Diffstat (limited to 'security-blueprint/part-4/1-General.md')
-rw-r--r-- | security-blueprint/part-4/1-General.md | 56 |
1 files changed, 28 insertions, 28 deletions
diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md index 013762f..3653904 100644 --- a/security-blueprint/part-4/1-General.md +++ b/security-blueprint/part-4/1-General.md @@ -4,13 +4,13 @@ Kernel should controls access with labels and policy. -<!-- config --> +<!-- section-config --> Domain | Object | Recommendations -------------------- | ------ | -------------------- Kernel-General-MAC-1 | SMACK | Must implement a MAC -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -18,13 +18,13 @@ Kernel-General-MAC-1 | SMACK | Must implement a MAC This prevents someone who gets root from supplanting the kernel. This can be used as a way to bypass signed kernels. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------- | -------------- | ------- Kernel-General-kexec-1 | `CONFIG_KEXEC` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -32,13 +32,13 @@ Kernel-General-kexec-1 | `CONFIG_KEXEC` | `n` It is preferable to have an IP configuration performed using a user-space tool as these tend to have more validation. We do not want the network interface coming up until the system has come up properly. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` --------------------------- | --------------- | ------- Kernel-General-IPAutoConf-1 | `CONFIG_IP_PNP` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- 
@@ -46,13 +46,13 @@ Kernel-General-IPAutoConf-1 | `CONFIG_IP_PNP` | `n` Enabling this will result in code being included that is hard to maintain and not well tested. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------------- | ----------------------- | ------- Kernel-General-SysCtl_SysCall-1 | `CONFIG_SYSCTL_SYSCALL` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -60,13 +60,13 @@ Kernel-General-SysCtl_SysCall-1 | `CONFIG_SYSCTL_SYSCALL` | `n` There are some Kernel Configs which are present only to support legacy binaries. See also "Consoles" part in order to disabling support for legacy binary formats. The `uselib` system call, in particular, has no valid use in any `libc6` or `uclibc` system in recent times. This configuration is supported in **Linux 3.15 and greater** and thus should only be disabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------------- | --------------- | ------- Kernel-General-LegacyLinux-1 | `CONFIG_USELIB` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- 
@@ -74,13 +74,13 @@ Kernel-General-LegacyLinux-1 | `CONFIG_USELIB` | `n` The firmware auto loading helper, which is a utility executed by the kernel on `hotplug` events requiring firmware, needs to be set `setuid`. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. Disabling this configuration that is supported in **Linux 3.9 and greater**. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` --------------------------- | ------------------------------ | ------- Kernel-General-FirmHelper-1 | `CONFIG_FW_LOADER_USER_HELPER` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -90,13 +90,13 @@ When fuzzing the kernel or attempting kernel exploits attackers are likely to tr This configuration is supported in **Linux 3.5 and greater** and thus should only be enabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------------- | ---------------------- | ------- Kernel-General-PanicOnOOPS-1 | `CONFIG_PANIC_ON_OOPS` | `y` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -110,14 +110,14 @@ The `CONFIG_PACKET_DIAG` configuration is supported in **Linux 3.7 and greater** The `CONFIG_UNIX_DIAG` configuration is supported in **Linux 3.3 and greater** and thus should only be disabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` -------------------------- | -------------------- | ------- Kernel-General-SocketMon-1 | `CONFIG_PACKET_DIAG` | `n` Kernel-General-SocketMon-2 | `CONFIG_UNIX_DIAG` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- 
@@ -127,13 +127,13 @@ The BPF JIT can be used to create kernel-payloads from firewall table rules. This configuration for is supported in **Linux 3.16 and greater** and thus should only be disabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------ | ------------- | ------- Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -141,13 +141,13 @@ Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n` This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------------ | ------------------------- | ------- Kernel-General-ModuleSigning-1 | `CONFIG_MODULE_SIG_FORCE` | `y` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -157,7 +157,7 @@ Kernel-General-ModuleSigning-1 | `CONFIG_MODULE_SIG_FORCE` | `y` To reduce the attack surface, the driver enumeration, probe, and operation happen in the kernel. The driver data is parsed by the kernel, so any logic bugs in these drivers can become kernel exploits. -<!-- config --> +<!-- section-config --> Domain | Object | _State_ ------------------------ | ------------------- | ---------- 
@@ -165,19 +165,19 @@ Kernel-General-Drivers-1 | `USB` | _Disabled_ Kernel-General-Drivers-2 | `PCMCIA` | _Disabled_ Kernel-General-Drivers-3 | Other `hotplug` bus | _Disabled_ -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- ## Position Independent Executables -<!-- config --> +<!-- section-config --> Domain | `compiler` and `linker` options | _State_ -------------------------------- | ------------------------------- | -------- Kernel-General-IndependentExec-1 | `-pie -fpic` | _Enable_ -<!-- endconfig --> +<!-- end-section-config --> Produce a position independent executable on targets which supports it. @@ -187,14 +187,14 @@ Produce a position independent executable on targets which supports it. `-z,relro` linking option helps during program load, several ELF memory sections need to be written by the linker, but can be turned read-only before turning over control to the program. This prevents some Global Offset Table GOT overwrite attacks, or in the dtors section of the ELF binary. -<!-- config --> +<!-- section-config --> Domain | `compiler` and `linker` options | _State_ --------------------------------- | ------------------------------- | -------- Kernel-General-OverwriteAttacks-1 | `-z,relro` | _Enable_ Kernel-General-OverwriteAttacks-2 | `-z,now` | _Enable_ -<!-- endconfig --> +<!-- end-section-config --> During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to `-z relro` above). This prevents GOT overwrite attacks. For very large application, this can incur some performance loss during initial load while symbols are resolved, but this shouldn't be an issue for daemons. 
@@ -206,10 +206,10 @@ During program load, all dynamic symbols are resolved, allowing for the complete It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library. All libraries should be linked statically, but this is difficult to implement. -<!-- config --> +<!-- section-config --> Domain | `compiler` and `linker` options | _State_ ------------------------------- | ------------------------------- | -------- Kernel-General-LibraryLinking-1 | `-static` | _Enable_ -<!-- endconfig --> +<!-- end-section-config --> |
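Review bot: in hunk @@ -4,13 the markers are renamed to `<!-- section-config -->` / `<!-- end-section-config -->` but nothing in the change updates whatever consumes the old `<!-- config -->` / `<!-- endconfig -->` pair, so please confirm the generator or linter that extracts these tables is changed in the same commit, otherwise every block in this file silently stops being picked up. While in this hunk, the unchanged context line "Kernel should controls access with labels and policy." should read "The kernel should control access with labels and a policy."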
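Review bot: in hunk @@ -60,13 the context sentence "See also "Consoles" part in order to disabling support for legacy binary formats." is ungrammatical; suggest "See also the "Consoles" part for disabling support for legacy binary formats."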
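Review bot: in hunk @@ -74,13 the context line "Disabling this configuration that is supported in **Linux 3.9 and greater**." is a sentence fragment; the other sections use the form "This configuration is supported in **Linux 3.9 and greater** and thus should only be disabled for such versions.", so use the same wording here.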
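Review bot: in hunk @@ -127,13 the row `Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n`` is the only one in the file whose `Config` name lacks the `CONFIG_` prefix; it should be `CONFIG_BPF_JIT` so it matches the other rows and can be grepped in a `.config`. The context line "This configuration for is supported in" also carries a stray "for".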
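Review bot: in hunk @@ -157,7 the context sentence "To reduce the attack surface, the driver enumeration, probe, and operation happen in the kernel." inverts cause and effect: enumeration, probe and operation happening in the kernel is the reason these buses are an attack surface, not the way to reduce it. Suggest "Driver enumeration, probe and operation happen in the kernel, and the driver data is parsed by the kernel, so any logic bug in these drivers can become a kernel exploit; disabling unused hotplug buses reduces that attack surface."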
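Review bot: in hunk @@ -165,19 the cell `-pie -fpic` in the `Kernel-General-IndependentExec-1` row mixes flags: `-fpic` generates shared-object code, while a position independent executable is compiled with `-fPIE` and linked with `-pie`; change the cell to `-fPIE -pie`.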
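Review bot: in hunk @@ -187,14 the rows give `-z,relro` and `-z,now`, but under the column header "`compiler` and `linker` options" the usual spelling when invoking through the compiler driver is `-Wl,-z,relro` and `-Wl,-z,now` (or `-z relro` / `-z now` with a space when calling the linker directly); the comma-joined form as written is neither. The context sentence "This prevents some Global Offset Table GOT overwrite attacks, or in the dtors section of the ELF binary." also reads oddly; suggest "This prevents some overwrite attacks on the Global Offset Table (GOT) and on the `.dtors` section of the ELF binary."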
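Review bot: in hunk @@ -206,10 the `-static` row is marked _Enable_ unconditionally while the sentence above it concedes that linking everything statically "is difficult to implement", and a fully static binary has no dynamic symbol resolution for the `-z,now` recommendation above to act on; state the condition in the table (for example _Enable where feasible_) or explain how the two recommendations are meant to coexist. The context line "This will avoid the user from replacing a library with malicious library." should read "This prevents a user from replacing a library with a malicious one."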