-blueprint/part-4/1-General.md @@ -24,7 +24,7 @@ Kernel-MAC-1 | Add MAC config note. ## Disable kexec -This prevents someone who gets root from supplanting the kernel. This can be used as a way to bypass signed kernels. +**Kexec** is a system call that enables you to load and boot into another kernel from the currently running kernel. This feature is not required in a production environment. <!-- section-config --> 
@@ -34,6 +34,12 @@ Kernel-General-kexec-1 | `CONFIG_KEXEC` | `n` <!-- end-section-config --> +<!-- section-note --> + +**kexec** can load arbitrary kernels but signing of new kernel can be enforced like it is can be enforced for new modules. + +<!-- end-section-note --> + -------------------------------------------------------------------------------- ## Disable kernel IP auto-configuration @@ -80,7 +86,7 @@ Kernel-General-LegacyLinux-1 | `CONFIG_USELIB` | `n` ## Disable firmware auto-loading user mode helper -The firmware auto loading helper, which is a utility executed by the kernel on `hotplug` events requiring firmware, needs to be set `setuid`. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. Disabling this configuration that is supported in **Linux 3.9 and greater**. +The firmware auto loading helper, which is a utility executed by the kernel on `hotplug` events requiring firmware, can to be set `setuid`. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. Disabling this configuration that is supported in **Linux 3.9 and greater**. <!-- section-config --> @@ -90,6 +96,12 @@ Kernel-General-FirmHelper-1 | `CONFIG_FW_LOADER_USER_HELPER` | `n` <!-- end-section-config --> +<!-- section-note --> + +It doesn't strictly need to be `setuid`, there is an option of shipping firmware builtin into kernel without initrd/filesystem. + +<!-- end-section-note --> + -------------------------------------------------------------------------------- ## Enable Kernel Panic on OOPS 
@@ -152,7 +164,7 @@ since that would provide a facility to unexpectedly extend the available attack To protect against even privileged users, systems may need to either disable module loading entirely, or provide signed modules -(e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having +(e.g. `CONFIG_MODULE_SIG_FORCE`, or dm-crypt with LoadPin), to keep from having root load arbitrary kernel code via the module loader interface. This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions. @@ -165,6 +177,16 @@ Kernel-General-ModuleSigning-1 | `CONFIG_MODULE_SIG_FORCE` | `y` <!-- end-section-config --> +It is also possible to block the loading of modules after startup with "kernel.modules_disabled". + +<!-- section-config --> + +Domain | `Variable` name | `Value` +------------------------------ | ------------------------- | ------- +Kernel-General-ModuleSigning-2 | `kernel.modules_disabled` | `1` + +<!-- end-section-config --> + -------------------------------------------------------------------------------- <!-- pagebreak --> 
@@ -236,12 +258,18 @@ Kernel-General-LibraryLinking-1 | Keep this part? <!-- end-section-todo --> -It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library. All libraries should be linked statically, but this is difficult to implement. +It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library. <!-- section-config --> -Domain | `compiler` and `linker` options | _State_ -------------------------------- | ------------------------------- | -------- -Kernel-General-LibraryLinking-1 | `-static` | _Enable_ +Domain | Object | Recommendations +------------------------------- | --------------- | -------------------------------- +Kernel-General-LibraryLinking-1 | Dynamic linking | Should generally not be allowed. <!-- end-section-config --> + +<!-- section-note --> + +Linking everything statically doesn't change anything wrt security as binaries will live under same user:group as libraries and setuid executables ignore `LD_PRELOAD/LD_LIBRARY_PATH`. It also increases RSS footprint and creates problems with upgrading. + +<!-- end-section-note --> diff --git a/security-blueprint/part-4/2-Memory.md b/security-blueprint/part-4/2-Memory.md index 822c928..d7af446 100644 --- a/security-blueprint/part-4/2-Memory.md +++ b/security-blueprint/part-4/2-Memory.md @@ -44,6 +44,15 @@ Kernel-Memory-Swap-1 | `CONFIG_SWAP` | `n` <!-- end-section-config --> +<!-- section-note --> + +- Enabling swap at runtime require `CAP_SYS_ADMIN`. +- Swap block device is usually under root:disk. +- Linux never swaps kernel pages. +- If swap disabling is not possible, swap encryption should be enabled. + +<!-- end-section-note --> + -------------------------------------------------------------------------------- <!-- pagebreak --> 
@@ -79,10 +88,10 @@ Domain | `Config` name | `Value` --------------------- | -------------------------- | ------- Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y` -Other defenses include things like shadow stacks. - <!-- end-section-config --> +Other defenses include things like shadow stacks. + -------------------------------------------------------------------------------- ## Disable access to /dev/mem @@ -137,9 +146,10 @@ Emit extra code to check for buffer overflows, such as stack smashing attacks. <!-- section-config --> -Domain | `compiler` and `linker` options | `Value` -------------------------------- | ------------------------------- | ------- -Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2` +Domain | `compiler` options and `config` name | `Value` +------------------------------- | ------------------------------------ | ------- +Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2` +Kernel-Memory-BufferOverflows-2 | `CONFIG_FORTIFY_SOURCE` | `y` <!-- end-section-config --> diff --git a/security-blueprint/part-4/4-Debug.md b/security-blueprint/part-4/4-Debug.md index 5a1eb24..cce5fc0 100644 --- a/security-blueprint/part-4/4-Debug.md +++ b/security-blueprint/part-4/4-Debug.md @@ -16,6 +16,12 @@ Kernel-Debug-Symbols-1 | `CONFIG_DEBUG_INFO` | `n` These kernel debug symbols are enabled by other config items in the kernel. Care should be taken to disable those also. If `CONFIG_DEBUG_INFO` cannot be disabled, then enabling `CONFIG_DEBUG_INFO_REDUCED` is second best. +<!-- section-note --> + +At least `CONFIG_DEBUG_INFO_REDUCED` should be always enabled for developers to convert addresses in oops messages to line numbers. + +<!-- end-section-note --> + -------------------------------------------------------------------------------- ## Disable Kprobes |
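Review bot: In the ConfigNotes.md hunk at `@@ -139,6 +139,10 @@`, the new `kernel.modules_disabled` row is filed under Kernel-General-ModuleSigning-2, but this sysctl has nothing to do with signature enforcement; it is a runtime switch that blocks all further module loading. Consider a separate domain name (for example a "ModuleLoading" domain) so that readers do not assume it is a second signing control, and keep the domain name identical in 1-General.md.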
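Review bot: In the ConfigNotes.md hunk at `@@ -154,10 +158,6 @@`, the Kernel-General-LibraryLinking-1 row is removed from the annex entirely, while the 1-General.md hunk at `@@ -236,12 +258,18 @@` keeps that domain and replaces the `-static` row with `Dynamic linking | Should generally not be allowed.`. The annex is meant to mirror the per-domain tables, so either add the replacement row here too or drop the domain in both files.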
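Review bot: In the ConfigNotes.md hunk at `@@ -192,9 +192,10 @@`, the new `CONFIG_FORTIFY_SOURCE` row should carry the same minimum-version note the rest of the blueprint uses ("supported in Linux X and greater"); kernel-side FORTIFY_SOURCE was introduced in Linux 4.13, so older AGL kernels will silently ignore the option. Also worth stating that `-D_FORTIFY_SOURCE=2` for userspace only takes effect when compiling with optimisation enabled (`-O1` or higher); at `-O0` the checks are not emitted.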
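Review bot: In the 1-General.md hunk at `@@ -24,7 +24,7 @@`, the rewritten kexec paragraph drops the security rationale that the old text stated ("prevents someone who gets root from supplanting the kernel ... bypass signed kernels") and replaces it with a functional description only. Keep both: say what kexec is, then why it matters for a signed-kernel boot chain, since the table row `CONFIG_KEXEC | n` is otherwise unmotivated.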
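Review bot: In the 1-General.md hunk at `@@ -34,6 +34,12 @@`, the added note has a grammar slip ("like it is can be enforced" should read "as it can be for new modules") and should name the option it alludes to: kernel signature checking is `CONFIG_KEXEC_VERIFY_SIG`, and it only covers the `kexec_file_load` syscall, not the legacy `kexec_load` path. Say so explicitly, because otherwise a reader may enable signature verification and believe `CONFIG_KEXEC=y` is now safe while the older syscall still accepts an unverified image.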
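Review bot: In the 1-General.md hunk at `@@ -80,7 +86,7 @@`, the changed sentence reads "can to be set `setuid`"; it should be "can be set `setuid`". While touching this line, the trailing sentence "Disabling this configuration that is supported in ..." is also ungrammatical and could become "Disabling this helper is supported in Linux 3.9 and greater."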
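Review bot: In the 1-General.md hunk at `@@ -90,6 +96,12 @@`, the added note is a comma splice ("It doesn't strictly need to be `setuid`, there is an option ...") and leaves the alternative unnamed. Splitting it into two sentences and pointing at the actual mechanism, building firmware blobs into the kernel image with `CONFIG_EXTRA_FIRMWARE`, would make the note actionable.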
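Review bot: In the 1-General.md hunk at `@@ -165,6 +177,16 @@`, the new `kernel.modules_disabled` section does not say that the sysctl is one-way: once set to `1` it cannot be cleared until reboot, so it must be applied only after every module the platform needs has been loaded (typically as a late boot step), or the device will fail to bring up hardware. It would also help to state that this is a sysctl rather than a build-time `Config`, which is why the table header says `Variable` name, and to mention that it is applied via `sysctl`/`sysctl.conf` rather than the kernel configuration.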
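Review bot: In the 1-General.md hunk at `@@ -236,12 +258,18 @@`, the recommendation row ("Dynamic linking | Should generally not be allowed.") and the new note ("Linking everything statically doesn't change anything wrt security ...") contradict each other, and the note also argues against the sentence just above it. Decide which position the blueprint takes; if the note's reasoning is accepted, the row should instead name the control that actually prevents library replacement (write-protected library directories under root ownership), not dynamic linking itself. Minor wording: "avoid the user from replacing a library with malicious library" should be "prevent a user from replacing a library with a malicious one", and "wrt" should be spelled out as "with respect to".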
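Review bot: In the 2-Memory.md hunk at `@@ -44,6 +44,15 @@`, the first bullet should read "requires `CAP_SYS_ADMIN`", and "Swap block device" should be "The swap block device". The third bullet ("Linux never swaps kernel pages") is misleading if `CONFIG_HIBERNATION` is enabled, since suspend-to-disk writes the whole memory image, kernel pages included, to the swap device; add that caveat or state that hibernation must also be disabled. The last bullet should say what "swap encryption" means in practice, for example dm-crypt over the swap device with a random key generated at each boot.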
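Review bot: In the 4-Debug.md hunk at `@@ -16,6 +16,12 @@`, the added note ("At least `CONFIG_DEBUG_INFO_REDUCED` should be always enabled") contradicts the table row above it that requires `CONFIG_DEBUG_INFO=n`: `CONFIG_DEBUG_INFO_REDUCED` depends on `CONFIG_DEBUG_INFO`, so both cannot hold for the same build. Scope the note to development builds (and say "should always be enabled"), keeping `CONFIG_DEBUG_INFO=n` as the production requirement.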