summaryrefslogtreecommitdiffstats
path: root/sec-blueprint/08-Hardening.md
diff options
context:
space:
mode:
Diffstat (limited to 'sec-blueprint/08-Hardening.md')
-rw-r--r--sec-blueprint/08-Hardening.md254
1 files changed, 139 insertions, 115 deletions
diff --git a/sec-blueprint/08-Hardening.md b/sec-blueprint/08-Hardening.md
index 7a6077b..8e2b582 100644
--- a/sec-blueprint/08-Hardening.md
+++ b/sec-blueprint/08-Hardening.md
@@ -14,7 +14,7 @@ Limitations
at security desktop and server versions of Linux as well as Android
exploits and hardening.
-- Some kernel configuration options can have an impact on performance.
+- Some kernel configuration options can have an impact on performance.
This will be noted where applicable.­
Document Structure
@@ -23,9 +23,10 @@ Document Structure
This document has been divided into three sections; REQUIREMENTS,
RECOMMENDATIONS, and VALIDATION. The REQUIREMENTS section details
explicit requirements that must be adhered to for the embedded
-device**.** The RECOMMENDATIONS section details best practices, and some
-recommended security settings for the embedded device. The third
-section, VALIDATION, provides reference scripts and test procedures that
+device.
+The RECOMMENDATIONS section details best practices, and some
+recommended security settings for the embedded device.
+The third section, VALIDATION, provides reference scripts and test procedures that
can be used to verify adherence with the REQUIREMENTS detailed in the
first section of this guide.
@@ -34,11 +35,11 @@ Hardening
The term *Hardening* refers to the tools, techniques and processes
required in order to reduce the attack surface on an embedded system,
-such as an embedded control unit (ECU) or other managed device. The
-target for all hardening activities is to prevent the execution of
+such as an embedded control unit (ECU) or other managed device.
+The target for all hardening activities is to prevent the execution of
invalid binaries on the device, and to prevent copying of security
-related data from the device. There are three main areas of focus for
-hardening an embedded device:
+related data from the device.
+There are three main areas of focus for hardening an embedded device:
Requirements
@@ -46,7 +47,8 @@ Requirements
For the purposes of reference and explanation, we are providing guidance
on how to configure an embedded device that runs with a linux 3. 10.17
- Linux kernel. These requirements must still be met by manufacturers that
+ Linux kernel.
+ These requirements must still be met by manufacturers that
opt to build using an alternative version of the Linux kernel.
Kernel Hardening
@@ -55,17 +57,18 @@ Kernel Hardening
The following sub-sections contain information on various kernel
configuration options to enhance the security measures in the kernel
and also for applications compiled to take advantage of these security
- features. Additionally, there are also configuration options that
- close known vulnerable configuration options. Here’s a high level
- summary of various kernel configurations that shall be required for
- deployment.
+ features.
+ Additionally, there are also configuration options that
+ close known vulnerable configuration options.
+ Here’s a high level summary of various kernel configurations that
+ shall be required for deployment.
### Disable the serial console
The serial console should be disabled to prevent an attacker from
accessing this powerful interface.
-```
+```bash
CONFIG_SERIAL_8250=n
CONFIG_SERIAL_8250_CONSOLE=n
CONFIG_SERIAL_CORE=n
@@ -75,7 +78,8 @@ Kernel Hardening
### Restrict access to kernel memory through device file
The /dev/kmem file in Linux systems is directly mapped to kernel
- virtual memory. This can be disastrous if an attacker gains root
+ virtual memory.
+ This can be disastrous if an attacker gains root
access, as the attacker would have direct access to kernel virtual
memory.
@@ -94,14 +98,14 @@ Kernel Hardening
The kernel command-line is used to control many aspects of the booting
kernel, and is prone to tampering as they are passed in RAM with
- little to no reverse validation on these parameters. To prevent this
- type of attack, the kernel shall be configured to ignore command line
+ little to no reverse validation on these parameters.
+ To prevent this type of attack, the kernel shall be configured to ignore command line
arguments, and use pre-configured (compile time) options instead.
Set the kernel command line in the CONFIG\_CMDLINE KConfig item and
then pass no arguments from the bootloader.
