General configuration
Mandatory Access Control
The kernel should control access with labels and a policy.
Domain | Config name | Value
---|---|---
Kernel-General-MAC-1 | CONFIG_IP_NF_SECURITY | m
Kernel-General-MAC-2 | CONFIG_IP6_NF_SECURITY | m
Kernel-General-MAC-3 | CONFIG_EXT2_FS_SECURITY | y
Kernel-General-MAC-4 | CONFIG_EXT3_FS_SECURITY | y
Kernel-General-MAC-5 | CONFIG_EXT4_FS_SECURITY | y
Kernel-General-MAC-6 | CONFIG_SECURITY | y
Kernel-General-MAC-7 | CONFIG_SECURITY_SMACK | y
Kernel-General-MAC-8 | CONFIG_TMPFS_XATTR | y
Please also refer to the Mandatory Access Control documentation in the Platform part. You can also find useful documentation and links on Wikipedia about MAC and about SMACK.
Disable kexec
Kexec is a system call that enables you to load and boot into another kernel from the currently running kernel. This feature is not required in a production environment.
Domain | Config name | Value
---|---|---
Kernel-General-kexec-1 | CONFIG_KEXEC | n
kexec can load arbitrary kernels, but signing of the new kernel can be enforced, just as it can be enforced for new modules.
Disable kernel IP auto-configuration
It is preferable to have an IP configuration performed using a user-space tool as these tend to have more validation. We do not want the network interface coming up until the system has come up properly.
Domain | Config name | Value
---|---|---
Kernel-General-IPAutoConf-1 | CONFIG_IP_PNP | n
Disable Sysctl syscall support
Enabling this will result in code being included that is hard to maintain and not well tested.
Domain | Config name | Value
---|---|---
Kernel-General-SysCtl_SysCall-1 | CONFIG_SYSCTL_SYSCALL | n
Disable Legacy Linux Support
There are some kernel configs which are present only to support legacy binaries. See also the "Consoles" part for disabling support for legacy binary formats. The uselib system call, in particular, has no valid use in any libc6 or uclibc system in recent times. This configuration is supported in Linux 3.15 and greater and thus should only be disabled for such versions.
Domain | Config name | Value
---|---|---
Kernel-General-LegacyLinux-1 | CONFIG_USELIB | n
Disable firmware auto-loading user mode helper
The firmware auto-loading helper, a utility executed by the kernel on hotplug events that require firmware, can be set setuid. As a result, the helper utility is an attractive target for attackers with control of physical ports on the device. Disabling this configuration is supported in Linux 3.9 and greater.
Domain | Config name | Value
---|---|---
Kernel-General-FirmHelper-1 | CONFIG_FW_LOADER_USER_HELPER | n
It doesn't strictly need to be setuid; there is also the option of shipping the firmware built into the kernel, without an initrd or filesystem.
Enable Kernel Panic on OOPS
When fuzzing the kernel or attempting kernel exploits, attackers are likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their progress.
This configuration is supported in Linux 3.5 and greater and thus should only be enabled for such versions.
Domain | Config name | Value
---|---|---
Kernel-General-PanicOnOOPS-1 | CONFIG_PANIC_ON_OOPS | y
Disable socket monitoring interface
These monitors can be used to inspect shared file descriptors on Unix Domain sockets or traffic on 'localhost' which is otherwise assumed to be confidential.
The CONFIG_PACKET_DIAG configuration is supported in Linux 3.7 and greater and thus should only be disabled for such versions.
The CONFIG_UNIX_DIAG configuration is supported in Linux 3.3 and greater and thus should only be disabled for such versions.
Domain | Config name | Value
---|---|---
Kernel-General-SocketMon-1 | CONFIG_PACKET_DIAG | n
Kernel-General-SocketMon-2 | CONFIG_UNIX_DIAG | n
Disable BPF JIT
The BPF JIT can be used to create kernel-payloads from firewall table rules.
This configuration is supported in Linux 3.16 and greater and thus should only be disabled for such versions.
Domain | Config name | Value
---|---|---
Kernel-General-BPF_JIT-1 | CONFIG_BPF_JIT | n
Enable Enforced Module Signing
The kernel should never allow an unprivileged user the ability to load specific kernel modules, since that would provide a facility to unexpectedly extend the available attack surface.
To protect against even privileged users, systems may need to either disable module loading entirely or require signed modules (e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep root from loading arbitrary kernel code via the module loader interface.
This configuration is supported in Linux 3.7 and greater and thus should only be enabled for such versions.
Domain | Config name | Value
---|---|---
Kernel-General-ModuleSigning-1 | CONFIG_MODULE_SIG_FORCE | y
It is also possible to block the loading of modules after startup with "kernel.modules_disabled".
Domain | Variable name | Value
---|---|---
Kernel-General-ModuleSigning-2 | kernel.modules_disabled | 1
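As an added example (not part of the original document), the following POSIX shell script checks a kernel `.config` against the CONFIG_* values required in the sections above, from Mandatory Access Control through Enforced Module Signing. The required list, the sample config fragment and the function names are this example's own; a real build's `.config` (or `zcat /proc/config.gz`) is the intended input.

```shell
#!/bin/sh
# Added example (not part of the original document): check a kernel .config
# against the CONFIG_* values required in the sections above.
# Usage: check_kernel_config /boot/config-$(uname -r)   (or zcat /proc/config.gz > f)
# Required "NAME VALUE" pairs, taken from the tables above.
REQUIRED_OPTIONS='
CONFIG_SECURITY y
CONFIG_SECURITY_SMACK y
CONFIG_TMPFS_XATTR y
CONFIG_KEXEC n
CONFIG_IP_PNP n
CONFIG_SYSCTL_SYSCALL n
CONFIG_USELIB n
CONFIG_FW_LOADER_USER_HELPER n
CONFIG_PANIC_ON_OOPS y
CONFIG_PACKET_DIAG n
CONFIG_UNIX_DIAG n
CONFIG_BPF_JIT n
CONFIG_MODULE_SIG_FORCE y
'

# Effective value of option $2 in .config $1: "n" when "is not set" or absent.
config_value() {
    if grep -q "^# $2 is not set\$" "$1"; then
        echo n
    else
        v=$(sed -n "s/^$2=//p" "$1" | head -n 1)
        echo "${v:-n}"
    fi
}

# Print one FAIL line per mismatch; exit status is the number of mismatches.
check_kernel_config() {
    report=$(echo "$REQUIRED_OPTIONS" | while read -r name want; do
        [ -n "$name" ] || continue
        got=$(config_value "$1" "$name")
        [ "$got" = "$want" ] || echo "FAIL $name: expected $want, got $got"
    done)
    [ -z "$report" ] || printf '%s\n' "$report"
    return "$(printf '%s\n' "$report" | grep -c '^FAIL')"
}

# Constructed sample fragment (not from a real build) with three deviations.
SAMPLE_CONFIG=$(mktemp)
printf '%s\n' CONFIG_SECURITY=y CONFIG_SECURITY_SMACK=y CONFIG_TMPFS_XATTR=y \
    '# CONFIG_KEXEC is not set' CONFIG_IP_PNP=y '# CONFIG_SYSCTL_SYSCALL is not set' \
    '# CONFIG_USELIB is not set' CONFIG_FW_LOADER_USER_HELPER=y CONFIG_PANIC_ON_OOPS=y \
    '# CONFIG_PACKET_DIAG is not set' '# CONFIG_UNIX_DIAG is not set' \
    CONFIG_BPF_JIT=m CONFIG_MODULE_SIG_FORCE=y > "$SAMPLE_CONFIG"
check_kernel_config "$SAMPLE_CONFIG" || echo "$? option(s) deviate from the blueprint"
```

On the sample fragment the script reports CONFIG_IP_PNP, CONFIG_FW_LOADER_USER_HELPER and CONFIG_BPF_JIT; a module (`m`) build of BPF_JIT counts as a deviation because the table requires `n`.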
Disable all USB, PCMCIA (and other hotplug bus) drivers that aren't needed
Driver enumeration, probing, and operation happen in the kernel, and the driver data is parsed by the kernel, so any logic bug in these drivers can become a kernel exploit. Disabling the drivers that are not needed reduces this attack surface.
Domain | Object | State
---|---|---
Kernel-General-Drivers-1 | USB | Disabled
Kernel-General-Drivers-2 | PCMCIA | Disabled
Kernel-General-Drivers-3 | Other hotplug bus | Disabled
Position Independent Executables
Domain | Improvement
---|---
Kernel-General-IndependentExec-1 | Kernel or/and platform part ?

Domain | compiler and linker options | State
---|---|---
Kernel-General-IndependentExec-1 | -pie -fpic | Enable
Produce a position independent executable on targets which support it.
Prevent Overwrite Attacks
The -z,relro linking option helps during program load: several ELF memory sections need to be written by the linker, but can be turned read-only before control is handed over to the program. This prevents some Global Offset Table (GOT) overwrite attacks, as well as overwrites of the dtors section of the ELF binary.
Domain | compiler and linker options | State
---|---|---
Kernel-General-OverwriteAttacks-1 | -z,relro | Enable
Kernel-General-OverwriteAttacks-2 | -z,now | Enable
With -z,now, all dynamic symbols are resolved during program load, allowing the complete GOT to be marked read-only (due to -z,relro above). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldn't be an issue for daemons.
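As an added example (not part of the original document) covering both the Position Independent Executables and Prevent Overwrite Attacks sections, the following POSIX shell script verifies that a linked ELF executable really carries the -pie, -z,relro and -z,now protections by inspecting its headers with readelf from GNU binutils. The function names and the sample readelf excerpts are this example's own constructions, not captured from a real binary.

```shell
#!/bin/sh
# Added example (not part of the original document): verify that a linked ELF
# executable carries the -pie, -z relro and -z now protections from the tables
# above, by inspecting it with readelf (GNU binutils).
# Usage: elf_hardening_check /path/to/binary

# Classify from readelf text on stdin (output of readelf -h, -l and -d), so the
# same logic runs on a live binary or on captured output. Prints one line:
#   pie=<yes|no> relro=<none|partial|full>
classify_elf_hardening() {
    text=$(cat)
    pie=no; relro=none
    # -pie: ELF type is DYN and the linker set the PIE bit in DT_FLAGS_1.
    if echo "$text" | grep -q 'Type:.*DYN' && echo "$text" | grep -q 'FLAGS_1.*PIE'; then
        pie=yes
    fi
    # -z relro: a GNU_RELRO segment exists. -z now additionally requests
    # immediate binding (DT_FLAGS BIND_NOW or DT_FLAGS_1 NOW), which lets the
    # whole GOT be made read-only: "full" RELRO. Without it, only "partial".
    if echo "$text" | grep -q 'GNU_RELRO'; then
        if echo "$text" | grep -Eq '\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
            relro=full
        else
            relro=partial
        fi
    fi
    echo "pie=$pie relro=$relro"
}

# Run the check on a real file (needs readelf installed).
elf_hardening_check() {
    readelf -h -l -d "$1" | classify_elf_hardening
}

# Constructed readelf excerpt (not captured from a real binary) for an
# executable linked with -pie -z relro -z now.
SAMPLE_HARDENED='
  Type:                              DYN (Position-Independent Executable file)
  GNU_RELRO      0x0000000000002db8 0x0000000000003db8 0x0000000000003db8
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
'
# Constructed excerpt for the same program linked without -pie and -z now.
SAMPLE_WEAK='
  Type:                              EXEC (Executable file)
  GNU_RELRO      0x0000000000002db8 0x0000000000003db8 0x0000000000003db8
'
echo "$SAMPLE_HARDENED" | classify_elf_hardening   # pie=yes relro=full
echo "$SAMPLE_WEAK" | classify_elf_hardening       # pie=no relro=partial
```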
Library linking
Domain | Improvement
---|---
Kernel-General-LibraryLinking-1 | Keep this part?
It is recommended that dynamic linking should generally not be allowed. This prevents a user from replacing a library with a malicious one.
Domain | Object | Recommendations |
---|---|---|
Kernel-General-LibraryLinking-1 | Dynamic linking | Should generally not be allowed. |
Linking everything statically doesn't change anything with respect to security, as binaries will live under the same user:group as libraries, and setuid executables ignore LD_PRELOAD/LD_LIBRARY_PATH. It also increases the RSS footprint and creates problems with upgrading.