Rules Related To 'kernel'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Ensure auditd Collects Information on Kernel Module Loading and Unloading

audit_rules_kernel_module_loading

Description

To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -F key=modules
The place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules.

Rationale

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Ensure auditd Collects Information on Kernel Module Unloading - create_module

audit_rules_kernel_module_loading_create

Description

To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S create_module -F key=module-change
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.

Rationale

The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

audit_rules_kernel_module_loading_delete

Description

To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.

Rationale

The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module

audit_rules_kernel_module_loading_finit

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules

Rationale

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Ensure auditd Collects Information on Kernel Module Loading - init_module

audit_rules_kernel_module_loading_init

Description

To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.

Rationale

The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module

audit_rules_kernel_module_loading_query

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules

Rationale

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Extend Audit Backlog Limit for the Audit Daemon

coreos_audit_backlog_limit_kernel_argument

Description

To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.

Ensure SELinux Not Disabled in the kernel arguments

coreos_enable_selinux_kernel_argument

Description

SELinux can be disabled at boot time by disabling it via a kernel argument. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.

Rationale

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

Disable Kernel Support for USB via Bootloader Configuration

coreos_nousb_kernel_argument

Description

All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. To do so, Add the nousb kernel argument via a MachineConfig object.

Rationale

Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.

Enable page allocator poisoning

coreos_page_poison_kernel_argument

Description

To enable poisoning of free pages, add the argument page_poison=1 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

Enable Kernel Page-Table Isolation (KPTI)

coreos_pti_kernel_argument

Description

To enable Kernel page-table isolation, add the argument pti=on to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).

Enable SLUB/SLAB allocator poisoning

coreos_slub_debug_kernel_argument

Description

To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=P to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

Disable vsyscalls

coreos_vsyscall_kernel_argument

Description

To disable use of virtual syscalls, add the argument vsyscall=none to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

Verify Group Who Owns /etc/sysctl.d Directory

directory_groupowner_etc_sysctld

Description

To properly set the group owner of /etc/sysctl.d, run the command:

$ sudo chgrp root /etc/sysctl.d

Rationale

The ownership of the /etc/sysctl.d directory by the root group is important because this directory hosts kernel configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the kernel configuration.

Verify User Who Owns /etc/sysctl.d Directory

directory_owner_etc_sysctld

Description

To properly set the owner of /etc/sysctl.d, run the command:

$ sudo chown root /etc/sysctl.d 

Rationale

The ownership of the /etc/sysctl.d directory by the root user is important because this directory hosts kernel configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the kernel configuration.

Verify Permissions On /etc/sysctl.d Directory

directory_permissions_etc_sysctld

Description

To properly set the permissions of /etc/sysctl.d, run the command:

$ sudo chmod 0755 /etc/sysctl.d

Rationale

Setting correct permissions on the /etc/sysctl.d directory is important because this directory hosts kernel configuration. Protection of this directory is critical for system security. Restricting the permissions ensures exclusive control of the kernel configuration.

Ensure IPv6 is disabled through kernel boot parameter

grub2_ipv6_disable_argument

Description

To disable IPv6 protocol support in the Linux kernel, add the argument ipv6.disable=1 to the default GRUB2 command line for the Linux operating system. To ensure that ipv6.disable=1 is added as a kernel command line argument to newly installed kernels, add ipv6.disable=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="ipv6.disable=1"

Rationale

Any unnecessary network stacks, including IPv6, should be disabled to reduce the vulnerability to exploitation.

Configure kernel to trust the CPU random number generator

grub2_kernel_trust_cpu_rng

Description

There exist two ways how to ensure that the Linux kernel trusts the CPU hardware random number generator. If the option is configured during kernel compilation, e.g. the option CONFIG_RANDOM_TRUST_CPU is set to Y, make sure that it is not overridden with the boot parameter. There must not exist the boot parameter random.trust_cpu=off. If the option is not compiled in, make sure that random.trust_cpu=on is configured as a boot parameter. To ensure that random.trust_cpu=on is added as a kernel command line argument to newly installed kernels, add random.trust_cpu=on to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... random.trust_cpu=on ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="random.trust_cpu=on"

Rationale

The Linux kernel offers an option which signifies if the kernel should trust data provided by CPU hardware random number generator. Hardware random number generators can provide random data very quickly and are used to generate random cryptographic keys. They can be useful during boot time when other means of getting random data can be slow because there is not yet enough entropy in the system.