-```
+```bash
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE=”<*insert kernel command line here*>”
CONFIG_CMDLINE_OVERRIDE=y
@@ -117,13 +121,14 @@ Kernel Hardening
Debug symbols should always be removed from production kernels as they
provide a lot of information to attackers.
-```
+```bash
CONFIG_DEBUG_INFO=n
```
These kernel debug symbols are enabled by other config items in the
- kernel. Care should be taken to disable those also. If
- CONFIG\_DEBUG\_INFO cannot be disabled then enabling
+ kernel.
+ Care should be taken to disable those also.
+ If CONFIG\_DEBUG\_INFO cannot be disabled then enabling
CONFIG\_DEBUG\_INFO\_REDUCED is second best.
### Disable access to a kernel core dump
@@ -132,7 +137,7 @@ Kernel Hardening
user space -- if enabled it gives attackers a useful view into kernel
memory.
-```
+```bash
CONFIG_PROC_KCORE=n
```
@@ -140,40 +145,42 @@ Kernel Hardening
The Linux kernel supports KGDB over USB and console ports. These
mechanisms are controlled by the kgdbdbgp and kgdboc kernel
- command-line parameters. It is important to ensure that no shipping
+ command-line parameters.
+ It is important to ensure that no shipping
product contains a kernel with KGDB compiled-in.
-```
+```bash
CONFIG_KGDB=n
```
### Disable Kprobes
Kprobes enables you to dynamically break into any kernel routine and
- collect debugging and performance information non-disruptively. You
- can trap at almost any kernel code address, specifying a handler
+ collect debugging and performance information non-disruptively.
+ You can trap at almost any kernel code address, specifying a handler
routine to be invoked when the breakpoint is hit.
-```
+```bash
CONFIG_KPROBES=n
```
### Disable Tracing
- FTrace enables the kernel to trace every kernel function. Providing kernel
- trace functionality would assist an attacker in discovering attack vectors.
+ FTrace enables the kernel to trace every kernel function.
+ Providing kernel trace functionality would assist an attacker in discovering attack vectors.
-```
+```bash
CONFIG_FTRACE=n
```
### Disable Profiling
Profiling and OProfile enables profiling the whole system, include the kernel,
- kernel modules, libraries, and applications.Providing profiling functionality
+ kernel modules, libraries, and applications.
+ Providing profiling functionality
would assist an attacker in discovering attack vectors.
-```
+```bash
CONFIG_OPROFILE=n
CONFIG_PROFILING=n
```
@@ -181,12 +188,12 @@ Kernel Hardening
### Disable magic sysrq support
On a few architectures, you can access a powerful debugger interface
- from the keyboard. The same powerful interface can be present on the
- serial console – responding to serial break – of Linux on other
- architectures. Disable to avoid potentially exposing this powerful
- backdoor.
+ from the keyboard.
+ The same powerful interface can be present on the serial console
+ – responding to serial break – of Linux on other architectures.
+ Disable to avoid potentially exposing this powerful backdoor.
-```
+```bash
CONFIG_MAGIC_SYSRQ=n
```
@@ -196,37 +203,39 @@ Kernel Hardening
Programming (ROP) when trying to determine the effectives of an
exploit.
-```
+```bash
CONFIG_DEBUG_BUGVERBOSE=n
```
### Disable kexec
- This prevents someone who gets root from supplanting the kernel. This
- can be used as a way to bypass signed kernels.
+ This prevents someone who gets root from supplanting the kernel.
+ This can be used as a way to bypass signed kernels.
-```
+```bash
CONFIG_KEXEC=n
```
### Disable kernel IP autoconfiguration
It is preferable to have IP configuration performed using a user-space
- tool as these tend to have more validation. We do not want the network
+ tool as these tend to have more validation.
+ We do not want the network
interface coming up until the system has come up properly.
-```
+```bash
CONFIG_IP_PNP=n
```
### Disable /proc/config.gz
It is extremely important to not expose the kernel configuration used
- on a production device to a potential attacker. With access to the
+ on a production device to a potential attacker.
+ With access to the
kernel config, it could be possible for an attacker to build a custom
kernel for the device that may disable critical security features.
