**System Hardening:** Best practices associated with the configuration of an
embedded Linux-based operating system. This section includes both hardening of
the kernel itself, as well as specific configurations and patches used to
protect against known vulnerabilities within the build and configuration of the

At the kernel level, we must ensure that no console can be launched, since a
console could be used to change the behavior of the system or to gather more
information about it. Another aspect is the protection of the memory used by
the kernel.

The next sub-sections contain information on various kernel configuration
options that enhance the security of the kernel (3.10.17), and on options for
applications compiled to take advantage of these security features.
Additionally, there are configuration options that protect against
known-vulnerable configuration options. Here is a high-level summary of the
kernel configurations that shall be required for deployment.
The choice of kernel version for the AGL system is essential to its security.
Depending on the type of board and eventual production system, different kernel
versions are used. For example, one of the systems under study uses the Linux
kernel version 3.10, while another uses the Linux kernel version 4.4. For the
Linux kernel version 3.10.31, there are 25 known vulnerabilities. These
vulnerabilities would allow an attacker to gain privileges, bypass access
restrictions, corrupt memory, or cause denial of service. In contrast, the
Linux kernel version 4.4 has many fewer known vulnerabilities. For this reason,
we would in general recommend the later kernel version as a basis for the
platform.

Note that, although there are fewer known vulnerabilities in the most recent
kernel versions, there may be many unknown vulnerabilities underlying them. A
rule of thumb is to update the kernel as much as possible to avoid the problems
you do know about, but you should not be complacent in the trust that you place
in it. A defense-in-depth approach should then apply.

If there are constraints and dependencies in upgrading to a newer kernel version
(e.g. device drivers, board support providers) and you are forced to an older
Linux kernel version, additional provisions need to be made to reduce the risk
of kernel exploits; these can include memory monitoring, watchdog services, and
system call hooking. In this case, further defense-in-depth techniques may be
required to mitigate the risk of attacks on known vulnerabilities, which can
also include runtime integrity verification of components that are vulnerable
to tampering.
## Kernel Build Configuration

The kernel build configuration is extremely important for determining the level
of access to services and for reducing the breadth of the attack surface. Linux
contains a great and flexible number of capabilities, and these are controlled
only through the build configuration. For example, the `CONFIG_MODULES`
parameter allows kernel modules to be loaded at runtime, extending the
capabilities of the kernel. This capability needs to be either inhibited or
controlled at runtime through other configuration parameters. For example,
`CONFIG_MODULE_SIG_FORCE=y` ensures that only signed modules are loaded. There
is a very large number of kernel configuration parameters, and these are
discussed in detail in this
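As an added example (not part of this document or of the AGL project), the following Python script audits a kernel `.config` against the kind of requirements listed in the tables that follow. It parses the two line forms Kconfig writes (`CONFIG_X=value` and `# CONFIG_X is not set`), treats an absent option as `n`, and, as a choice of this checker rather than a statement from the page, accepts `y` where a table asks for `m`. The `REQUIRED` dictionary holds a subset of this page's values and the sample `.config` fragment is constructed for the offline run; point the script at the real `.config` from the kernel build tree to audit a device image.

```python
"""Audit a kernel .config against required Kconfig values.

Added example (not AGL project code). REQUIRED is a subset of the values
recommended on this page; extend it with the remaining tables.
"""
import re

# Subset of this page's recommendations: option -> required value.
REQUIRED = {
    "CONFIG_SECURITY": "y",
    "CONFIG_SECURITY_SMACK": "y",
    "CONFIG_IP_NF_SECURITY": "m",
    "CONFIG_MODULE_SIG_FORCE": "y",
    "CONFIG_PANIC_ON_OOPS": "y",
    "CONFIG_KEXEC": "n",
    "CONFIG_DEVKMEM": "n",
    "CONFIG_KALLSYMS": "n",
}

# Constructed sample .config fragment for the offline run; the real input is
# the .config in the kernel build tree (or /proc/config.gz on a dev image).
SAMPLE_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
#
CONFIG_SECURITY=y
CONFIG_SECURITY_SMACK=y
CONFIG_IP_NF_SECURITY=m
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_KEXEC=y
# CONFIG_DEVKMEM is not set
CONFIG_KALLSYMS=y
CONFIG_CMDLINE="console=ttyS0,115200"
"""

_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Return {option: value}. 'is not set' lines map to 'n'; quoted string
    values lose their quotes. Options absent from the file stay absent here
    (Kconfig treats an absent bool/tristate option as n)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            values[name] = value
            continue
        m = _UNSET_RE.match(line)
        if m:
            values[m.group(1)] = "n"
    return values


def satisfies(required, actual):
    """Kconfig semantics used by this checker: a required 'n' is met by an
    absent or 'is not set' option; a required 'm' is also met by 'y'
    (built in), since the functionality is present either way. The latter
    is an assumption of this checker, not a statement from the page."""
    if required == "n":
        return actual in (None, "n")
    if required == "m":
        return actual in ("m", "y")
    return actual == required


def check_config(text, required=REQUIRED):
    """Return a sorted list of (option, required, actual) for every
    requirement the config does not satisfy."""
    values = parse_config(text)
    findings = []
    for option, want in required.items():
        have = values.get(option)
        if not satisfies(want, have):
            findings.append((option, want, "<absent>" if have is None else have))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for option, want, have in check_config(text):
        print(f"FAIL {option}: required {want}, found {have}")
```

Against the constructed fragment the script reports four failures: `CONFIG_MODULE_SIG_FORCE` is explicitly unset, `CONFIG_KEXEC` and `CONFIG_KALLSYMS` are enabled, and `CONFIG_PANIC_ON_OOPS` is missing from the file altogether.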
# General configuration

## Mandatory Access Control

The kernel should control access with labels and policy.

Domain | `Config` name | `Value`
-------------------- | ------------------------- | -------
Kernel-General-MAC-1 | `CONFIG_IP_NF_SECURITY` | `m`
Kernel-General-MAC-2 | `CONFIG_IP6_NF_SECURITY` | `m`
Kernel-General-MAC-3 | `CONFIG_EXT2_FS_SECURITY` | `y`
Kernel-General-MAC-4 | `CONFIG_EXT3_FS_SECURITY` | `y`
Kernel-General-MAC-5 | `CONFIG_EXT4_FS_SECURITY` | `y`
Kernel-General-MAC-6 | `CONFIG_SECURITY` | `y`
Kernel-General-MAC-7 | `CONFIG_SECURITY_SMACK` | `y`
Kernel-General-MAC-8 | `CONFIG_TMPFS_XATTR` | `y`

Please also refer to the [Mandatory Access Control documentation in
Platform](5_Platform.md). You can also find useful documentation and links on
Wikipedia about
[**MAC**](https://en.wikipedia.org/wiki/Mandatory_access_control) and about
[**SMACK**](https://en.wikipedia.org/wiki/Simplified_Mandatory_Access_Control_Kernel).
--------------------------------------------------------------------------------

**Kexec** is a system call that enables you to load and boot into another kernel
from the currently running kernel. This feature is not required in a production

Domain | `Config` name | `Value`
---------------------- | -------------- | -------
Kernel-General-kexec-1 | `CONFIG_KEXEC` | `n`

**kexec** can load arbitrary kernels, but signing of a new kernel can be
enforced, as it can be for new modules.

--------------------------------------------------------------------------------
## Disable kernel IP auto-configuration

It is preferable to have the IP configuration performed by a user-space tool,
as these tend to do more validation. We do not want the network interface
coming up until the system has come up properly.

Domain | `Config` name | `Value`
--------------------------- | --------------- | -------
Kernel-General-IPAutoConf-1 | `CONFIG_IP_PNP` | `n`

--------------------------------------------------------------------------------
## Disable Sysctl syscall support

Enabling this will result in code being included that is hard to maintain and

Domain | `Config` name | `Value`
------------------------------- | ----------------------- | -------
Kernel-General-SysCtl_SysCall-1 | `CONFIG_SYSCTL_SYSCALL` | `n`

--------------------------------------------------------------------------------
## Disable Legacy Linux Support

Some kernel configs are present only to support legacy binaries. See also the
"Consoles" part for disabling support for legacy binary formats. The `uselib`
system call, in particular, has no valid use in any `libc6` or `uclibc` system
in recent times. This configuration is supported in **Linux 3.15 and greater**
and thus should only be disabled for such versions.

Domain | `Config` name | `Value`
---------------------------- | --------------- | -------
Kernel-General-LegacyLinux-1 | `CONFIG_USELIB` | `n`

--------------------------------------------------------------------------------
## Disable firmware auto-loading user mode helper

The firmware auto-loading helper, a utility executed by the kernel on `hotplug`
events that require firmware, can be set `setuid`. As a result, the helper
utility is an attractive target for attackers with control of physical ports on
the device. Disabling this configuration is supported in **Linux 3.9 and
greater**.

Domain | `Config` name | `Value`
--------------------------- | ------------------------------ | -------
Kernel-General-FirmHelper-1 | `CONFIG_FW_LOADER_USER_HELPER` | `n`

It doesn't strictly need to be `setuid`; there is the option of shipping the
firmware built into the kernel, without an initrd or filesystem.

--------------------------------------------------------------------------------
## Enable Kernel Panic on OOPS

When fuzzing the kernel or attempting kernel exploits, attackers are likely to
trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their

This configuration is supported in **Linux 3.5 and greater** and thus should
only be enabled for such versions.

Domain | `Config` name | `Value`
---------------------------- | ---------------------- | -------
Kernel-General-PanicOnOOPS-1 | `CONFIG_PANIC_ON_OOPS` | `y`

--------------------------------------------------------------------------------
## Disable socket monitoring interface

These monitors can be used to inspect shared file descriptors on Unix domain
sockets or traffic on 'localhost', which is otherwise assumed to be
confidential.

The `CONFIG_PACKET_DIAG` configuration is supported in **Linux 3.7 and greater**
and thus should only be disabled for such versions.

The `CONFIG_UNIX_DIAG` configuration is supported in **Linux 3.3 and greater**
and thus should only be disabled for such versions.

Domain | `Config` name | `Value`
-------------------------- | -------------------- | -------
Kernel-General-SocketMon-1 | `CONFIG_PACKET_DIAG` | `n`
Kernel-General-SocketMon-2 | `CONFIG_UNIX_DIAG` | `n`

--------------------------------------------------------------------------------
The BPF JIT can be used to create kernel payloads from firewall table rules.

This configuration is supported in **Linux 3.16 and greater** and thus should
only be disabled for such versions.

Domain | `Config` name | `Value`
------------------------ | ---------------- | -------
Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n`

--------------------------------------------------------------------------------
## Enable Enforced Module Signing

The kernel should never allow an unprivileged user the ability to load specific
kernel modules, since that would provide a facility to unexpectedly extend the
available attack surface.

To protect against even privileged users, systems may need to either disable
module loading entirely or provide signed modules (e.g.
`CONFIG_MODULE_SIG_FORCE`, or dm-crypt with LoadPin), to keep root from loading
arbitrary kernel code via the module loader interface.

This configuration is supported in **Linux 3.7 and greater** and thus should
only be enabled for such versions.

Domain | `Config` name | `Value`
------------------------------ | ------------------------- | -------
Kernel-General-ModuleSigning-1 | `CONFIG_MODULE_SIG_FORCE` | `y`

It is also possible to block the loading of modules after startup with the
`kernel.modules_disabled` sysctl.

Domain | `Variable` name | `Value`
------------------------------ | ------------------------- | -------
Kernel-General-ModuleSigning-2 | `kernel.modules_disabled` | `1`

--------------------------------------------------------------------------------
## Disable all USB, PCMCIA (and other `hotplug` bus) drivers that aren't needed

Driver enumeration, probing, and operation happen in the kernel, and the driver
data is parsed by the kernel, so any logic bug in these drivers can become a
kernel exploit. Disabling the drivers that are not needed reduces the attack
surface.

Domain | Object | _State_
------------------------ | ------------------- | ----------
Kernel-General-Drivers-1 | `USB` | _Disabled_
Kernel-General-Drivers-2 | `PCMCIA` | _Disabled_
Kernel-General-Drivers-3 | Other `hotplug` bus | _Disabled_

--------------------------------------------------------------------------------
## Position Independent Executables

Domain | `compiler` and `linker` options | _State_
-------------------------------- | ------------------------------- | --------
Kernel-General-IndependentExec-1 | `-pie -fpic` | _Enable_

Produce a position-independent executable on targets which support it.

--------------------------------------------------------------------------------
## Prevent Overwrite Attacks

The `-z,relro` linking option helps during program load: several ELF memory
sections need to be written by the linker, but can be turned read-only before
turning over control to the program. This prevents some Global Offset Table
(GOT) overwrite attacks, and overwrites in the dtors section of the ELF binary.

Domain | `compiler` and `linker` options | _State_
--------------------------------- | ------------------------------- | --------
Kernel-General-OverwriteAttacks-1 | `-z,relro` | _Enable_
Kernel-General-OverwriteAttacks-2 | `-z,now` | _Enable_

During program load, all dynamic symbols are resolved, allowing the complete
GOT to be marked read-only (due to `-z relro` above). This prevents GOT
overwrite attacks. For very large applications, this can incur some performance
loss during initial load while symbols are resolved, but this shouldn't be an
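To see what `-pie`, `-z relro` and `-z now` actually leave in a binary, here is an added example (not from the page or the AGL project) that reads the ELF program headers and dynamic section the way the loader does: `-z relro` shows up as a `PT_GNU_RELRO` segment, `-z now` as the `DF_BIND_NOW` flag in `DT_FLAGS` (and `DF_1_NOW` in `DT_FLAGS_1`), and `-pie` as an `ET_DYN` file type. The `build_sample_elf` helper constructs a minimal ELF64 image carrying only these headers so the check can run offline; on a device, pass real binaries on the command line. Only little-endian ELF64 is handled.

```python
"""Check an ELF binary for PIE and RELRO the way the loader sees it.

Added example, not AGL project code. Only little-endian ELF64 is handled.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR_FMT = "<HHIQQQIHHHHHH"  # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"       # ELF64 program header (56 bytes)
DYN_FMT = "<qQ"              # Elf64_Dyn: d_tag, d_val


def analyze_elf(data):
    """Return {'pie': bool, 'relro': 'full' | 'partial' | 'none'}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is supported")
    (e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    has_relro_segment, bind_now = False, False
    for i in range(e_phnum):
        (p_type, _pflags, p_offset, _va, _pa, p_filesz, _memsz,
         _align) = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro_segment = True        # what `-z relro` emits
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section up to DT_NULL looking for the
            # immediate-binding flags that `-z now` sets.
            off = p_offset
            while off + 16 <= p_offset + p_filesz:
                d_tag, d_val = struct.unpack_from(DYN_FMT, data, off)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
                   (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True
                off += 16
    if not has_relro_segment:
        relro = "none"
    elif bind_now:
        relro = "full"      # whole GOT is read-only once loading completes
    else:
        relro = "partial"   # lazy binding keeps part of the GOT writable
    # ET_DYN also covers shared libraries; for an executable it means PIE.
    return {"pie": e_type == ET_DYN, "relro": relro}


def build_sample_elf(pie=True, relro=True, bind_now=True):
    """Constructed minimal ELF64 image carrying only the headers the check
    above reads; it is not a runnable program. Used for the offline run."""
    dyn = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn)
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum               # dynamic section follows the phdrs
    phdrs = [(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, v1, SysV ABI
    ehdr = ident + struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + dyn_bytes


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, analyze_elf(f.read()))
    if len(sys.argv) == 1:
        print("sample:", analyze_elf(build_sample_elf()))
```

A `partial` result means the GOT is still writable after load because lazy binding is in use; both linker options are needed for `full` RELRO, which is the state the two table rows above together produce.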
--------------------------------------------------------------------------------
It is recommended that dynamic linking should generally not be allowed. This
will prevent the user from replacing a library with a malicious library.

Domain | Object | Recommendations
------------------------------- | --------------- | --------------------------------
Kernel-General-LibraryLinking-1 | Dynamic linking | Should generally not be allowed.

Linking everything statically doesn't change anything with respect to security,
as binaries will live under the same user:group as libraries, and setuid
executables ignore `LD_PRELOAD`/`LD_LIBRARY_PATH`. It also increases the RSS
footprint and creates problems with upgrading.
## Restrict access to kernel memory

The /dev/kmem file in Linux systems is directly mapped to kernel virtual memory.
This can be disastrous if an attacker gains root access, as the attacker would
have direct access to kernel virtual memory.

To disable the /dev/kmem file, which is very infrequently used by applications,
the following kernel option should be set in the compile-time kernel

Domain | `Config` name | `Value`
------------------------------ | ---------------- | -------
Kernel-Memory-RestrictAccess-1 | `CONFIG_DEVKMEM` | `n`

In case applications in user space need /dev/kmem support, it should be
available only for authenticated applications.

--------------------------------------------------------------------------------
## Disable access to a kernel core dump

This kernel configuration disables access to a kernel core dump from user space.
If enabled, it gives attackers a useful view into kernel memory.

Domain | `Config` name | `Value`
------------------------ | ------------------- | -------
Kernel-Memory-CoreDump-1 | `CONFIG_PROC_KCORE` | `n`

--------------------------------------------------------------------------------
If not disabled, attackers can enable swap at runtime, add pressure to the
memory subsystem and then scour the pages written to swap for useful

Domain | `Config` name | `Value`
-------------------- | ------------- | -------
Kernel-Memory-Swap-1 | `CONFIG_SWAP` | `n`

- Enabling swap at runtime requires `CAP_SYS_ADMIN`.
- The swap block device is usually owned by root:disk.
- Linux never swaps kernel pages.
- If disabling swap is not possible, swap encryption should be enabled.

--------------------------------------------------------------------------------
## Disable "Load All Symbols"

There is a /proc/kallsyms file which exposes the kernel memory-space addresses
of many kernel symbols (functions, variables, etc.). This information is useful
to attackers in identifying kernel versions/configurations and in preparing
payloads for kernel-space exploits.

Both `KALLSYMS_ALL` and `KALLSYMS` shall be disabled:

Domain | `Config` name | `Value`
------------------------------ | --------------------- | -------
Kernel-Memory-LoadAllSymbols-1 | `CONFIG_KALLSYMS` | `n`
Kernel-Memory-LoadAllSymbols-2 | `CONFIG_KALLSYMS_ALL` | `n`

--------------------------------------------------------------------------------
To prevent stack smashing, similar to the stack protector used for ELF programs
in user space, the kernel can protect its internal stacks as well.

This configuration is supported in **Linux 3.11 and greater** and thus should
only be enabled for such versions.

This configuration also requires building the kernel with the **gcc compiler 4.2

Domain | `Config` name | `Value`
--------------------- | -------------------------- | -------
Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y`

Other defenses include things like shadow stacks.

--------------------------------------------------------------------------------
## Disable access to /dev/mem

The /dev/mem file in Linux systems is directly mapped to physical memory. This
can be disastrous if an attacker gains root access, as the attacker would have
direct access to physical memory through this convenient device file. It may not
always be possible to disable this file, as some applications might need such
support. In that case, this device file should be available only for
authenticated applications.

This configuration is supported in **Linux 4.0 and greater** and thus should
only be disabled for such versions.

Domain | `Config` name | `Value`
---------------------- | --------------- | -------
Kernel-Memory-Access-1 | `CONFIG_DEVMEM` | `n`

--------------------------------------------------------------------------------
## Disable cross-memory attach

Disable the `process_vm_*v` syscalls, which allow one process to peek/poke the
virtual memory of another.

This configuration is supported in **Linux 3.5 and greater** and thus should
only be disabled for such versions.

Domain | `Config` name | `Value`
------------------------------ | --------------------- | -------
Kernel-Memory-CrossMemAttach-1 | `CROSS_MEMORY_ATTACH` | `n`

--------------------------------------------------------------------------------
## Stack Smashing Attacks

Domain | `compiler` and `linker` options | _State_
----------------------------- | ------------------------------- | --------
Kernel-Memory-StackSmashing-1 | `-fstack-protector-all` | _Enable_

Emit extra code to check for buffer overflows, such as stack smashing attacks.

--------------------------------------------------------------------------------
## Detect Buffer Overflows

Domain | `compiler` options and `config` name | `Value`
------------------------------- | ------------------------------------ | -------
Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2`
Kernel-Memory-BufferOverflows-2 | `CONFIG_FORTIFY_SOURCE` | `y`

Helps detect some buffer overflow errors.
## Disable serial console

The serial console should be disabled to prevent an attacker from accessing this

Domain | `Config` name | `Value`
------------------------ | ---------------------------- | -------
Kernel-Consoles-Serial-1 | `CONFIG_SERIAL_8250` | `n`
Kernel-Consoles-Serial-2 | `CONFIG_SERIAL_8250_CONSOLE` | `n`
Kernel-Consoles-Serial-3 | `CONFIG_SERIAL_CORE` | `n`
Kernel-Consoles-Serial-4 | `CONFIG_SERIAL_CORE_CONSOLE` | `n`

--------------------------------------------------------------------------------
## Bake-in the kernel command-line

The kernel command line is used to control many aspects of the booting kernel,
and is prone to tampering, as the parameters are passed in RAM with little to
no reverse validation. To prevent this type of attack, the kernel shall be
configured to ignore command-line arguments and use pre-configured
(compile-time) options instead.

Set the kernel command line in the `CONFIG_CMDLINE` Kconfig item and then pass
no arguments from the bootloader.

Domain | `Config` name | `Value`
----------------------------- | ------------------------- | -----------------------------------
Kernel-Consoles-CommandLine-1 | `CONFIG_CMDLINE_BOOL` | `y`
Kernel-Consoles-CommandLine-2 | `CONFIG_CMDLINE` | `"insert kernel command line here"`
Kernel-Consoles-CommandLine-3 | `CONFIG_CMDLINE_OVERRIDE` | `y`

It is recommended that any per-device settings (e.g. MAC addresses, serial
numbers, etc.) be stored in and accessed from read-only memory (or files), and
that any such parameters be verified (signature checking) prior to their use.

--------------------------------------------------------------------------------
The Linux kernel supports KGDB over USB and console ports. These mechanisms are
controlled by the `kgdbdbgp` and `kgdboc` kernel command-line parameters. It is
important to ensure that no shipping product contains a kernel with KGDB

Domain | `Config` name | `Value`
---------------------- | ------------- | -------
Kernel-Consoles-KDBG-1 | `CONFIG_KGDB` | `n`

--------------------------------------------------------------------------------
## Disable magic sysrq support

On a few architectures, you can access a powerful debugger interface from the
keyboard. The same powerful interface can be present on the serial console
(responding to a serial break) of Linux on other architectures. Disable it to
avoid potentially exposing this powerful backdoor.

Domain | `Config` name | `Value`
----------------------- | -------------------- | -------
Kernel-Consoles-SysRQ-1 | `CONFIG_MAGIC_SYSRQ` | `n`

--------------------------------------------------------------------------------
## Disable support for binary formats other than ELF

This option makes it possible to plug wrapper-driven binary formats into the
kernel; it enables support for binary formats other than ELF. Providing the
ability to use alternate interpreters would assist an attacker in discovering
attack

Domain | `Config` name | `Value`
------------------------------ | -------------------- | -------
Kernel-Consoles-BinaryFormat-1 | `CONFIG_BINFMT_MISC` | `n`

No debuggers shall be present on the file system. This includes, but is not
limited to, the GNU Debugger client/server (commonly known by their short-form
names, the `gdb` and `gdbserver` executable binaries respectively), the `LLDB`
next-generation debugger and the `TCF` (Target Communications Framework)
agnostic framework. Including these binaries as part of the file system will
facilitate an attacker's ability to reverse engineer and debug (either locally
or remotely) any process that is currently executing on the device.
## Kernel debug symbols

Debug symbols should always be removed from production kernels, as they provide
a lot of information to attackers.

Domain | `Config` name | `Value`
---------------------- | ------------------- | -------
Kernel-Debug-Symbols-1 | `CONFIG_DEBUG_INFO` | `n`

Kernel debug symbols are also enabled by other config items in the kernel, and
care should be taken to disable those as well. If `CONFIG_DEBUG_INFO` cannot be
disabled, then enabling `CONFIG_DEBUG_INFO_REDUCED` is second best.

At least `CONFIG_DEBUG_INFO_REDUCED` should always be enabled for developers to
convert addresses in oops messages to line numbers.

--------------------------------------------------------------------------------
Kprobes enables you to dynamically break into any kernel routine and collect
debugging and performance information non-disruptively. You can trap at almost
any kernel code address, specifying a handler routine to be invoked when the

Domain | `Config` name | `Value`
---------------------- | ---------------- | -------
Kernel-Debug-Kprobes-1 | `CONFIG_KPROBES` | `n`

--------------------------------------------------------------------------------
Ftrace enables the kernel to trace every kernel function. Providing kernel trace
functionality would assist an attacker in discovering attack vectors.

Domain | `Config` name | `Value`
---------------------- | --------------- | -------
Kernel-Debug-Tracing-1 | `CONFIG_FTRACE` | `n`

--------------------------------------------------------------------------------
Profiling and OProfile enable profiling of the whole system, including the
kernel, kernel modules, libraries, and applications. Providing profiling
functionality would assist an attacker in discovering attack vectors.

Domain | `Config` name | `Value`
------------------------ | ------------------ | -------
Kernel-Debug-Profiling-1 | `CONFIG_OPROFILE` | `n`
Kernel-Debug-Profiling-2 | `CONFIG_PROFILING` | `n`

--------------------------------------------------------------------------------
## Disable OOPS print on BUG()

The output from the OOPS print can be helpful in Return Oriented Programming
(ROP) when trying to determine the effectiveness of an exploit.

Domain | `Config` name | `Value`
------------------------ | ------------------------- | -------
Kernel-Debug-OOPSOnBUG-1 | `CONFIG_DEBUG_BUGVERBOSE` | `n`

--------------------------------------------------------------------------------
## Disable Kernel Debugging

There are development-only branches of code in the kernel enabled by the
`DEBUG_KERNEL` config option. It should be disabled to compile out these
branches.

Domain | `Config` name | `Value`
------------------ | --------------------- | -------
Kernel-Debug-Dev-1 | `CONFIG_DEBUG_KERNEL` | `n`
Kernel-Debug-Dev-2 | `CONFIG_EMBEDDED` | `n`

In some kernel versions, disabling this also requires disabling
`CONFIG_EMBEDDED` and `CONFIG_EXPERT`. Disabling `CONFIG_EXPERT` makes it
impossible to disable `COREDUMP`, `DEBUG_BUGVERBOSE`, `NAMESPACES`, `KALLSYMS`
and `BUG`. In that case it is better to leave this enabled than to enable the

--------------------------------------------------------------------------------
## Disable the kernel debug filesystem

The kernel debug filesystem presents a lot of useful information, and means of
manipulating the kernel, to an attacker.

Domain | `Config` name | `Value`
------------------------- | ----------------- | -------
Kernel-Debug-FileSystem-1 | `CONFIG_DEBUG_FS` | `n`

--------------------------------------------------------------------------------
## Disable BUG() support

The kernel will display backtrace and register information for BUGs and WARNs in
kernel space, making it easier for attackers to develop exploits.

Domain | `Config` name | `Value`
------------------ | ------------- | -------
Kernel-Debug-BUG-1 | `CONFIG_BUG` | `n`

--------------------------------------------------------------------------------
## Disable core dumps

Core dumps provide a lot of debug information to attackers, so disabling core
dumps is recommended in production builds.

This configuration is supported in **Linux 3.7 and greater** and thus should
only be disabled for such versions.

Domain | `Config` name | `Value`
------------------------ | ----------------- | -------
Kernel-Debug-CoreDumps-1 | `CONFIG_COREDUMP` | `n`

--------------------------------------------------------------------------------
## Kernel Address Display Restriction

When attackers try to develop "run anywhere" exploits for kernel
vulnerabilities, they frequently need to know the location of internal kernel
structures. By treating kernel addresses as sensitive information, those
locations are not visible to regular local users.

**/proc/sys/kernel/kptr_restrict is set to "1"** to block the reporting of known
kernel address leaks.

Domain | `File` name | `Value`
---------------------------- | -------------------------------- | -------
Kernel-Debug-AdressDisplay-1 | `/proc/sys/kernel/kptr_restrict` | `1`

Additionally, various files and directories should be readable only by the root
user: `/boot/vmlinuz*`, `/boot/System.map*`, `/sys/kernel/debug/`,

Domain | `File` or `Directory` name | _State_
---------------------------- | --------------------------- | --------------------------------
Kernel-Debug-AdressDisplay-1 | `/boot/vmlinuz*` | _Readable only by the root user_
Kernel-Debug-AdressDisplay-2 | `/boot/System.map*` | _Readable only by the root user_
Kernel-Debug-AdressDisplay-3 | `/sys/kernel/debug/` | _Readable only by the root user_
Kernel-Debug-AdressDisplay-4 | `/proc/slabinfo` | _Readable only by the root user_

--------------------------------------------------------------------------------
## DMESG Restrictions

When attackers try to develop "run anywhere" exploits for vulnerabilities, they
frequently use `dmesg` output. By treating `dmesg` output as sensitive
information, this output is not available to the attacker.

**/proc/sys/kernel/dmesg_restrict can be set to "1"** to treat dmesg output as

Domain | `File` name | `Value`
-------------------- | --------------------------------- | -------
Kernel-Debug-DMESG-1 | `/proc/sys/kernel/dmesg_restrict` | `1`
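The three sysctl values on this page (`kernel.modules_disabled` in the module-signing section, `kernel.kptr_restrict` and `kernel.dmesg_restrict` here) can drift between what a `sysctl.conf` fragment says and what the running kernel has. The following added example (not part of the page or the AGL project) parses `sysctl.conf` syntax, including the `kernel/key` form that `sysctl(8)` accepts alongside `kernel.key`, and compares both the persisted and the live value against the expected one; the live reader is a function argument, so the same check runs offline against a constructed dictionary and on a device against `/proc/sys`. The sample fragment is constructed, with `dmesg_restrict` deliberately weak and `modules_disabled` missing.

```python
"""Verify the sysctl hardening values from this page, persisted and live.

Added example, not AGL project code.
"""

# Required values from this page: sysctl key -> expected value.
REQUIRED = {
    "kernel.kptr_restrict": "1",
    "kernel.dmesg_restrict": "1",
    "kernel.modules_disabled": "1",
}

# Constructed sysctl.conf fragment: kptr_restrict correct, dmesg_restrict
# weak (written in the slash form), modules_disabled missing entirely.
SAMPLE_SYSCTL_CONF = """\
# hardening settings (constructed sample)
kernel.kptr_restrict = 1
kernel/dmesg_restrict = 0
"""


def normalize_key(key):
    """sysctl(8) accepts 'kernel/kptr_restrict' as well as
    'kernel.kptr_restrict'; keep everything in dotted form."""
    return key.strip().replace("/", ".")


def parse_sysctl_conf(text):
    """Return {dotted key: value}. Lines starting with '#' or ';' are
    comments; everything else is 'key = value'."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[normalize_key(key)] = value.strip()
    return values


def proc_sys_path(key):
    """Map a sysctl key to the file the kernel exposes it through."""
    return "/proc/sys/" + normalize_key(key).replace(".", "/")


def read_proc_sys(key):
    """Live reader for a device: value from /proc/sys, or None when the
    file is absent (e.g. the kernel was built without that feature)."""
    try:
        with open(proc_sys_path(key)) as f:
            return f.read().strip()
    except OSError:
        return None


def audit(conf_text, read_live, required=REQUIRED):
    """Return a sorted list of (key, expected, persisted, live) rows for
    every key whose persisted or live value differs from the expected one.
    read_live(key) -> str or None; pass read_proc_sys on a device or a
    dict's .get for an offline run."""
    persisted = parse_sysctl_conf(conf_text)
    findings = []
    for key, want in required.items():
        have_conf = persisted.get(key)
        have_live = read_live(key)
        if have_conf != want or have_live != want:
            findings.append((key, want, have_conf, have_live))
    return sorted(findings)


if __name__ == "__main__":
    for row in audit(SAMPLE_SYSCTL_CONF, read_proc_sys):
        print("FAIL key=%s expected=%s conf=%s live=%s" % row)
```

`kernel.modules_disabled` is one-way: once set to `1` it cannot be cleared without a reboot, so the fragment that sets it should be applied only after every module the system needs has been loaded; a persisted `1` with a live `0` in the audit output usually means it was applied too early and failed, or not applied at all.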
Enable the below compiler and linker options when building user-space
applications to avoid stack smashing and buffer overflow attacks.

--------------------------------------------------------------------------------
## Disable /proc/config.gz

It is extremely important not to expose the kernel configuration used on a
production device to a potential attacker. With access to the kernel config, an
attacker could build a custom kernel for the device that disables critical
security features.

Domain | `Config` name | `Value`
--------------------- | ----------------- | -------
Kernel-Debug-Config-1 | `CONFIG_IKCONFIG` | `n`
## Disable all file systems not needed

File system data is parsed by the kernel, so any logic bugs in file system
drivers can become kernel exploits; disabling unneeded file systems reduces the
attack surface.

### Disable NFS file system

NFS file systems are useful during development phases, but they can be a very
helpful way for an attacker to get files when you are in production mode, so we

Domain | `Config` name | `Value`
------------------------ | --------------- | -------
Kernel-FileSystems-NFS-1 | `CONFIG_NFSD` | `n`
Kernel-FileSystems-NFS-2 | `CONFIG_NFS_FS` | `n`

--------------------------------------------------------------------------------
## Partition Mount Options

There are several security restrictions that can be set on a filesystem when it
is mounted. Some common security options include, but are not limited to:

`nosuid` - Do not allow set-user-identifier or set-group-identifier bits to take

`nodev` - Do not interpret character or block special devices on the filesystem.

`noexec` - Do not allow execution of any binaries on the mounted filesystem.

`ro` - Mount the filesystem read-only.

The following flags shall be used for mounting common filesystems:

Domain | `Partition` | `Value`
-------------------------- | ------------------- | -----------------------------------------------------------------
Kernel-FileSystems-Mount-1 | `/boot` | `nosuid`, `nodev` and `noexec`.
Kernel-FileSystems-Mount-2 | `/var` & `/tmp` | In `/etc/fstab` or `vfstab`, add `nosuid`, `nodev` and `noexec`.
Kernel-FileSystems-Mount-3 | _Non-root local_ | If type is `ext2` or `ext3` and mount point not '/', add `nodev`.
Kernel-FileSystems-Mount-4 | _Removable storage_ | Add `nosuid`, `nodev` and `noexec`.
Kernel-FileSystems-Mount-5 | _Temporary storage_ | Add `nosuid`, `nodev` and `noexec`.
Kernel-FileSystems-Mount-6 | `/dev/shm` | Add `nosuid`, `nodev` and `noexec`.
Kernel-FileSystems-Mount-7 | `/dev` | Add `nosuid` and `noexec`.

If `CONFIG_DEVTMPFS_MOUNT` is set, then the kernel will mount /dev itself and
will not apply the `nosuid` and `noexec` options. Either disable
`CONFIG_DEVTMPFS_MOUNT` or add a remount with the `noexec` and `nosuid` options
to system startup.

Domain | `Config` name | _State_ or `Value`
-------------------------- | ----------------------- | -----------------------------------------------------------------------
Kernel-FileSystems-Mount-1 | `CONFIG_DEVTMPFS_MOUNT` | _Disabled_ or add remount with `noexec` and `nosuid` to system startup.
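As an added example (not from the page or the AGL project), the following Python check parses `/etc/fstab` and reports mount points that lack the options required in the table above, treating `defaults` as carrying none of the restricting flags. The `devtmpfs_mount` argument mirrors `CONFIG_DEVTMPFS_MOUNT`: when the kernel mounts `/dev` itself, no fstab line can give that mount `nosuid`/`noexec`, so the check reports `/dev` in full and `remount_command` produces the startup remount the table suggests. The sample fstab is constructed, with `/boot` and `/tmp` deliberately weak.

```python
"""Check fstab mount options against this page's partition table.

Added example, not AGL project code.
"""

# Required options per mount point, taken from the table on this page.
REQUIRED = {
    "/boot": {"nosuid", "nodev", "noexec"},
    "/var": {"nosuid", "nodev", "noexec"},
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/dev/shm": {"nosuid", "nodev", "noexec"},
    "/dev": {"nosuid", "noexec"},
}

# Constructed sample fstab: /boot and /tmp are weak, /var and /dev/shm are
# as required, /dev has no line because the kernel mounts it (devtmpfs).
SAMPLE_FSTAB = """\
# <device>        <mount point>  <type>  <options>             <dump> <pass>
/dev/mmcblk0p1    /boot          ext4    defaults              0      2
/dev/mmcblk0p2    /              ext4    ro                    0      1
/dev/mmcblk0p3    /var           ext4    nosuid,nodev,noexec   0      2
tmpfs             /tmp           tmpfs   nodev,nosuid          0      0
tmpfs             /dev/shm       tmpfs   nosuid,nodev,noexec   0      0
"""


def parse_fstab(text):
    """Return {mount point: (fstype, set of options)}. 'defaults' adds no
    restricting option, so it is dropped from the set."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # device, mount point, type and options are mandatory
        _device, mount_point, fstype, options = fields[:4]
        opts = {o for o in options.split(",") if o and o != "defaults"}
        entries[mount_point] = (fstype, opts)
    return entries


def check_fstab(text, required=REQUIRED, devtmpfs_mount=True):
    """Return a sorted list of (mount point, sorted missing options).

    devtmpfs_mount mirrors CONFIG_DEVTMPFS_MOUNT: when the kernel mounts
    /dev itself, the fstab line (if any) does not apply to that mount, so
    /dev is reported with its full requirement as a reminder that the
    options must come from a startup remount instead.
    """
    entries = parse_fstab(text)
    findings = []
    for mount_point, need in required.items():
        if mount_point == "/dev" and devtmpfs_mount:
            findings.append((mount_point, sorted(need)))
            continue
        have = entries.get(mount_point, (None, set()))[1]
        missing = need - have
        if missing:
            findings.append((mount_point, sorted(missing)))
    return sorted(findings)


def remount_command(mount_point, options):
    """The startup remount that applies the options to an already-mounted
    filesystem, which is the fix the table suggests for /dev."""
    return "mount -o remount,%s %s" % (",".join(sorted(options)), mount_point)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FSTAB
    for mount_point, missing in check_fstab(text):
        print("FAIL %s missing %s; fix: %s"
              % (mount_point, ",".join(missing), remount_command(mount_point, missing)))
```

On the constructed sample the check flags `/boot` (mounted with `defaults`), `/tmp` (missing `noexec`) and `/dev` (needs the remount); `/var` and `/dev/shm` pass.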