From 4aac2f4590d9ae7ffa707a662c41b7e460a0ea3a Mon Sep 17 00:00:00 2001 From: mudcam Date: Mon, 16 Apr 2018 15:26:11 +0200 Subject: Integration of Eli Mordechai's comments. --- security-blueprint/part-4/1-General.md | 42 ++++++++++++++++++++++++++++------ security-blueprint/part-4/2-Memory.md | 20 ++++++++++++---- security-blueprint/part-4/4-Debug.md | 6 +++++ 3 files changed, 56 insertions(+), 12 deletions(-) (limited to 'security-blueprint/part-4') diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md index f279b17..444c97d 100644 --- a/security-blueprint/part-4/1-General.md +++ b/security-blueprint/part-4/1-General.md @@ -24,7 +24,7 @@ Kernel-MAC-1 | Add MAC config note. ## Disable kexec -This prevents someone who gets root from supplanting the kernel. This can be used as a way to bypass signed kernels. +**Kexec** is a system call that enables you to load and boot into another kernel from the currently running kernel. This feature is not required in a production environment. @@ -34,6 +34,12 @@ Kernel-General-kexec-1 | `CONFIG_KEXEC` | `n` + + +**kexec** can load arbitrary kernels but signing of new kernel can be enforced like it is can be enforced for new modules. + + + -------------------------------------------------------------------------------- ## Disable kernel IP auto-configuration 
@@ -80,7 +86,7 @@ Kernel-General-LegacyLinux-1 | `CONFIG_USELIB` | `n` ## Disable firmware auto-loading user mode helper -The firmware auto loading helper, which is a utility executed by the kernel on `hotplug` events requiring firmware, needs to be set `setuid`. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. Disabling this configuration that is supported in **Linux 3.9 and greater**. +The firmware auto loading helper, which is a utility executed by the kernel on `hotplug` events requiring firmware, can to be set `setuid`. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. Disabling this configuration that is supported in **Linux 3.9 and greater**. @@ -90,6 +96,12 @@ Kernel-General-FirmHelper-1 | `CONFIG_FW_LOADER_USER_HELPER` | `n` + + +It doesn't strictly need to be `setuid`, there is an option of shipping firmware builtin into kernel without initrd/filesystem. + + + -------------------------------------------------------------------------------- ## Enable Kernel Panic on OOPS @@ -152,7 +164,7 @@ since that would provide a facility to unexpectedly extend the available attack To protect against even privileged users, systems may need to either disable module loading entirely, or provide signed modules -(e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having +(e.g. `CONFIG_MODULE_SIG_FORCE`, or dm-crypt with LoadPin), to keep from having root load arbitrary kernel code via the module loader interface. This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions. 
@@ -165,6 +177,16 @@ Kernel-General-ModuleSigning-1 | `CONFIG_MODULE_SIG_FORCE` | `y` +It is also possible to block the loading of modules after startup with "kernel.modules_disabled". + + + +Domain | `Variable` name | `Value` +------------------------------ | ------------------------- | ------- +Kernel-General-ModuleSigning-2 | `kernel.modules_disabled` | `1` + + + -------------------------------------------------------------------------------- @@ -236,12 +258,18 @@ Kernel-General-LibraryLinking-1 | Keep this part? -It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library. All libraries should be linked statically, but this is difficult to implement. +It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library. -Domain | `compiler` and `linker` options | _State_ -------------------------------- | ------------------------------- | -------- -Kernel-General-LibraryLinking-1 | `-static` | _Enable_ +Domain | Object | Recommendations +------------------------------- | --------------- | -------------------------------- +Kernel-General-LibraryLinking-1 | Dynamic linking | Should generally not be allowed. + + + +Linking everything statically doesn't change anything wrt security as binaries will live under same user:group as libraries and setuid executables ignore `LD_PRELOAD/LD_LIBRARY_PATH`. It also increases RSS footprint and creates problems with upgrading. + + diff --git a/security-blueprint/part-4/2-Memory.md b/security-blueprint/part-4/2-Memory.md index 822c928..d7af446 100644 --- a/security-blueprint/part-4/2-Memory.md +++ b/security-blueprint/part-4/2-Memory.md 
@@ -44,6 +44,15 @@ Kernel-Memory-Swap-1 | `CONFIG_SWAP` | `n` + + +- Enabling swap at runtime require `CAP_SYS_ADMIN`. +- Swap block device is usually under root:disk. +- Linux never swaps kernel pages. +- If swap disabling is not possible, swap encryption should be enabled. + + + -------------------------------------------------------------------------------- @@ -79,10 +88,10 @@ Domain | `Config` name | `Value` --------------------- | -------------------------- | ------- Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y` -Other defenses include things like shadow stacks. - +Other defenses include things like shadow stacks. + -------------------------------------------------------------------------------- ## Disable access to /dev/mem @@ -137,9 +146,10 @@ Emit extra code to check for buffer overflows, such as stack smashing attacks. -Domain | `compiler` and `linker` options | `Value` -------------------------------- | ------------------------------- | ------- -Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2` +Domain | `compiler` options and `config` name | `Value` +------------------------------- | ------------------------------------ | ------- +Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2` +Kernel-Memory-BufferOverflows-2 | `CONFIG_FORTIFY_SOURCE` | `y` diff --git a/security-blueprint/part-4/4-Debug.md b/security-blueprint/part-4/4-Debug.md index 5a1eb24..cce5fc0 100644 --- a/security-blueprint/part-4/4-Debug.md +++ b/security-blueprint/part-4/4-Debug.md 
@@ -16,6 +16,12 @@ Kernel-Debug-Symbols-1 | `CONFIG_DEBUG_INFO` | `n` These kernel debug symbols are enabled by other config items in the kernel. Care should be taken to disable those also. If `CONFIG_DEBUG_INFO` cannot be disabled, then enabling `CONFIG_DEBUG_INFO_REDUCED` is second best. + + +At least `CONFIG_DEBUG_INFO_REDUCED` should be always enabled for developers to convert addresses in oops messages to line numbers. + + + -------------------------------------------------------------------------------- ## Disable Kprobes -- cgit
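Review bot: In the kexec hunk of `1-General.md` (`@@ -24,7`), the new wording drops the security rationale without replacing it: "This prevents someone who gets root from supplanting the kernel. This can be used as a way to bypass signed kernels." becomes a neutral definition of the syscall plus "This feature is not required in a production environment", so the reader no longer learns why `CONFIG_KEXEC=n` matters. Keep one sentence of the old rationale after the definition. The added note in the same hunk, "signing of new kernel can be enforced like it is can be enforced for new modules", has a doubled verb and names no setting; since the blueprint names config options everywhere else, state the option that enforces it (`CONFIG_KEXEC_VERIFY_SIG`, which applies to the `kexec_file_load` path) and make clear it is the fallback when `CONFIG_KEXEC` cannot be disabled outright.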
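Review bot: In the firmware-helper hunk of `1-General.md` (`@@ -80,7`), "needs to be set `setuid`" was changed to "can to be set `setuid`", which is not grammatical; "may need to be `setuid`" is the intended meaning. The same line still carries the pre-existing fragment "Disabling this configuration that is supported in **Linux 3.9 and greater**." which should read "Disabling this configuration is supported in Linux 3.9 and greater." The added paragraph "there is an option of shipping firmware builtin into kernel without initrd/filesystem" reads as a reviewer aside rather than guidance: name the option (`CONFIG_EXTRA_FIRMWARE`) and state the conclusion it supports, namely that with firmware built into the kernel image `CONFIG_FW_LOADER_USER_HELPER=n` costs nothing.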
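Review bot: In the module-loading hunk of `1-General.md` (`@@ -152,7`), the only change is to backtick `CONFIG_MODULE_SIG_FORCE`, but the same line keeps "or dm-crypt with LoadPin", which is wrong: LoadPin pins module and firmware loading to a single read-only, integrity-checked block device and is documented for use with dm-verity, not dm-crypt (dm-crypt provides confidentiality, not integrity of the pinned source). Since the line is being touched, correct it to "dm-verity with LoadPin".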
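Review bot: In the `kernel.modules_disabled` hunk of `1-General.md` (`@@ -165,6`), the new row is labelled `Kernel-General-ModuleSigning-2` although the sysctl has nothing to do with signing; a name such as `Kernel-General-ModuleLoading-1` would not mislead someone searching the domain list. The sentence "It is also possible to block the loading of modules after startup with "kernel.modules_disabled"" should also carry the two caveats an integrator needs: the sysctl is one-way (once set to `1` it cannot be cleared until reboot), so it must be set only after every module the platform needs has been loaded, typically as the last step of boot. Put `kernel.modules_disabled` in backticks like the other identifiers.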
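Review bot: In the library-linking hunk of `1-General.md` (`@@ -236,12`), the result contradicts itself: the retained recommendation says "dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library", while the added paragraph says "Linking everything statically doesn't change anything wrt security" and argues against it. The "Keep this part?" marker above the table is also still unresolved. Pick one position. If Eli Mordechai's argument is accepted, the actionable control is that library directories be root-owned and read-only (and that `setuid` binaries ignore `LD_PRELOAD`/`LD_LIBRARY_PATH`, as the note says), so rewrite the table row around that and drop the "Should generally not be allowed" recommendation, which is not a setting anyone can apply. Also expand "wrt" to "with respect to" and fix "avoid the user from replacing" to "prevent the user from replacing".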
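Review bot: In the swap hunk of `2-Memory.md` (`@@ -44,6`), the last bullet, "If swap disabling is not possible, swap encryption should be enabled.", is a recommendation and belongs in the section's table as its own domain row (for example `Kernel-Memory-Swap-2`) rather than hidden in a list of observations; it should also name the mechanism expected (dm-crypt over the swap device, with a key generated at boot, is the usual one). "Enabling swap at runtime require `CAP_SYS_ADMIN`" needs "requires". The bullets "Swap block device is usually under root:disk" and "Linux never swaps kernel pages" explain why the risk is limited; say so in a lead sentence, otherwise the list reads as unrelated facts under a `CONFIG_SWAP=n` recommendation.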
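Review bot: In the stack-protector hunk of `2-Memory.md` (`@@ -79,10`), the only difference between the removed and added "Other defenses include things like shadow stacks." lines is trailing whitespace, which is invisible in review and unrelated to the commit subject; confirm it is intentional (two trailing spaces force a Markdown line break) or drop the hunk. While here, the sentence itself is vague for a hardening guide: it names no config or toolchain option, so either point at a concrete setting or remove it.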
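Review bot: In the buffer-overflow hunk of `2-Memory.md` (`@@ -137,9`), the table now mixes a userspace compiler flag (`-D_FORTIFY_SOURCE` = `2`) with a kernel config (`CONFIG_FORTIFY_SOURCE` = `y`) under one description, "Emit extra code to check for buffer overflows", but they apply to different build targets. Add one sentence distinguishing them: `_FORTIFY_SOURCE` hardens glibc string/memory calls in user binaries and only takes effect when compiling with optimization enabled (`-O1` or higher), whereas `CONFIG_FORTIFY_SOURCE` applies the equivalent checks inside the kernel. Without the optimization caveat a builder can set the define and get no protection.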
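Review bot: In the debug-symbols hunk of `4-Debug.md` (`@@ -16,6`), the added note "At least `CONFIG_DEBUG_INFO_REDUCED` should be always enabled for developers" contradicts the recommendation it sits under (`CONFIG_DEBUG_INFO` = `n`, with `CONFIG_DEBUG_INFO_REDUCED` only as "second best"). Scope it explicitly: the reduced debug info is for development and debug builds so oops addresses can be mapped to line numbers, and production images still follow the `n` recommendation. Also reorder "should be always enabled" to "should always be enabled".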