From: Peter Müller
To: development@lists.ipfire.org
Subject: Kernel Self Protection: Status quo in IPFire 2.x
Date: Thu, 16 Aug 2018 18:24:54 +0200
Message-ID: <349afd0b-af27-1eed-8af8-9b03a6352eb3@link38.eu>

Hello,

attached is the current status of security-relevant kernel configuration flags and other settings. I post this to the mailing list so that people with better knowledge have the ability to comment on it.

The whole issue is filed under #11659; please refer to
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
for a list of recommended (= paranoid) settings.

(a) CONFIG flags that differ from recommended settings

- CONFIG_DEBUG_WX is disabled on AARCH64
- CONFIG_CC_STACKPROTECTOR_STRONG is unset on i586 PAE in favour of CONFIG_CC_STACKPROTECTOR_REGULAR
- CONFIG_DEVMEM is enabled on all architectures (!)
- CONFIG_IO_STRICT_DEVMEM is disabled on all architectures (!)
- CONFIG_DEBUG_CREDENTIALS is disabled on all architectures
- CONFIG_DEBUG_NOTIFIERS is disabled on all architectures
- CONFIG_DEBUG_SG is disabled on all architectures
- CONFIG_BUG_ON_DATA_CORRUPTION is disabled on all architectures
- CONFIG_SCHED_STACK_END_CHECK is disabled on all architectures
- CONFIG_SECURITY_YAMA is disabled on AARCH64 and i586 PAE (!)
- CONFIG_HARDENED_USERCOPY is disabled on AARCH64 and ARM
- CONFIG_SLUB_DEBUG is disabled on AARCH64 and i586 PAE
- CONFIG_PAGE_POISONING is disabled on all architectures except i586 PAE (!)
- CONFIG_PAGE_POISONING_NO_SANITY is disabled on all architectures
- CONFIG_PAGE_POISONING_ZERO is enabled on i586 PAE only (!)
- CONFIG_FORTIFY_SOURCE is disabled on AARCH64
- CONFIG_ACPI_CUSTOM_METHOD is enabled on all except ARM and AARCH64
- CONFIG_INET_DIAG is enabled on all architectures
- CONFIG_BINFMT_MISC is enabled on all architectures

Some flags have been omitted for the first time going through this on 4.14.x. They will be included as soon as the differences above are fixed or cleared.

(b) GCC plugin flags that differ from recommended settings

- CONFIG_GCC_PLUGIN_RANDSTRUCT is disabled on all architectures

(c) Kernel command line options that differ from recommended settings

- slub_debug=P is missing
- page_poison=1 is missing
- slab_nomerge is missing
- pti=on is missing

(d) sysctls that differ from recommended settings

- user.max_user_namespaces is 15345 (recommended: 0)
- kernel.kexec_load_disabled is not found (recommended: 1) -> TBD, patch
- kernel.yama.ptrace_scope is not found (recommended: 1)
- net.core.bpf_jit_harden is 0 (recommended: 2)
- kernel.unprivileged_bpf_disabled is not found (recommended: 1)

Is there any reason why some of these points have to stay this way (compatibility issues, hardware bugs, ...)? If yes, drop me a line. Otherwise I will change them step by step, merging everything in IPFire 3.x if this is finished.

Thanks, and best regards,
Peter Müller

-- 
Microsoft DNS service terminates abnormally when it receives a response to a DNS query that was never made.
Fix Information: Run your DNS service on a different platform.
-- bugtraq
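An added example, not part of the mail above nor of the IPFire project: a small POSIX shell audit script that compares a kernel config file, a kernel command line and a sysctl tree against the recommended values the mail lists in sections (a) to (d). The expected values are taken from those lists (a flag the mail reports as "disabled" is expected to be "y", one reported as "enabled (!)" is expected to be "n"); the sample config and sysctl tree the script builds are constructed to reproduce the mail's findings, so it runs offline. The live paths it uses (/boot/config-$(uname -r), /proc/cmdline, /proc/sys) are standard Linux locations, not something the mail states.

```shell
#!/bin/sh
# Added example (not from the mail or IPFire): audit a kernel build, command line
# and sysctl tree against the recommended values listed in the mail.
# All sample data below is constructed for demonstration.

# Kconfig symbols and the value the mail treats as recommended.
KCONFIG_EXPECTED="CONFIG_DEVMEM=n
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_SECURITY_YAMA=y
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_ZERO=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
CONFIG_ACPI_CUSTOM_METHOD=n
CONFIG_INET_DIAG=n
CONFIG_BINFMT_MISC=n"

# Kernel command line tokens the mail reports as missing.
CMDLINE_EXPECTED="slub_debug=P page_poison=1 slab_nomerge pti=on"

# sysctl keys and recommended values from the mail.
SYSCTL_EXPECTED="user.max_user_namespaces 0
kernel.kexec_load_disabled 1
kernel.yama.ptrace_scope 1
net.core.bpf_jit_harden 2
kernel.unprivileged_bpf_disabled 1"

# audit_kconfig FILE: one line per symbol whose value differs from the recommendation.
# A symbol absent from FILE counts as "n" (Kconfig writes "# CONFIG_X is not set").
audit_kconfig() {
    printf '%s\n' "$KCONFIG_EXPECTED" | while IFS='=' read -r sym want; do
        have=$(sed -n "s/^$sym=//p" "$1" | head -n 1)
        [ -z "$have" ] && have=n
        [ "$have" = "$want" ] || echo "$sym is $have (recommended: $want)"
    done
}

# audit_cmdline "CMDLINE": one line per expected token that is absent.
# Tokens are matched exactly, so e.g. slub_debug=PU does not satisfy slub_debug=P.
audit_cmdline() {
    for opt in $CMDLINE_EXPECTED; do
        found=0
        for tok in $1; do
            [ "$tok" = "$opt" ] && found=1
        done
        [ "$found" -eq 1 ] || echo "$opt is missing"
    done
}

# audit_sysctl ROOT: ROOT is a /proc/sys-like tree (dots in the key become slashes).
# A key with no file is reported as "not found", the way sysctl(8) phrases it.
audit_sysctl() {
    printf '%s\n' "$SYSCTL_EXPECTED" | while read -r key want; do
        path="$1/$(echo "$key" | tr . /)"
        if [ -r "$path" ]; then have=$(cat "$path"); else have="not found"; fi
        [ "$have" = "$want" ] || echo "$key is $have (recommended: $want)"
    done
}

# make_sample: constructed config file and sysctl tree mirroring the mail's findings.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/config" <<'EOF'
CONFIG_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set
CONFIG_SECURITY_YAMA=y
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_ZERO=y
# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
CONFIG_ACPI_CUSTOM_METHOD=y
CONFIG_INET_DIAG=y
# CONFIG_BINFMT_MISC is not set
EOF
    mkdir -p "$dir/sys/user" "$dir/sys/net/core" "$dir/sys/kernel/yama"
    echo 15345 > "$dir/sys/user/max_user_namespaces"
    echo 0 > "$dir/sys/net/core/bpf_jit_harden"
    echo 1 > "$dir/sys/kernel/yama/ptrace_scope"
    echo "$dir"
}

# Default: audit the constructed sample. Pass "live" to audit the running system.
if [ "${1:-}" = live ]; then
    audit_kconfig "/boot/config-$(uname -r)"
    audit_cmdline "$(cat /proc/cmdline)"
    audit_sysctl /proc/sys
else
    sample=$(make_sample)
    audit_kconfig "$sample/config"
    audit_cmdline "quiet splash pti=on"
    audit_sysctl "$sample/sys"
    rm -rf "$sample"
fi
```

Run without arguments it reports the five config mismatches, three missing command line tokens and four sysctl deviations from the constructed sample; with `live` it reads the running kernel instead, which is the check to repeat after each flag in the list above is flipped.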