-```
+```bash
CONFIG_IKCONFIG=n
```
@@ -236,17 +245,17 @@ Kernel Hardening
the memory subsystem and then scour the pages written to swap for
useful information.
-```
+```bash
CONFIG_SWAP=n
```
### Disable namespace support
Do not allow namespace support to prevent duplicates of dev nodes,
- pids and mount points. This may be used in virtualization and
- container solutions like LXC, so in some cases it cannot be disabled.
+ pids and mount points.
+ This may be used in virtualization and container solutions like LXC, so in some cases it cannot be disabled.
-```
+```bash
CONFIG_NAMESPACES=n
```
@@ -256,7 +265,7 @@ Kernel Hardening
builds this can be a very useful way for an attacker to get files onto
and off of an STB.
-```
+```bash
CONFIG_NFSD=n
CONFIG_NFS_FS=n
```
@@ -264,25 +273,26 @@ Kernel Hardening
### Disable support for binary formats other than ELF
This will make possible to plug wrapper-driven binary formats into
- the kernel. It enables support for binary formats other than ELF. Providing
- the ability to use alternate interpreters would assist an attacker in
+ the kernel.
+ It enables support for binary formats other than ELF.
+ Providing the ability to use alternate interpreters would assist an attacker in
discovering attack vectors
-```
+```bash
CONFIG_BINFMT_MISC=n
```
### Disable “Load All Symbols”
There is a /proc/kallsyms file which exposes the kernel memory space
- address of many kernel symbols (functions, variables, etc.). This
- information is useful to attackers in identifying kernel
+ address of many kernel symbols (functions, variables, etc.).
+ This information is useful to attackers in identifying kernel
versions/configurations and in preparing payloads for exploits of
kernel space.
Both KALLSYMS\_ALL and KALLSYMS shall be disabled;
-```
+```bash
CONFIG_KALLSYMS=n
CONFIG_KALLSYMS_ALL=n
```
@@ -290,17 +300,18 @@ Kernel Hardening
### Disable Kernel Debugging
There are development-only branches of code in the kernel enabled by
- the DEBUG\_KERNEL conf. This should be disabled to compile-out these
- branches.
+ the DEBUG\_KERNEL conf.
+ This should be disabled to compile-out these branches.
-```
+```bash
CONFIG_DEBUG_KERNEL=n
```
In some kernel versions, disabling this requires also disabling
CONFIG\_EMBEDDED, and CONFIG\_EXPERT Disabling CONFIG\_EXPERT makes it
impossible to disable \_COREDUMP, DEBUG\_BUGVERBOSE, \_NAMESPACES,
- \_KALLSYMS and \_BUG. In which case it is better to leave this enabled
+ \_KALLSYMS and \_BUG.
+ In which case it is better to leave this enabled
than enable the others.
### Disable the kernel debug filesystem
@@ -308,7 +319,7 @@ Kernel Hardening
The kernel debug filesystem presents a lot of useful information and
means of manipulation of the kernel to an attacker.
-```
+```bash
CONFIG_DEBUG_FS=n
```
@@ -318,7 +329,7 @@ Kernel Hardening
and WARNs in kernel space, making it easier for attackers to develop
exploits.
-```
+```bash
CONFIG_BUG=n
```
@@ -327,7 +338,7 @@ Kernel Hardening
Enabling this will result in code being included that is hard to
maintain and not well tested.
-```
+```bash
CONFIG_SYSCTL_SYSCALL=n
```
@@ -335,23 +346,23 @@ Kernel Hardening
### Disable module unloading
- This stops an attacker unloading security focused kernel modules. It
- will also prevent the attacker from removing evidence of any attempted
+ This stops an attacker unloading security focused kernel modules.
+ It will also prevent the attacker from removing evidence of any attempted
kernel tampering that may have been initiated by loading of a kernel
module.
-```
+```bash
CONFIG_MODULE_UNLOAD=n
```
### Disable Forced Module Loading
If enabled, then modules without version information or with
- mismatched version information may be forcibly loaded into the kernel.
+ mismatched version information may be forcibly loaded into the kernel.
Disabling this configuration forces the attackers to build modules
with matched kernel sources and configuration in order to load them.
