Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
kernel-hardening-checker
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
kernel-hardening-checker
Commits
f1009408
Commit
f1009408
authored
Jan 17, 2019
by
Tyler Hicks
Committed by
Alexander Popov
Jan 21, 2019
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add a KSPP recommendations config for x86_32
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
parent
531d8f0d
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
147 additions
and
0 deletions
+147
-0
kspp-recommendations-x86-32.config
config_files/kspp-recommendations-x86-32.config
+147
-0
No files found.
config_files/kspp-recommendations-x86-32.config
0 → 100644
View file @
f1009408
# CONFIGs
# Linux/i386 4.20 Kernel Configuration
# Report BUG() conditions and kill the offending process.
CONFIG_BUG
=
y
# Make sure kernel page tables have safe permissions.
CONFIG_STRICT_KERNEL_RWX
=
y
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX
=
y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_STACKPROTECTOR
=
y
CONFIG_STACKPROTECTOR_STRONG
=
y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM
=
y
CONFIG_IO_STRICT_DEVMEM
=
y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES
=
y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS
=
y
CONFIG_DEBUG_NOTIFIERS
=
y
CONFIG_DEBUG_LIST
=
y
CONFIG_DEBUG_SG
=
y
CONFIG_BUG_ON_DATA_CORRUPTION
=
y
CONFIG_SCHED_STACK_END_CHECK
=
y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP
=
y
CONFIG_SECCOMP_FILTER
=
y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY
=
y
CONFIG_SECURITY_YAMA
=
y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY
=
y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM
=
y
CONFIG_SLAB_FREELIST_HARDENED
=
y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG
=
y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING
=
y
CONFIG_PAGE_POISONING_NO_SANITY
=
y
CONFIG_PAGE_POISONING_ZERO
=
y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK
=
y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL
=
y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE
=
y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# CONFIG_INET_DIAG is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS
=
y
CONFIG_PANIC_TIMEOUT
=-
1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
CONFIG_STRICT_MODULE_RWX
=
y
CONFIG_MODULE_SIG
=
y
CONFIG_MODULE_SIG_FORCE
=
y
CONFIG_MODULE_SIG_ALL
=
y
CONFIG_MODULE_SIG_SHA512
=
y
CONFIG_MODULE_SIG_HASH
=
"sha512"
CONFIG_MODULE_SIG_KEY
=
"certs/signing_key.pem"
# GCC plugins
# Enable GCC Plugins
CONFIG_GCC_PLUGINS
=
y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY
=
y
# Force all structures to be initialized before they are passed to other functions.
CONFIG_GCC_PLUGIN_STRUCTLEAK
=
y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
=
y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT
=
y
#x86_32
# On 32-bit kernels, require PAE for NX bit support.
# CONFIG_M486 is not set
# CONFIG_HIGHMEM4G is not set
CONFIG_HIGHMEM64G
=
y
CONFIG_X86_PAE
=
y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR
=
65536
# Randomize position of kernel.
CONFIG_RANDOMIZE_BASE
=
y
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
