forked from a13xp0p0v/kernel-hardening-checker
-
Notifications
You must be signed in to change notification settings - Fork 0
/
kspp-recommendations.config
154 lines (109 loc) · 4.62 KB
/
kspp-recommendations.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# CONFIGs
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Make sure kernel page tables have safe permissions.
CONFIG_DEBUG_KERNEL=y
CONFIG_STRICT_KERNEL_RWX=y
# Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
# Easily confused by misconfigured userspace, keep off.
# CONFIG_BINFMT_MISC is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
CONFIG_STRICT_MODULE_RWX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
# GCC plugins
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
#x86_64
# Full 64-bit means PAE and NX bit.
CONFIG_X86_64=y
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# Remove additional attack surface, unless you really need them.
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
# CONFIG_MODIFY_LDT_SYSCALL is not set