-```
+```bash
CONFIG_MODULE_FORCE_LOAD=n
```
@@ -359,7 +370,8 @@ Recommendations
===============
The following sections detail best practices that should be applied in
-order to secure a device. Although they are not currently listed as hard
+order to secure a device.
+Although they are not currently listed as hard
requirements, they may be upgraded to requirements status in the future.
@@ -371,10 +383,11 @@ Kernel Hardening
configuration options that will require updating to a newer kernel
version in order to enhance the security measures in the kernel and
also for applications compiled to take advantage of these security
- features.
+ features.
Additionally, there are also configuration options that close known
- vulnerable configuration options. Here’s a high level summary of the
+ vulnerable configuration options.
+ Here’s a high level summary of the
various kernel configurations and which kernel version they pertain:
| Kernel Configuration | Kernel Version |
@@ -395,84 +408,91 @@ Kernel Hardening
### Build with Stack Protection
Similar to the stack protector used for ELF programs in user-space,
- the kernel can protect its internal stacks as well. This configuration
- for the MIPS architecture is supported in Linux 3.11 and greater and
- thus should only be enabled for such versions. This configuration also
+ the kernel can protect its internal stacks as well.
+ This configuration for the MIPS architecture is supported in Linux 3.11 and greater and
+ thus should only be enabled for such versions.
+ This configuration also
requires building the kernel with the gcc compiler 4.2 or greater.
-```
+```bash
CONFIG_CC_STACKPROTECTOR=y
```
### Disable access to /dev/mem
The /dev/mem file in Linux systems is directly mapped to physical
- memory. This can be disastrous if an attacker gains root access, as
+ memory.
+ This can be disastrous if an attacker gains root access, as
the attacker would have direct access to physical memory through this
- convenient device file. It may not always be possible to disable such
- file, as some applications might need such support. In that case then
+ convenient device file.
+ It may not always be possible to disable such
+ file, as some applications might need such support.
+ In that case then
this device file should be available only for authenticated
- applications. This configuration is supported in Linux 4.0 and greater
+ applications.
+ This configuration is supported in Linux 4.0 and greater
and thus should only be disabled for such versions.
-```
+```bash
CONFIG_DEVMEM=n
```
### Disable cross-memory attach
Disable the process\_vm\_\*v syscalls which allow one process to
- peek/poke the virtual memory of another. This configuration is
+ peek/poke the virtual memory of another.
+ This configuration is
supported in Linux 3.5 and greater and thus should only be disabled
for such versions.
-```
+```bash
CROSS_MEMORY_ATTACH=n
```
### Disable core dumps
- Core dumps provide lot of debug information for hackers. So disabling
- core dumps is recommended in production builds. This configuration is
+ Core dumps provide lot of debug information for hackers.
+ So disabling core dumps is recommended in production builds.
+ This configuration is
supported in Linux 3.7 and greater and thus should only be disabled
for such versions.
-```
+```bash
CONFIG_COREDUMP=n
```
### Disable Legacy Linux Support
There are some Kernel Configs which are present only to support legacy
- binaries. See also section 2.2.2.18 for disabling support for legacy
- binary formats. The uselib system call, in particular, has no valid
- use in any libc6 or uclibc system in recent times. This configuration
- is supported in Linux 3.15 and greater and thus should only be
+ binaries.
+ See also section 2.2.2.18 for disabling support for legacy binary formats.
+ The uselib system call, in particular, has no valid use in any libc6 or uclibc system in recent times.
+ This configuration is supported in Linux 3.15 and greater and thus should only be
disabled for such versions.
-```
+```bash
CONFIG_USELIB=n
```
### Disable firmware auto-loading user mode helper
The firmware auto loading helper, which is a utility executed by the
- kernel on hotplug events requiring firmware, needs to be set setuid.
+ kernel on hotplug events requiring firmware, needs to be set setuid.
As a result of this, the helper utility is an attractive target for
- attackers with control of physical ports on the device. Disabling this
- configuration is supported in Linux 3.9 and greater.
+ attackers with control of physical ports on the device.
+ Disabling this configuration is supported in Linux 3.9 and greater.
