Kernel Self Protection: Status quo in IPFire 2.x

["Peter Müller" <peter.mueller@link38.eu>]

[-- Attachment #1: Type: text/plain, Size: 2938 bytes --]

Hello,

attached is the current status of security relevant kernel configure
flags and other settings. I post this to the mailing list to provide
people with better knowledge the ability to comment on it.

The whole issue is filed under #11659, please refer to
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
for a list of recommended (= paranoid) settings.

(a) CONFIG flags that differ from recommended settings
- CONFIG_DEBUG_WX is disabled on AARCH64
- CONFIG_CC_STACKPROTECTOR_STRONG is unset on i586 PAE in favour of CONFIG_CC_STACKPROTECTOR_REGULAR
- CONFIG_DEVMEM is enabled on all architectures (!)
- CONFIG_IO_STRICT_DEVMEM is disabled on all architectures (!)
- CONFIG_DEBUG_CREDENTIALS is disabled on all architectures
- CONFIG_DEBUG_NOTIFIERS is disabled on all architectures
- CONFIG_DEBUG_SG is disabled on all architectures
- CONFIG_BUG_ON_DATA_CORRUPTION is disabled on all architectures
- CONFIG_SCHED_STACK_END_CHECK is disabled on all architectures
- CONFIG_SECURITY_YAMA is disabled on AARCH64 and i586 PAE (!)
- CONFIG_HARDENED_USERCOPY is disabled on AARCH64 and ARM
- CONFIG_SLUB_DEBUG is disabled on AARCH64 and i586 PAE
- CONFIG_PAGE_POISONING is disabled on all architectures except i586 PAE (!)
- CONFIG_PAGE_POISONING_NO_SANITY is disabled on all architectures
- CONFIG_PAGE_POISONING_ZERO is enabled on i586 PAE only (!)
- CONFIG_FORTIFY_SOURCE is disabled on AARCH64
- CONFIG_ACPI_CUSTOM_METHOD is enabled on all except ARM and AARCH64
- CONFIG_INET_DIAG is enabled on all architecture
- CONFIG_BINFMT_MISC is enabled on all architecture

Some flags have been omitted for the first time going through this on 4.14.x .
They will be included as soon as the differences above are fixed or
cleared.

(b) GCC plugins flags that differ from recommended settings 
- CONFIG_GCC_PLUGIN_RANDSTRUCT is disabled on all architectures

(c) Kernel command line options that differ from recommended settings
- slub_debug=P is missing
- page_poison=1 is missing
- slab_nomerge is missing
- pti=on is missing

(d) sysctls that differ from recommended settings
- user.max_user_namespaces is 15345 (recommended: 0)
- kernel.kexec_load_disabled is not found (recommended: 1) -> TBD, patch
- kernel.yama.ptrace_scope is not found (recommended: 1)
- net.core.bpf_jit_harden is 0 (recommended: 2)
- kernel.unprivileged_bpf_disabled is not found (recommended: 1)


Is there any reason why some of these points have to stay this way
(compatibility issues, hardware bugs, ...)? If yes, drop me a line.
Otherwise I will change them step by step, merging everything in IPFire 3.x
if this is finished.

Thanks, and best regards,
Peter Müller
-- 
Microsoft DNS service terminates abnormally when it recieves a response
to a DNS query that was never made.  Fix Information: Run your DNS
service on a different platform.
		-- bugtraq


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]