Diffstat (limited to 'security-blueprint/part-4/1-General.md')
-rw-r--r-- | security-blueprint/part-4/1-General.md | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md index 013762f..6f951db 100644 --- a/security-blueprint/part-4/1-General.md +++ b/security-blueprint/part-4/1-General.md @@ -1,17 +1,25 @@ # General configuration -## MAC +## Mandatory Access Control Kernel should controls access with labels and policy. <!-- config --> Domain | Object | Recommendations --------------------- | ------ | -------------------- -Kernel-General-MAC-1 | SMACK | Must implement a MAC +-------------------- | ------ | ------------------------------------------ +Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control. <!-- endconfig --> +<!-- todo --> + +Domain | Improvement +------------ | ---------------- +Kernel-MAC-1 | Add MAC config note. + +<!-- endtodo --> + -------------------------------------------------------------------------------- ## Disable kexec @@ -129,9 +137,9 @@ This configuration for is supported in **Linux 3.16 and greater** and thus shoul <!-- config --> -Domain | `Config` name | `Value` ------------------------- | ------------- | ------- -Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n` +Domain | `Config` name | `Value` +------------------------ | ---------------- | ------- +Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n` <!-- endconfig --> 
@@ -139,6 +147,14 @@ Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n` ## Enable Enforced Module Signing +The kernel should never allow an unprivileged user the ability to load specific kernel modules, +since that would provide a facility to unexpectedly extend the available attack surface. + +To protect against even privileged users, systems may need to either disable +module loading entirely, or provide signed modules +(e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having +root load arbitrary kernel code via the module loader interface. + This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions. <!-- config --> |
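Review bot: In the first hunk (the Mandatory Access Control section) the domain identifier in the new todo table, `Kernel-MAC-1`, does not match the identifier used in the config table directly above it, `Kernel-General-MAC-1`; since these identifiers are what readers use to cross-reference config and todo entries across the blueprint, the todo row should use the same `Kernel-General-MAC-1` name. While touching this section it would also be worth fixing the grammar of the unchanged context line "Kernel should controls access with labels and policy." to "The kernel should control access with labels and policy."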
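Review bot: In the BPF_JIT hunk the rename of `BPF_JIT` to `CONFIG_BPF_JIT` in the `Config name` column is the right direction, but the same convention should be applied consistently to every other config table in this file in the same change rather than one table at a time, otherwise readers cannot tell whether a bare name and a `CONFIG_`-prefixed name refer to different options. The hunk's context line also carries a stray word, "This configuration for is supported in **Linux 3.16 and greater**", which should read "This configuration is supported in **Linux 3.16 and greater**".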
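Review bot: In the module-signing hunk the new rationale names three distinct mitigations (disabling module loading entirely, `CONFIG_MODULE_SIG_FORCE`, and LoadPin) but the text does not say which of them the blueprint actually recommends, and the config table that follows only covers enforced module signing; either state that the table's `CONFIG_MODULE_SIG_FORCE` row is the recommended option and the others are alternatives, or add rows for them. Two smaller points: the option name should be formatted as `CONFIG_MODULE_SIG_FORCE` in backticks to match the `Config name` convention used in the tables, and the first sentence would be clearer as "The kernel should never allow an unprivileged user to load specific kernel modules, since that would provide a facility to unexpectedly extend the available attack surface."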