-```
+```bash
CONFIG_FW_LOADER_USER_HELPER=n
```
### Enable Kernel Panic on OOPS
When fuzzing the kernel or attempting kernel exploits attackers are
- likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC
- can impede their progress. This configuration is supported in Linux
- 3.5 and greater and thus should only be enabled for such versions.
+ likely to trigger kernel OOPSes.
+ Setting the behavior on OOPS to PANIC can impede their progress.
+ This configuration is supported in Linux 3.5 and greater and thus should only be enabled for such versions.
-```
+```bash
CONFIG_PANIC_ON_OOPS=y
```
@@ -480,13 +500,14 @@ Kernel Hardening
These monitors can be used to inspect shared file descriptors on Unix
Domain sockets or traffic on ‘localhost’ which is otherwise assumed to
- be confidential. The **CONFIG\_PACKET\_DIAG** configuration is
- supported in Linux 3.7 and greater and thus should only be disabled
- for such versions. The **CONFIG\_UNIX\_DIAG** configuration is
+ be confidential.
+ The **CONFIG\_PACKET\_DIAG** configuration is supported in Linux 3.7 and greater and thus should only be disabled
+ for such versions.
+ The **CONFIG\_UNIX\_DIAG** configuration is
supported in Linux 3.3 and greater and thus should only be disabled
for such versions.
-```
+```bash
CONFIG_PACKET_DIAG=n
CONFIG_UNIX_DIAG=n
```
@@ -494,21 +515,24 @@ Kernel Hardening
### Disable BPF JIT
The BPF JIT can be used to create kernel-payloads from firewall table
- rules. This configuration for the MIPS architecture is supported in
+ rules.
+ This configuration for the MIPS architecture is supported in
Linux 3.16 and greater and thus should only be disabled for such
versions.
-```
+
+```bash
BPF_JIT=n
```
### Disable checkpoint/restore
The checkpoint/restore service can take a process, freeze it and
- migrate it. This results in providing more info than a core dump. This
- configuration is supported in Linux 3.3 and greater and thus should
+ migrate it.
+ This results in providing more info than a core dump.
+ This configuration is supported in Linux 3.3 and greater and thus should
only be disabled for such versions.
-```
+```bash
CONFIG_CHECKPOINT_RESTORE=n
```
@@ -517,15 +541,15 @@ Kernel Hardening
This configuration is supported in Linux 3.7 and greater and thus
should only be enabled for such versions.
-```
+```bash
CONFIG_MODULE_SIG_FORCE=y
```
### Disable all USB, PCMCIA (and other hotplug bus) drivers that aren’t needed
To reduce the attack surface, the driver enumeration, probe, and
- operation happen in the kernel. The driver data is parsed by the
- kernel, so any logic bugs in these drivers can become kernel exploits.
+ operation happen in the kernel.
+ The driver data is parsed by the kernel, so any logic bugs in these drivers can become kernel exploits.
### Disable all file systems not needed
@@ -536,8 +560,8 @@ Kernel Hardening
When attackers try to develop "run anywhere" exploits for kernel
vulnerabilities, they frequently need to know the location of internal
- kernel structures. By treating kernel addresses as sensitive
- information, those locations are not visible to regular local users.
+ kernel structures.
+ By treating kernel addresses as sensitive information, those locations are not visible to regular local users.
/proc/sys/kernel/kptr\_restrict is set to "1" to block the reporting
of known kernel address leaks.
@@ -549,8 +573,8 @@ Kernel Hardening
### DMESG Restrictions
When attackers try to develop "run anywhere" exploits for
- vulnerabilties, they frequently will use dmesg output. By treating
- dmesg output as sensitive information, this output is not available to
+ vulnerabilties, they frequently will use dmesg output.
+ By treating dmesg output as sensitive information, this output is not available to
the attacker.
/proc/sys/kernel/dmesg\_restrict can be set to "1" to treat dmesg
@@ -562,7 +586,7 @@ Kernel Hardening
options should be enabled to prevent SELlinux from being disabled at
either runtime or boot time.
-```
+```bash
CONFIG_SECURITY_SELINUX_DEVELOP=n
CONFIG_SECURITY_SELINUX_DISABLE=n
CONFIG_SECURITY_SELINUX_BOOTPARAM=n