Comments (2)
Need to compare these recommendations with the current kernel-hardening-checker rules.
Gonna do that after preparing the next release of the tool.
from kernel-hardening-checker.
Link no longer appears to be up. I saved a cache for reference:
RDK Linux Hardening specification
Created on June 21, 2022
- Ensure no hard-coded credentials are present in the clear
- Ensure compliance with Comcast specifications for crypto and TLS
  o All STB connections to servers must be secured using TLS 1.2 or above, and verified to be correctly performing server certificate chain validation
- Build with stack-smashing protection (at least for modules implementing security)
  o Enable CONFIG_CC_STACKPROTECTOR, -fstack-protector-all, -Wstack-protector
  o Libc function buffer overrun checks: _FORTIFY_SOURCE=2
  o Initial requirement would be to enable this for all security sensitive modules with follow up to enable for the entire build.
- Scan all non-OSS sources with static analyzer
- Network port blocking
  o All ports not specifically used must be blocked by iptables rules
- Disable all unused devices (USB, Bluetooth, etc.)
- Implement multiuser/sandbox strategy (Restrict Linux process privileges)
  o No applications/utilities within a sandbox should run as root or have any means to achieve root privileges. Sandbox shall not contain hard links to outside files. Every sandbox connected to external network shall contain its own firewall and shall be configured using a whitelist.
  o Configure processes to the minimum capabilities and resources required for their operation. Have a unique user and group own service components/applications that need to be isolated. Users have permissions to access the required device files only. Shared files are access controlled using group permissions. Default permissions for newly created files include read/write/exec permissions for the owner only. Always use setresuid() and setresgid() functions to change the current user and group. Always confirm the change with getresuid() and getresgid() functions. Users and groups must have unique IDs.
  o In progress, containerization via LXC is being implemented for a subset of RDK processes. OEM may choose to use a technology other than LXC to sandbox their processes.
- Vet all open source
  o Currently being done using Whitesource tool
- Disable kernel module load
  o Making modules statically linked to the kernel would be a significant effort.
  o Disable module load after boot using /proc/sys/kernel/modules_disabled
- Disable kernel module unload
  o Set CONFIG_MODULE_UNLOAD
- Kernel module parameters must be R/O or trusted
  o Audit boot scripts to ensure loadable kernel module parameters are hard coded and don’t rely on data from persistent storage or other writable source
- Remove kernel debugging and profiling options
  o CONFIG_DEBUG_KERNEL CONFIG_MARKERS CONFIG_DEBUG_MEMLEAK CONFIG_KPROBES
  o CONFIG_SLUB_DEBUG CONFIG_PROFILING CONFIG_DEBUG_FS CONFIG_KPTRACE
  o CONFIG_KALLSYMS CONFIG_LTT CONFIG_UNUSED_SYMBOLS CONFIG_TRACE_IRQFLAGS_SUPPORT
  o CONFIG_RELAY CONFIG_MAGIC_SYSRQ CONFIG_VM_EVENT_COUNTERS CONFIG_UNWIND_INFO
  o CONFIG_BPA2_ALLOC_TRACE CONFIG_PRINTK
  o CONFIG_CRASH_DUMP CONFIG_BUG CONFIG_SCSI_LOGGING CONFIG_ELF_CORE CONFIG_FULL_PANIC
  o CONFIG_TASKSTATS CONFIG_AUDIT CONFIG_BSD_PROCESS_ACCT CONFIG_KEXEC
  o CONFIG_EARLY_PRINTK CONFIG_IKCONFIG CONFIG_NETFILTER_DEBUG
  o CONFIG_MTD_UBI_DEBUG CONFIG_B43_DEBUG CONFIG_SSB_DEBUG CONFIG_FB_INTEL_DEBUG
  o CONFIG_TRACING CONFIG_PERF_EVENTS
- Disable unused file system and block device support
- Enable heap protection and pointer obfuscation features.
  o Enabled by default in glibc. Protects heap from buffer overflows. Available in glibc 2.3.4 or above. Enabled using environment variable MALLOC_CHECK_
- Restrict /dev/mem to minimal regions of memory required
- Remove support for /dev/kmem
- Remove support for /dev/kcore
  o Kernel core dumping should be disabled in production
- Enable format, buffer, and object size checks
- Restrict /proc to process owners (except for IDS)
- Disable kernel configfs
  o Allows modification of kernel objects
- Remove ldconfig from target filesystem; ld.so.conf and ld.so.cache should be empty
  o Removes caching of symbolic links. Will cause a performance hit.
  o Impact: glibc changes. Would allow loading libraries from a non-standard library path even if we don’t use LD_LIBRARY_PATH.
- Security critical software is compiled as PIE (Position Independent Executable), if supported
- Kernel boots with “ro” in command line
  o Mount filesystem as read-only.
- Mount filesystems with minimal privileges. For example, a filesystem containing no executable code shall have the “noexec” option specified.
- Temporary storage (/tmp) shall be mounted in a dedicated filesystem (e.g. tmpfs) and its contents shall not survive reboots
- Flush cache after accessing sensitive data
- No overlay of writable mounts on read-only data
- System directories such as /proc or /dev shall not be writable within a sandbox
- Applications and utilities shall not have the setgid or setuid bit set
- Configure default shell to /dev/null
- Remove all unused executables and libraries
- Disable PTRACE. General restriction on PTRACE should be applied at kernel level with Yama LSM
  o http://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/
  o PTRACE is used by GDB. Disable only for production builds. Both compile time and runtime changes required (can restrict PTRACE to root if required)
- Don’t use LD_LIBRARY_PATH (loads libraries from default locations only)
- Full runtime path for non-standard libraries included in code image
  o Use -rpath and -rpath-link
- Mount filesystems with ro option and change permission temporarily when needed
- Kernel init parameters / command line must be R/O and trusted
- Restrict kernel syslog (dmesg) to root user only
- Disable kernel debugfs
  o Part of sysfs used to enable kernel debug messaging. If printk is disabled this becomes irrelevant
- Use ELF format only
  o May break scripts like Python
- Dynamic linker configuration changes
  o Remove LD_DEBUG support from dynamic linker
  o Remove LD_PRELOAD support from dynamic linker
  o Remove LD_PROFILE support from the dynamic linker
  o Remove LD_AUDIT support from the dynamic linker
  o Remove LD_SHOW_AUXV support from the dynamic linker
  o Remove LD_TRACE_LOADED_OBJECTS support from the dynamic linker
  o Link dynamic programs with -z now and -z relro options
- Hide restricted kernel pointers
  o Restricted pointers replaced with 0’s.
  o Relates to printk handling of printing pointer values. This is a runtime setting, enable/disable via /proc/sys/kernel/kptr_restrict
- Review use of SYSFS, disable it if possible
- Mark unchanging files in writable partition with “immutable”
- Use all compiler security features
  o Compile with -Wall, -Werror and fail on warnings (and possibly -Wextra)
- Replace strcpy with strncpy
  o All code should use safer, bounds checking versions of string library functions (such as strncpy instead of strcpy) to avoid potential buffer overruns.
- Prevent file races, open temp files with O_CREAT | O_EXCL
  o Makes check for file existence and creation atomic. Prevents multiple threads creating same file.
- Set sticky bit for temporary directories to prevent accidental deletion
  o Only owner and root can delete directory
- Restrict kernel network settings to be the most restrictive possible
- Limit temporary storage (tmpfs) memory size
- Enable kernel ABI Version Check
- Disable kernel symbol resolution
  o Disable CONFIG_KALLSYMS
  o Limits our ability to debug kernel crash dumps
- Disable kernel crashdump
  o Disable CONFIG_CRASH_DUMP
- Minimum mmap-able address set to 4K minimum.
  o This prevents mapping the NULL address
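As an added example for this thread (not code from the comment above, from RDK, or from kernel-hardening-checker): a small Python checker that reads a kernel .config and the runtime sysctls and reports which of the RDK items above fail. It covers only the Kconfig names in the spec that exist in mainline, and makes two assumptions that are marked in the code: CONFIG_STACKPROTECTOR_STRONG is taken as the current spelling of the spec's CONFIG_CC_STACKPROTECTOR, and the "Disable kernel module unload" item is read as CONFIG_MODULE_UNLOAD=n. The .config fragment and sysctl values in the block are constructed sample inputs, not from a real RDK build; run it with a path to a real .config and it checks that file together with the live /proc/sys values.

```python
# Added example: check a kernel .config and runtime sysctls against the RDK
# items above.  Not kernel-hardening-checker code; sample inputs constructed.
import re
import sys
from pathlib import Path

# "Remove kernel debugging and profiling options" items that exist in
# mainline Kconfig; a production build should have them off.
RDK_DEBUG_OPTIONS = (
    "CONFIG_DEBUG_KERNEL", "CONFIG_KPROBES", "CONFIG_SLUB_DEBUG",
    "CONFIG_PROFILING", "CONFIG_DEBUG_FS", "CONFIG_KALLSYMS",
    "CONFIG_MAGIC_SYSRQ", "CONFIG_CRASH_DUMP", "CONFIG_KEXEC",
    "CONFIG_IKCONFIG", "CONFIG_TRACING", "CONFIG_PERF_EVENTS",
)
# Options with a required value.  Assumed: CONFIG_STACKPROTECTOR_STRONG is
# the current spelling of CONFIG_CC_STACKPROTECTOR, and "Disable kernel
# module unload" means CONFIG_MODULE_UNLOAD=n.
RDK_REQUIRED = {
    "CONFIG_STACKPROTECTOR_STRONG": "y",
    "CONFIG_SECURITY_YAMA": "y",   # Yama LSM for the ptrace restriction
    "CONFIG_STRICT_DEVMEM": "y",   # restrict /dev/mem
    "CONFIG_DEVKMEM": "n",         # remove /dev/kmem
    "CONFIG_PROC_KCORE": "n",      # remove /dev/kcore
    "CONFIG_MODULE_UNLOAD": "n",
}
# Runtime sysctls (paths under /proc/sys) with the minimum acceptable value.
# ptrace_scope 1 is the general restriction; 2 limits ptrace to
# CAP_SYS_PTRACE holders and 3 disables it entirely.
RDK_SYSCTL_MIN = {
    "kernel/modules_disabled": 1,
    "kernel/kptr_restrict": 1,
    "kernel/yama/ptrace_scope": 1,
    "kernel/dmesg_restrict": 1,
    "vm/mmap_min_addr": 4096,
}

def parse_kconfig(text):
    """Map option name -> value; '# X is not set' lines become 'n'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.+)$", line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line.strip())
        if m:
            opts[m.group(1)] = "n"
    return opts

def check_kconfig(opts):
    """(option, expected, actual) per failing item; absent options are 'n'."""
    failures = [(o, "n", opts[o]) for o in RDK_DEBUG_OPTIONS
                if opts.get(o, "n") != "n"]
    failures += [(o, exp, opts.get(o, "n")) for o, exp in RDK_REQUIRED.items()
                 if opts.get(o, "n") != exp]
    return failures

def check_sysctls(values):
    """(sysctl, minimum, actual) per value below the minimum or missing
    (None), e.g. modules_disabled does not exist with CONFIG_MODULES=n."""
    return [(k, m, values.get(k)) for k, m in RDK_SYSCTL_MIN.items()
            if values.get(k) is None or values[k] < m]

def read_sysctls(root="/proc/sys"):
    """Read the sysctls above; absent or unreadable ones are left out so
    that check_sysctls() reports them as missing."""
    values = {}
    for key in RDK_SYSCTL_MIN:
        try:
            values[key] = int((Path(root) / key).read_text().split()[0])
        except (OSError, ValueError, IndexError):
            pass
    return values

# Constructed sample inputs, not taken from a real RDK build.
SAMPLE_CONFIG = """\
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_DEBUG_KERNEL is not set
CONFIG_KALLSYMS=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MAGIC_SYSRQ=y
CONFIG_SECURITY_YAMA=y
CONFIG_STRICT_DEVMEM=y
"""
SAMPLE_SYSCTLS = {"kernel/modules_disabled": 0, "kernel/kptr_restrict": 2,
                  "kernel/yama/ptrace_scope": 1, "kernel/dmesg_restrict": 1,
                  "vm/mmap_min_addr": 65536}

if __name__ == "__main__":
    # Usage: rdk_check.py [/path/to/.config]; without an argument the sample
    # fragment is checked together with the sample sysctl values.
    if len(sys.argv) > 1:
        opts, sysctls = parse_kconfig(Path(sys.argv[1]).read_text()), read_sysctls()
    else:
        opts, sysctls = parse_kconfig(SAMPLE_CONFIG), SAMPLE_SYSCTLS
    for opt, expected, actual in check_kconfig(opts):
        print(f"FAIL {opt}: expected {expected}, got {actual}")
    for key, minimum, actual in check_sysctls(sysctls):
        print(f"FAIL {key}: expected >= {minimum}, got {actual}")
```

On the sample input the checker flags CONFIG_KALLSYMS=y, CONFIG_MAGIC_SYSRQ=y, CONFIG_MODULE_UNLOAD=y and kernel.modules_disabled=0. A missing sysctl is reported rather than skipped, because the absence itself is informative: kernel.yama.ptrace_scope only exists when Yama is built in and enabled, and kernel.modules_disabled only exists on a kernel with CONFIG_MODULES=y.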
Related Issues (20)
- CONFIG_COMPAT_VDSO has a completely different meaning for arm64 and recommending disabling it doesn't make sense there
- CONFIG_ARCH_MMAP_RND_BITS check is wrong for arm64
- drop check for dependency-only CONFIG_GCC_PLUGINS due to Clang
- add disabling CONFIG_AIO (legacy POSIX AIO) as a recommendation
- add check for CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x0 too
- add check for UNWIND_PATCH_PAC_INTO_SCS, which reduces security compared to using both PAC + SCS
- Minimal kernel version ?
- New CONFIG_MODULE_SIG_SHA3_512 option in kernel 6.7
- Better json output
- Add io_uring_disabled sysctl to disable/limit io_uring creation
- Reducing Kernel Symbols on File System by Disabling CONFIG_VMLINUX_MAP and CONFIG_DEBUG_KERNEL
- Kernel Debug Metadata Access with CONFIG_DYNAMIC_DEBUG
- Add ia32_emulation kernel cmdline parameter to disable 32-bit emulation support on 64-bit x86 CPUs
- Suggestions for kernel-hardening-checker
- Add kconfig option for Intel CET shadow stack
- Add check for CONFIG_MITIGATION_RFDS
- Linux 6.9 Renames Many CPU Mitigation CONFIGs to CONFIG_MITIGATION_...
- The separation between desktop and server.
- skip CONFIG_SCHED_STACK_END_CHECK requirement when CONFIG_VMAP_STACK is set
- skip CONFIG_DEBUG_NOTIFIERS requirement when CONFIG_CFI_CLANG is set with CONFIG_CFI_PERMISSIVE disabled