path: root/security-blueprint/part-4/4-Debug.md
Diffstat (limited to 'security-blueprint/part-4/4-Debug.md')
-rw-r--r--security-blueprint/part-4/4-Debug.md52
1 files changed, 26 insertions, 26 deletions
diff --git a/security-blueprint/part-4/4-Debug.md b/security-blueprint/part-4/4-Debug.md
index c8d5de0..5a1eb24 100644
--- a/security-blueprint/part-4/4-Debug.md
+++ b/security-blueprint/part-4/4-Debug.md
@@ -6,13 +6,13 @@ No debuggers shall be present on the file system. This includes, but is not limi
Debug symbols should always be removed from production kernels as they provide a lot of information to attackers.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
---------------------- | ------------------- | -------
Kernel-Debug-Symbols-1 | `CONFIG_DEBUG_INFO` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
These kernel debug symbols are enabled by other config items in the kernel. Care should be taken to disable those also. If `CONFIG_DEBUG_INFO` cannot be disabled, then enabling `CONFIG_DEBUG_INFO_REDUCED` is second best.
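Review bot: renaming the marker pair from `<!-- config -->` / `<!-- endconfig -->` to `<!-- section-config -->` / `<!-- end-section-config -->` only works if whatever consumes these HTML comments (a table extractor or checklist generator) is updated in the same change; otherwise every config table in this file silently drops out of the generated output. Please either include the consumer change here or state in the commit message where it lives. While on this hunk, the surrounding text says `CONFIG_DEBUG_INFO` is "enabled by other config items" without naming them; listing the selecting options would make the "care should be taken to disable those also" instruction actionable.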
@@ -22,13 +22,13 @@ These kernel debug symbols are enabled by other config items in the kernel. Care
Kprobes enables you to dynamically break into any kernel routine and collect debugging and performance information non-disruptively. You can trap at almost any kernel code address, specifying a handler routine to be invoked when the breakpoint is hit.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
---------------------- | ---------------- | -------
Kernel-Debug-Kprobes-1 | `CONFIG_KPROBES` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -36,13 +36,13 @@ Kernel-Debug-Kprobes-1 | `CONFIG_KPROBES` | `n`
FTrace enables the kernel to trace every kernel function. Providing kernel trace functionality would assist an attacker in discovering attack vectors.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
---------------------- | --------------- | -------
Kernel-Debug-Tracing-1 | `CONFIG_FTRACE` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -50,14 +50,14 @@ Kernel-Debug-Tracing-1 | `CONFIG_FTRACE` | `n`
Profiling and OProfile enables profiling the whole system, include the kernel, kernel modules, libraries, and applications. Providing profiling functionality would assist an attacker in discovering attack vectors.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
------------------------ | ------------------ | -------
Kernel-Debug-Profiling-1 | `CONFIG_OPROFILE` | `n`
Kernel-Debug-Profiling-2 | `CONFIG_PROFILING` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -65,13 +65,13 @@ Kernel-Debug-Profiling-2 | `CONFIG_PROFILING` | `n`
The output from OOPS print can be helpful in Return Oriented Programming (ROP) when trying to determine the effectiveness of an exploit.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
------------------------ | ------------------------- | -------
Kernel-Debug-OOPSOnBUG-1 | `CONFIG_DEBUG_BUGVERBOSE` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -79,14 +79,14 @@ Kernel-Debug-OOPSOnBUG-1 | `CONFIG_DEBUG_BUGVERBOSE` | `n`
There are development-only branches of code in the kernel enabled by the `DEBUG_KERNEL` conf. This should be disabled to compile-out these branches.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
------------------ | --------------------- | -------
Kernel-Debug-Dev-1 | `CONFIG_DEBUG_KERNEL` | `n`
Kernel-Debug-Dev-2 | `CONFIG_EMBEDDED` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
In some kernel versions, disabling this requires also disabling `CONFIG_EMBEDDED`, and `CONFIG_EXPERT`. Disabling `CONFIG_EXPERT` makes it impossible to disable `COREDUMP`, `DEBUG_BUGVERBOSE`, `NAMESPACES`, `KALLSYMS` and `BUG`. In which case it is better to leave this enabled than enable the others.
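Review bot: the table row `Kernel-Debug-Dev-2 | CONFIG_EMBEDDED | n` contradicts the note directly below it, which says that on some kernel versions disabling `CONFIG_EMBEDDED` and `CONFIG_EXPERT` makes it impossible to disable `COREDUMP`, `DEBUG_BUGVERBOSE`, `NAMESPACES`, `KALLSYMS` and `BUG`, and that it is then "better to leave this enabled". Since the marker pair around this table is being rewritten anyway, either drop the `CONFIG_EMBEDDED` row and keep it as a conditional note, or make the note say explicitly that it qualifies row `Kernel-Debug-Dev-2`. The note also refers to "this" three times with different referents (`CONFIG_DEBUG_KERNEL`, then `CONFIG_EXPERT`); naming the option each time would remove the ambiguity.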
@@ -98,13 +98,13 @@ In some kernel versions, disabling this requires also disabling `CONFIG_EMBEDDED
The kernel debug filesystem presents a lot of useful information and means of manipulation of the kernel to an attacker.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
------------------------- | ----------------- | -------
Kernel-Debug-FileSystem-1 | `CONFIG_DEBUG_FS` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -112,13 +112,13 @@ Kernel-Debug-FileSystem-1 | `CONFIG_DEBUG_FS` | `n`
The kernel will display backtrace and register information for BUGs and WARNs in kernel space, making it easier for attackers to develop exploits.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
------------------ | ------------- | -------
Kernel-Debug-BUG-1 | `CONFIG_BUG` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -128,13 +128,13 @@ Core dumps provide a lot of debug information for hackers. So disabling core dum
This configuration is supported in **Linux 3.7 and greater** and thus should only be disabled for such versions.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
------------------------ | ----------------- | -------
Kernel-Debug-CoreDumps-1 | `CONFIG_COREDUMP` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -146,17 +146,17 @@ When attackers try to develop "run anywhere" exploits for kernel vulnerabilities
**/proc/sys/kernel/kptr_restrict is set to "1"** to block the reporting of known kernel address leaks.
-<!-- config -->
+<!-- section-config -->
Domain | `File` name | `Value`
---------------------------- | -------------------------------- | -------
Kernel-Debug-AdressDisplay-1 | `/proc/sys/kernel/kptr_restrict` | `1`
-<!-- endconfig -->
+<!-- end-section-config -->
Additionally, various files and directories should be readable only by the root user: `/boot/vmlinuz*`, `/boot/System.map*`, `/sys/kernel/debug/`, `/proc/slabinfo`
-<!-- config -->
+<!-- section-config -->
Domain | `File` or `Directorie` name | _State_
---------------------------- | --------------------------- | -----------------------------
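Review bot: style: the table header `Directorie` name should read `Directory` name, and the domain prefix `Kernel-Debug-AdressDisplay` is misspelled (`AddressDisplay`). The header is free text and can be fixed in this hunk; the domain identifier may be referenced by tooling or other parts of the blueprint, so renaming it should be a separate, coordinated change rather than folded into this marker rename.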
@@ -165,7 +165,7 @@ Kernel-Debug-AdressDisplay-2 | `/boot/System.map*` | _Readable Only for
Kernel-Debug-AdressDisplay-3 | `/sys/kernel/debug/` | _Readable Only for root user_
Kernel-Debug-AdressDisplay-4 | `/proc/slabinfo` | _Readable Only for root user_
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -175,13 +175,13 @@ When attackers try to develop "run anywhere" exploits for vulnerabilities, they
**/proc/sys/kernel/dmesg_restrict can be set to "1"** to treat dmesg output as sensitive.
-<!-- config -->
+<!-- section-config -->
Domain | `File` name | `Value`
-------------------- | --------------------------------- | -------
Kernel-Debug-DMESG-1 | `/proc/sys/kernel/dmesg_restrict` | `1`
-<!-- endconfig -->
+<!-- end-section-config -->
Enable the below compiler and linker options when building user-space applications to avoid stack smashing, buffer overflow attacks.
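Review bot: the trailing context line "Enable the below compiler and linker options when building user-space applications to avoid stack smashing, buffer overflow attacks." follows the `dmesg_restrict` table but is about user-space toolchain hardening, not kernel debug output. Since this change is about section markers, check that this paragraph heads its own section with its own `<!-- section-config -->` / `<!-- end-section-config -->` pair rather than sitting inside the DMESG section, where a table extractor keyed on the markers would miss it.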
@@ -193,10 +193,10 @@ Enable the below compiler and linker options when building user-space applicatio
It is extremely important to not expose the kernel configuration used on a production device to a potential attacker. With access to the kernel config, it could be possible for an attacker to build a custom kernel for the device that may disable critical security features.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
--------------------- | ----------------- | -------
Kernel-Debug-Config-1 | `CONFIG_IKCONFIG` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->