-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfig-linux-hardened
156 lines (122 loc) · 4.44 KB
/
config-linux-hardened
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
# from paulg
CONFIG_IPV6=n
# from debian
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
# from linux hardened
CONFIG_AIO=n
CONFIG_ARCH_MMAP_RND_BITS=32
CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_WX=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_DEVMEM=n
CONFIG_DEVPORT=n
CONFIG_FORTIFY_SOURCE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_LEGACY_VSYSCALL_EMULATE=n
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_MODIFY_LDT_SYSCALL=n
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_ON_OOPS_VALUE=1
CONFIG_PROC_VMCORE=n
CONFIG_REFCOUNT_FULL=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY_YAMA=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_MERGE_DEFAULT=n
CONFIG_HARDENED_USERCOPY_FALLBACK=n
CONFIG_LOCAL_INIT=n
CONFIG_PAGE_SANITIZE=y
CONFIG_PAGE_SANITIZE_VERIFY=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_SECURITY_TIOCSTI_RESTRICT=y
CONFIG_SLAB_CANARY=y
CONFIG_SLAB_HARDENED=y
CONFIG_SLAB_SANITIZE=y
CONFIG_SLAB_SANITIZE_VERIFY=y
CONFIG_X86_PTDUMP_CORE=y
# from https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_STRICT_KERNEL_RWX=y
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
# Prior to v4.18, these are:
# CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Dangerous; enabling this allows direct physical memory writing.
CONFIG_ACPI_CUSTOM_METHOD=n
# Dangerous; enabling this disables brk ASLR.
CONFIG_COMPAT_BRK=n
# Dangerous; enabling this allows direct kernel memory writing.
CONFIG_DEVKMEM=n
# Dangerous; exposes kernel text image layout.
CONFIG_PROC_KCORE=n
# Dangerous; enabling this disables VDSO ASLR.
CONFIG_COMPAT_VDSO=n
# Dangerous; enabling this allows replacement of running kernel.
CONFIG_KEXEC=n
# Dangerous; enabling this allows replacement of running kernel.
CONFIG_HIBERNATION=n
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
CONFIG_INET_DIAG=n
# Easily confused by misconfigured userspace, keep off.
CONFIG_BINFMT_MISC=n
# Use the modern PTY interface (devpts) only.
CONFIG_LEGACY_PTYS=n
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
CONFIG_SECURITY_SELINUX_DISABLE=n
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
CONFIG_MODULES=n