# General configuration

## Mandatory Access Control

The kernel should control access with labels and policy.
<!-- section-config -->

Domain | `Config` name | `Value`
-------------------- | ------------------------- | -------
Kernel-General-MAC-1 | `CONFIG_IP_NF_SECURITY` | `m`
Kernel-General-MAC-2 | `CONFIG_IP6_NF_SECURITY` | `m`
Kernel-General-MAC-3 | `CONFIG_EXT2_FS_SECURITY` | `y`
Kernel-General-MAC-4 | `CONFIG_EXT3_FS_SECURITY` | `y`
Kernel-General-MAC-5 | `CONFIG_EXT4_FS_SECURITY` | `y`
Kernel-General-MAC-6 | `CONFIG_SECURITY` | `y`
Kernel-General-MAC-7 | `CONFIG_SECURITY_SMACK` | `y`
Kernel-General-MAC-8 | `CONFIG_TMPFS_XATTR` | `y`

<!-- end-section-config -->
Please also refer to the [**Mandatory Access Control** documentation in the
Platform](../part-5/1-MAC.html) part. You can also find useful documentation and
links on Wikipedia about
[**MAC**](https://en.wikipedia.org/wiki/Mandatory_access_control) and about
[**SMACK**](https://en.wikipedia.org/wiki/Simplified_Mandatory_Access_Control_Kernel).
--------------------------------------------------------------------------------

**Kexec** is a system call that enables you to load and boot into another kernel
from the currently running kernel. This feature is not required in a production

<!-- section-config -->

Domain | `Config` name | `Value`
---------------------- | -------------- | -------
Kernel-General-kexec-1 | `CONFIG_KEXEC` | `n`

<!-- end-section-config -->
<!-- section-note -->

**kexec** can load arbitrary kernels, but signing of the new kernel can be
enforced, just as it can be enforced for new modules.

<!-- end-section-note -->
--------------------------------------------------------------------------------

## Disable kernel IP auto-configuration

It is preferable to have the IP configuration performed by a user-space tool,
as these tend to have more validation. We do not want the network interface
coming up until the system has come up properly.
<!-- section-config -->

Domain | `Config` name | `Value`
--------------------------- | --------------- | -------
Kernel-General-IPAutoConf-1 | `CONFIG_IP_PNP` | `n`

<!-- end-section-config -->
--------------------------------------------------------------------------------

## Disable Sysctl syscall support

Enabling this will result in code being included that is hard to maintain and

<!-- section-config -->

Domain | `Config` name | `Value`
------------------------------- | ----------------------- | -------
Kernel-General-SysCtl_SysCall-1 | `CONFIG_SYSCTL_SYSCALL` | `n`

<!-- end-section-config -->
--------------------------------------------------------------------------------

## Disable Legacy Linux Support

There are some kernel configs which are present only to support legacy binaries.
See also the "Consoles" part for disabling support for legacy binary formats.
The `uselib` system call, in particular, has had no valid use in any `libc6` or
`uclibc` system in recent times. This configuration is supported in
**Linux 3.15 and greater** and thus should only be disabled for such versions.
<!-- section-config -->

Domain | `Config` name | `Value`
---------------------------- | --------------- | -------
Kernel-General-LegacyLinux-1 | `CONFIG_USELIB` | `n`

<!-- end-section-config -->
--------------------------------------------------------------------------------

## Disable firmware auto-loading user mode helper

The firmware auto-loading helper, a utility executed by the kernel on `hotplug`
events requiring firmware, can be set `setuid`. As a result, the helper utility
is an attractive target for attackers with control of physical ports on the
device. Disabling this configuration is supported in **Linux 3.9 and greater**.
<!-- section-config -->

Domain | `Config` name | `Value`
--------------------------- | ------------------------------ | -------
Kernel-General-FirmHelper-1 | `CONFIG_FW_LOADER_USER_HELPER` | `n`

<!-- end-section-config -->
<!-- section-note -->

It doesn't strictly need to be `setuid`: there is the option of shipping the
firmware built into the kernel, without an initrd/filesystem.

<!-- end-section-note -->
--------------------------------------------------------------------------------

## Enable Kernel Panic on OOPS

When fuzzing the kernel or attempting kernel exploits, attackers are likely to
trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their

This configuration is supported in **Linux 3.5 and greater** and thus should
only be enabled for such versions.
<!-- section-config -->

Domain | `Config` name | `Value`
---------------------------- | ---------------------- | -------
Kernel-General-PanicOnOOPS-1 | `CONFIG_PANIC_ON_OOPS` | `y`

<!-- end-section-config -->

--------------------------------------------------------------------------------
## Disable socket monitoring interface

These monitors can be used to inspect shared file descriptors on Unix domain
sockets, or traffic on `localhost`, which is otherwise assumed to be
confidential.

The `CONFIG_PACKET_DIAG` configuration is supported in **Linux 3.7 and greater**
and thus should only be disabled for such versions.

The `CONFIG_UNIX_DIAG` configuration is supported in **Linux 3.3 and greater**
and thus should only be disabled for such versions.
<!-- section-config -->

Domain | `Config` name | `Value`
-------------------------- | -------------------- | -------
Kernel-General-SocketMon-1 | `CONFIG_PACKET_DIAG` | `n`
Kernel-General-SocketMon-2 | `CONFIG_UNIX_DIAG` | `n`

<!-- end-section-config -->
--------------------------------------------------------------------------------

The BPF JIT can be used to create kernel payloads from firewall table rules.

This configuration is supported in **Linux 3.16 and greater** and thus should
only be disabled for such versions.
<!-- section-config -->

Domain | `Config` name | `Value`
------------------------ | ---------------- | -------
Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------
## Enable Enforced Module Signing

The kernel should never allow an unprivileged user to load specific kernel
modules, since that would provide a facility to unexpectedly extend the
available attack surface.

To protect against even privileged users, systems may need to either disable
module loading entirely, or provide signed modules (e.g.
`CONFIG_MODULE_SIG_FORCE`, or dm-crypt with LoadPin), to prevent root from
loading arbitrary kernel code via the module loader interface.

This configuration is supported in **Linux 3.7 and greater** and thus should
only be enabled for such versions.
<!-- section-config -->

Domain | `Config` name | `Value`
------------------------------ | ------------------------- | -------
Kernel-General-ModuleSigning-1 | `CONFIG_MODULE_SIG_FORCE` | `y`

<!-- end-section-config -->

It is also possible to block the loading of modules after startup with
`kernel.modules_disabled`.

<!-- section-config -->

Domain | `Variable` name | `Value`
------------------------------ | ------------------------- | -------
Kernel-General-ModuleSigning-2 | `kernel.modules_disabled` | `1`

<!-- end-section-config -->
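The CONFIG values in the tables above (from the Mandatory Access Control section down to module signing) can be checked mechanically against a kernel's `.config`. The script below is an added example, not part of this document or of any project it describes; it assumes a POSIX shell with awk and runs against a constructed sample config rather than a real build:

```shell
#!/bin/sh
# Verify a kernel .config (or `zcat /proc/config.gz` saved to a file) against
# the CONFIG values required by the tables in this chapter.
# kconfig_value NAME < config-text: prints y, m or the literal value, "n" for
# a "# NAME is not set" line, or "missing" if NAME never appears.
kconfig_value() {
    awk -v n="$1" '
        $0 == ("# " n " is not set") { print "n"; found = 1; exit }
        index($0, n "=") == 1        { print substr($0, length(n) + 2); found = 1; exit }
        END { if (!found) print "missing" }'
}
# kconfig_check NAME EXPECTED < config-text: 0 on match, 1 on mismatch. A symbol
# absent from .config is "n" in Kconfig terms (unmet dependency, or a kernel too
# old to have it, cf. the version notes above), so "missing" satisfies "n".
kconfig_check() {
    actual=$(kconfig_value "$1")
    if [ "$actual" = "$2" ] || { [ "$2" = n ] && [ "$actual" = missing ]; }; then
        printf 'OK   %s=%s\n' "$1" "$2"; return 0
    fi
    printf 'FAIL %s: expected %s, found %s\n' "$1" "$2" "$actual"; return 1
}
# kconfig_audit CONFIG_FILE: checks every CONFIG requirement from this chapter;
# the return value is the number of failed checks.
kconfig_audit() {
    fails=0
    for rule in CONFIG_IP_NF_SECURITY=m CONFIG_IP6_NF_SECURITY=m \
                CONFIG_EXT2_FS_SECURITY=y CONFIG_EXT3_FS_SECURITY=y \
                CONFIG_EXT4_FS_SECURITY=y CONFIG_SECURITY=y CONFIG_SECURITY_SMACK=y \
                CONFIG_TMPFS_XATTR=y CONFIG_KEXEC=n CONFIG_IP_PNP=n \
                CONFIG_SYSCTL_SYSCALL=n CONFIG_USELIB=n CONFIG_FW_LOADER_USER_HELPER=n \
                CONFIG_PANIC_ON_OOPS=y CONFIG_PACKET_DIAG=n CONFIG_UNIX_DIAG=n \
                CONFIG_BPF_JIT=n CONFIG_MODULE_SIG_FORCE=y; do
        kconfig_check "${rule%=*}" "${rule#*=}" < "$1" || fails=$((fails + 1))
    done
    return "$fails"
}
# Constructed sample .config fragment (not from a real build): it violates two
# requirements (CONFIG_IP_PNP and CONFIG_BPF_JIT are enabled).
SAMPLE_CONFIG=$(printf '%s\n' CONFIG_IP_NF_SECURITY=m CONFIG_IP6_NF_SECURITY=m \
    CONFIG_EXT2_FS_SECURITY=y CONFIG_EXT3_FS_SECURITY=y CONFIG_EXT4_FS_SECURITY=y \
    CONFIG_SECURITY=y CONFIG_SECURITY_SMACK=y CONFIG_TMPFS_XATTR=y \
    '# CONFIG_KEXEC is not set' CONFIG_IP_PNP=y CONFIG_PANIC_ON_OOPS=y \
    CONFIG_BPF_JIT=y CONFIG_MODULE_SIG_FORCE=y)
tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
kconfig_audit "$tmp" || printf '%d requirement(s) not met\n' "$?"   # prints 2
rm -f "$tmp"
```

To audit a running system, pass `zcat /proc/config.gz > /tmp/config` (or the build tree's `.config`) to `kconfig_audit` instead of the sample.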
--------------------------------------------------------------------------------

## Disable all USB, PCMCIA (and other `hotplug` bus) drivers that aren't needed

Driver enumeration, probing, and operation happen in the kernel, and the driver
data is parsed by the kernel, so any logic bug in these drivers can become a
kernel exploit. Disabling the drivers that aren't needed reduces the attack
surface.
<!-- section-config -->

Domain | Object | _State_
------------------------ | ------------------- | ----------
Kernel-General-Drivers-1 | `USB` | _Disabled_
Kernel-General-Drivers-2 | `PCMCIA` | _Disabled_
Kernel-General-Drivers-3 | Other `hotplug` bus | _Disabled_

<!-- end-section-config -->

--------------------------------------------------------------------------------
## Position Independent Executables

<!-- section-todo -->

-------------------------------- | -----------------------------
Kernel-General-IndependentExec-1 | Kernel or/and platform part ?

<!-- end-section-todo -->

<!-- section-config -->

Domain | `compiler` and `linker` options | _State_
-------------------------------- | ------------------------------- | --------
Kernel-General-IndependentExec-1 | `-pie -fpic` | _Enable_

<!-- end-section-config -->

Produce a position independent executable on targets which support it.

--------------------------------------------------------------------------------
## Prevent Overwrite Attacks

The `-z,relro` linking option helps during program load: several ELF memory
sections need to be written by the linker, but can be turned read-only before
control is turned over to the program. This prevents some Global Offset Table
(GOT) overwrite attacks, as well as overwrites in the `dtors` section of the ELF
binary.
<!-- section-config -->

Domain | `compiler` and `linker` options | _State_
--------------------------------- | ------------------------------- | --------
Kernel-General-OverwriteAttacks-1 | `-z,relro` | _Enable_
Kernel-General-OverwriteAttacks-2 | `-z,now` | _Enable_

<!-- end-section-config -->
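Whether a built binary actually received the `-z,relro`, `-z,now` and `-pie` treatment from this section and the previous one can be read off `readelf` output: a `GNU_RELRO` segment gives partial RELRO, `BIND_NOW` on top of it gives full RELRO, and `Type: DYN` marks a PIE. The script below is an added example, not from this document or the toolchain it describes; it assumes GNU binutils `readelf` for real files and exercises the classifier on constructed excerpts of readelf output:

```shell
#!/bin/sh
# Classify a built binary's RELRO / BIND_NOW / PIE state, the properties the
# -z relro, -z now and -pie options above are meant to produce.

# elf_hardening_from_readelf < text
# Reads the combined output of `readelf -hW`, `readelf -lW` and `readelf -dW`
# for one file and prints "relro=full|partial|none pie=yes|no".
elf_hardening_from_readelf() {
    out=$(cat)
    relro=none
    # A PT_GNU_RELRO segment means the loader can mark the covered pages
    # read-only after relocation: partial RELRO.
    if printf '%s\n' "$out" | grep -q 'GNU_RELRO'; then
        relro=partial
        # Full RELRO additionally needs all symbols bound at load time (-z now),
        # reported as BIND_NOW in DT_FLAGS or NOW in DT_FLAGS_1; only then can
        # the whole GOT sit inside the read-only region.
        if printf '%s\n' "$out" | grep -Eq '\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*[[:space:]]NOW([[:space:]]|$)'; then
            relro=full
        fi
    fi
    # A PIE is an ET_DYN file (readelf shows "Type: DYN"); shared libraries also
    # report DYN, so for a .so this only confirms position-independent code.
    pie=no
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*Type:[[:space:]]+DYN'; then
        pie=yes
    fi
    printf 'relro=%s pie=%s\n' "$relro" "$pie"
}

# elf_hardening FILE: run readelf (GNU binutils) on a real binary.
elf_hardening() {
    { readelf -hW "$1"; readelf -lW "$1"; readelf -dW "$1"; } 2>/dev/null |
        elf_hardening_from_readelf
}

# Constructed excerpts of readelf output (not captured from a real binary),
# used so the classifier can be exercised without binutils installed.
FULL_RELRO_PIE='  Type:                              DYN (Shared object file)
  GNU_RELRO      0x002dd8 0x003dd8 0x003dd8 0x000228 0x000228 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
PARTIAL_RELRO_NOPIE='  Type:                              EXEC (Executable file)
  GNU_RELRO      0x002dd8 0x403dd8 0x403dd8 0x000228 0x000228 R   0x1'

printf '%s\n' "$FULL_RELRO_PIE" | elf_hardening_from_readelf       # relro=full pie=yes
printf '%s\n' "$PARTIAL_RELRO_NOPIE" | elf_hardening_from_readelf  # relro=partial pie=no
```

A binary that reports `relro=full` is the one whose GOT has been made read-only as described in the paragraph that follows; `relro=partial` means `-z,relro` was applied without `-z,now`.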
With `-z,now`, all dynamic symbols are resolved during program load, allowing
the complete GOT to be marked read-only (due to `-z relro` above). This
prevents GOT overwrite attacks. For very large applications, this can incur
some performance loss during initial load while symbols are resolved, but this
shouldn't be an

--------------------------------------------------------------------------------
<!-- section-todo -->

------------------------------- | ---------------
Kernel-General-LibraryLinking-1 | Keep this part?

<!-- end-section-todo -->

It is recommended that dynamic linking should generally not be allowed. This
prevents the user from replacing a library with a malicious library.
<!-- section-config -->

Domain | Object | Recommendations
------------------------------- | --------------- | --------------------------------
Kernel-General-LibraryLinking-1 | Dynamic linking | Should generally not be allowed.

<!-- end-section-config -->
<!-- section-note -->

Linking everything statically doesn't change anything with respect to security,
as binaries will live under the same user:group as libraries, and setuid
executables ignore `LD_PRELOAD`/`LD_LIBRARY_PATH`. It also increases the RSS
footprint and creates problems with upgrading.

<!-- end-section-note -->