Install PAE Kernel on Supported 32-bit x86 Systems

install_PAE_kernel_on_x86-32

Description

Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support. The kernel-PAE package can be installed with the following command:

$ sudo dnf install kernel-PAE
The installation process should also have configured the bootloader to load the new kernel at boot. Verify this after reboot and modify /etc/default/grub if necessary.

Rationale

On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.

Do not allow ACPI methods to be inserted/replaced at run time

kernel_config_acpi_custom_method

Description

This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting the system. This configuration is available from kernel 3.0. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_ACPI_CUSTOM_METHOD, run the following command: grep CONFIG_ACPI_CUSTOM_METHOD /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

Enabling this feature allows arbitrary kernel memory to be written to by root (uid=0) users, allowing them to bypass certain security measures

Emulate Privileged Access Never (PAN)

kernel_config_arm64_sw_ttbr0_pan

Description

Enabling this option prevents the kernel from accessing user-space memory directly by pointing TTBR0_EL1 to a reserved zeroed area and reserved ASID. The user access routines restore the valid TTBR0_EL1 temporarily. This configuration is available from kernel 4.10, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_ARM64_SW_TTBR0_PAN, run the following command: grep CONFIG_ARM64_SW_TTBR0_PAN /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

The Privileged Access Never (PAN) is the ARM equivalent of the x86 Supervisor Mode Access Prevention (SMAP), and it prevents privileged acccess to user data unless explicitly enabled.

Disable kernel support for MISC binaries

kernel_config_binfmt_misc

Description

Enabling CONFIG_BINFMT_MISC makes it possible to plug wrapper-driven binary formats into the kernel. This is specially useful for programs that need an interpreter to run like Java, Python and DOS emulators. Once you have registered such a binary class with the kernel, you can start one of those programs simply by typing in its name at a shell prompt. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_BINFMT_MISC, run the following command: grep CONFIG_BINFMT_MISC /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

This disables arbitrary binary format support and helps reduce attack surface.

Enable support for BUG()

kernel_config_bug

Description

Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel image and potentially quietly ignoring numerous fatal conditions. You should only consider disabling this option for embedded systems with no facilities for reporting errors. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_BUG, run the following command: grep CONFIG_BUG /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

Not setting this variable may hide a number of critical errors.

Trigger a kernel BUG when data corruption is detected

kernel_config_bug_on_data_corruption

Description

This option makes the kernel BUG when it encounters data corruption in kernel memory structures when they get checked for validity. This configuration is available from kernel 4.10. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_BUG_ON_DATA_CORRUPTION, run the following command: grep CONFIG_BUG_ON_DATA_CORRUPTION /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This helps detect data corruptions early and stop with a BUG() error message.

Disable compatibility with brk()

kernel_config_compat_brk

Description

Enabling compatiliby with brk() allows legacy binaries to run (i.e. those linked against libc5). But this compatibility comes at the cost of not being able to randomize the heap placement (ASLR). Unless legacy binaries need to run on the system, set CONFIG_COMPAT_BRK to "n". The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_COMPAT_BRK, run the following command: grep CONFIG_COMPAT_BRK /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

Enabling compatibility with brk() disables support for ASLR.

Disable the 32-bit vDSO

kernel_config_compat_vdso

Description

Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO that is not mapped at the address indicated in its segment table. Setting CONFIG_COMPAT_VDSO to y turns off the 32-bit VDSO and works aroud the glibc bug. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_COMPAT_VDSO, run the following command: grep CONFIG_COMPAT_VDSO /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

Enabling VDSO compatibility hurts performance and disables ASLR.

Enable checks on credential management

kernel_config_debug_credentials

Description

Enable this to turn on some debug checking for credential management. The additional code keeps track of the number of pointers from task_structs to any given cred struct, and checks to see that this number never exceeds the usage count of the cred struct. Furthermore, if SELinux is enabled, this also checks that the security pointer in the cred struct is never seen to be invalid. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_CREDENTIALS, run the following command: grep CONFIG_DEBUG_CREDENTIALS /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This adds sanity checks and validations to credential data structures.

Disable kernel debugfs

kernel_config_debug_fs

Description

debugfs is a virtual file system that kernel developers use to put debugging files into. Enable this option to be able to read and write to these files. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_FS, run the following command: grep CONFIG_DEBUG_FS /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

To reduce the attack surface, this file system should be disabled if not in use.

Enable checks on linked list manipulation

kernel_config_debug_list

Description

Enable this to turn on extended checks in the linked-list walking routines. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_LIST, run the following command: grep CONFIG_DEBUG_LIST /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This add sanity checks to manipulation of linked lists structures in the kernel and may prevent exploits such as CVE-2017-1661, where a race condition and simultaneos operations caused a list to corrupt.

