1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
|
# General configuration
## Mandatory Access Control
Kernel should controls access with labels and policy.
<!-- section-config -->
Domain | Object | Recommendations
-------------------- | ------ | ------------------------------------------
Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control.
<!-- end-section-config -->
<!-- section-todo -->
Domain | Improvement
------------ | ----------------
Kernel-MAC-1 | Add MAC config note.
<!-- end-section-todo -->
--------------------------------------------------------------------------------
## Disable kexec
This prevents someone who gets root from supplanting the kernel. This can be used as a way to bypass signed kernels.
<!-- section-config -->
Domain | `Config` name | `Value`
---------------------- | -------------- | -------
Kernel-General-kexec-1 | `CONFIG_KEXEC` | `n`
<!-- end-section-config -->
--------------------------------------------------------------------------------
## Disable kernel IP auto-configuration
It is preferable to have an IP configuration performed using a user-space tool as these tend to have more validation. We do not want the network interface coming up until the system has come up properly.
<!-- section-config -->
Domain | `Config` name | `Value`
--------------------------- | --------------- | -------
Kernel-General-IPAutoConf-1 | `CONFIG_IP_PNP` | `n`
<!-- end-section-config -->
--------------------------------------------------------------------------------
## Disable Sysctl syscall support
Enabling this will result in code being included that is hard to maintain and not well tested.
<!-- section-config -->
Domain | `Config` name | `Value`
------------------------------- | ----------------------- | -------
Kernel-General-SysCtl_SysCall-1 | `CONFIG_SYSCTL_SYSCALL` | `n`
<!-- end-section-config -->
--------------------------------------------------------------------------------
## Disable Legacy Linux Support
There are some Kernel Configs which are present only to support legacy binaries. See also "Consoles" part in order to disabling support for legacy binary formats. The `uselib` system call, in particular, has no valid use in any `libc6` or `uclibc` system in recent times. This configuration is supported in **Linux 3.15 and greater** and thus should only be disabled for such versions.
<!-- section-config -->
Domain | `Config` name | `Value`
---------------------------- | --------------- | -------
Kernel-General-LegacyLinux-1 | `CONFIG_USELIB` | `n`
<!-- end-section-config -->
--------------------------------------------------------------------------------
## Disable firmware auto-loading user mode helper
The firmware auto loading helper, which is a utility executed by the kernel on `hotplug` events requiring firmware, needs to be set `setuid`. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. Disabling this configuration that is supported in **Linux 3.9 and greater**.
<!-- section-config -->
Domain | `Config` name | `Value`
--------------------------- | ------------------------------ | -------
Kernel-General-FirmHelper-1 | `CONFIG_FW_LOADER_USER_HELPER` | `n`
<!-- end-section-config -->
--------------------------------------------------------------------------------
## Enable Kernel Panic on OOPS
When fuzzing the kernel or attempting kernel exploits attackers are likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their progress.
This configuration is supported in **Linux 3.5 and greater** and thus should only be enabled for such versions.
<!-- section-config -->
Domain | `Config` name | `Value`
---------------------------- | ---------------------- | -------
Kernel-General-PanicOnOOPS-1 | `CONFIG_PANIC_ON_OOPS` | `y`
<!-- end-section-config -->
--------------------------------------------------------------------------------
<!-- pagebreak -->
## Disable socket monitoring interface
These monitors can be used to inspect shared file descriptors on Unix Domain sockets or traffic on 'localhost' which is otherwise assumed to be confidential.
The `CONFIG_PACKET_DIAG` configuration is supported in **Linux 3.7 and greater** and thus should only be disabled for such versions.
The `CONFIG_UNIX_DIAG` configuration is supported in **Linux 3.3 and greater** and thus should only be disabled for such versions.
<!-- section-config -->
Domain | `Config` name | `Value`
-------------------------- | -------------------- | -------
Kernel-General-SocketMon-1 | `CONFIG_PACKET_DIAG` | `n`
Kernel-General-SocketMon-2 | `CONFIG_UNIX_DIAG` | `n`
<!-- end-section-config -->
--------------------------------------------------------------------------------
## Disable BPF JIT
The BPF JIT can be used to create kernel-payloads from firewall table rules.
This configuration for is supported in **Linux 3.16 and greater** and thus should only be disabled for such versions.
<!-- section-config -->
Domain | `Config` name | `Value`
------------------------ | ---------------- | -------
Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n`
<!-- end-section-config -->
--------------------------------------------------------------------------------
## Enable Enforced Module Signing
The kernel should never allow an unprivileged user the ability to load specific kernel modules,
since that would provide a facility to unexpectedly extend the available attack surface.
To protect against even privileged users, systems may need to either disable
module loading entirely, or provide signed modules
(e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having
root load arbitrary kernel code via the module loader interface.
This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions.
<!-- section-config -->
Domain | `Config` name | `Value`
------------------------------ | ------------------------- | -------
Kernel-General-ModuleSigning-1 | `CONFIG_MODULE_SIG_FORCE` | `y`
<!-- end-section-config -->
--------------------------------------------------------------------------------
<!-- pagebreak -->
## Disable all USB, PCMCIA (and other `hotplug` bus) drivers that aren't needed
To reduce the attack surface, the driver enumeration, probe, and operation happen in the kernel. The driver data is parsed by the kernel, so any logic bugs in these drivers can become kernel exploits.
<!-- section-config -->
Domain | Object | _State_
------------------------ | ------------------- | ----------
Kernel-General-Drivers-1 | `USB` | _Disabled_
Kernel-General-Drivers-2 | `PCMCIA` | _Disabled_
Kernel-General-Drivers-3 | Other `hotplug` bus | _Disabled_
<!-- end-section-config -->
--------------------------------------------------------------------------------
## Position Independent Executables
<!-- section-todo -->
Domain | Improvement
-------------------------------- | -----------------------------
Kernel-General-IndependentExec-1 | Kernel or/and platform part ?
<!-- end-section-todo -->
<!-- section-config -->
Domain | `compiler` and `linker` options | _State_
-------------------------------- | ------------------------------- | --------
Kernel-General-IndependentExec-1 | `-pie -fpic` | _Enable_
<!-- end-section-config -->
Produce a position independent executable on targets which supports it.
--------------------------------------------------------------------------------
## Prevent Overwrite Attacks
`-z,relro` linking option helps during program load, several ELF memory sections need to be written by the linker, but can be turned read-only before turning over control to the program. This prevents some Global Offset Table GOT overwrite attacks, or in the dtors section of the ELF binary.
<!-- section-config -->
Domain | `compiler` and `linker` options | _State_
--------------------------------- | ------------------------------- | --------
Kernel-General-OverwriteAttacks-1 | `-z,relro` | _Enable_
Kernel-General-OverwriteAttacks-2 | `-z,now` | _Enable_
<!-- end-section-config -->
During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to `-z relro` above). This prevents GOT overwrite attacks. For very large application, this can incur some performance loss during initial load while symbols are resolved, but this shouldn't be an issue for daemons.
--------------------------------------------------------------------------------
<!-- pagebreak -->
## Library linking
<!-- section-todo -->
Domain | Improvement
------------------------------- | ---------------
Kernel-General-LibraryLinking-1 | Keep this part?
<!-- end-section-todo -->
It is recommended that dynamic linking should generally not be allowed. This will avoid the user from replacing a library with malicious library. All libraries should be linked statically, but this is difficult to implement.
<!-- section-config -->
Domain | `compiler` and `linker` options | _State_
------------------------------- | ------------------------------- | --------
Kernel-General-LibraryLinking-1 | `-static` | _Enable_
<!-- end-section-config -->
|