Enable checks on notifier call chains

kernel_config_debug_notifiers

Description

Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel developers to make sure that modules properly unregister themselves from notifier chains. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_NOTIFIERS, run the following command: grep CONFIG_DEBUG_NOTIFIERS /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This provides validation of notifier chains, it checks whether the notifiers are from the kernel or a module that is still loaded prior to being invoked.

Enable checks on scatter-gather (SG) table operations

kernel_config_debug_sg

Description

Scatter-gather tables are mechanism used for high performance I/O on DMA devices. Enable this to turn on checks on scatter-gather tables. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_SG, run the following command: grep CONFIG_DEBUG_SG /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This can help find problems with drivers that do not properly initialize their SG tables.

Warn on W+X mappings found at boot

kernel_config_debug_wx

Description

Generate a warning if any W+X mappings are found at boot. This configuration is available from kernel 5.8. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEBUG_WX, run the following command: grep CONFIG_DEBUG_WX /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This is useful for discovering cases where the kernel is leaving W+X mappings after applying NX, as such mappings are a security risk. Note that even if the check fails, your kernel is possibly still fine, as W+X mappings are not a security hole in themselves, what they do is that they make the exploitation of other unfixed kernel bugs easier.

Configure Low Address Space To Protect From User Allocation

kernel_config_default_mmap_min_addr

Description

This is the portion of low virtual memory which should be protected from userspace allocation. This configuration is available from kernel 3.14, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEFAULT_MMAP_MIN_ADDR, run the following command: grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config-* For each kernel installed, a line with value should be returned. If the system architecture is x86_64, the value should be 65536. If the system architecture is aarch64, the value should be 32768.

Rationale

Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.

Disable /dev/kmem virtual device support

kernel_config_devkmem

Description

Disable support for the /dev/kmem device. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_DEVKMEM, run the following command: grep CONFIG_DEVKMEM /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

The /dev/kmem device is rarely used, but can be used for certain kind of kernel debugging operations.

Harden common str/mem functions against buffer overflows

kernel_config_fortify_source

Description

Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes. This configuration is available from kernel 4.13, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_FORTIFY_SOURCE, run the following command: grep CONFIG_FORTIFY_SOURCE /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This features helps reduce likelihood of memory corruption of kernel structures.

Generate some entropy during boot and runtime

kernel_config_gcc_plugin_latent_entropy

Description

Instrument some kernel code to extract some entropy from both original and artificially created program state. This will help especially embedded systems where there is little 'natural' source of entropy normally. This configuration is available from kernel 4.9, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_LATENT_ENTROPY, run the following command: grep CONFIG_GCC_PLUGIN_LATENT_ENTROPY /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This helps generate entropy during startup and is particularly relevant for devices with inappropriate entropy sources.

Randomize layout of sensitive kernel structures

kernel_config_gcc_plugin_randstruct

Description

Randomize at compile-time the layouts of structures that are entirely function pointers (and have not been manually annotated with __no_randomize_layout), or structures that have been explicitly marked with __randomize_layout. This configuration is available from kernel 4.13, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_RANDSTRUCT, run the following command: grep CONFIG_GCC_PLUGIN_RANDSTRUCT /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

Randomizing the layout of kernel data structures make it more difficult for an attacker to know the location of sensitive data.

Poison kernel stack before returning from syscalls

kernel_config_gcc_plugin_stackleak

Description

This option makes the kernel erase the kernel stack before returning from system calls. This has the effect of leaving the stack initialized to the poison value, which both reduces the lifetime of any sensitive stack contents and reduces potential for uninitialized stack variable exploits or information exposures (it does not cover functions reaching the same stack depth as prior functions during the same syscall). This configuration is available from kernel 4.20, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_STACKLEAK, run the following command: grep CONFIG_GCC_PLUGIN_STACKLEAK /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This blocks most uninitialized stack variable attacks, with the performance impact being driven by the depth of the stack usage, rather than the function calling complexity.

Force initialization of variables containing userspace addresses

kernel_config_gcc_plugin_structleak

Description

While the kernel is built with warnings enabled for any missed stack variable initializations, this warning is silenced for anything passed by reference to another function, under the occasionally misguided assumption that the function will do the initialization. As this regularly leads to exploitable flaws, this plugin is available to identify and zero-initialize such variables, depending on the chosen level of coverage. This configuration is available from kernel 4.11, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_STRUCTLEAK, run the following command: grep CONFIG_GCC_PLUGIN_STRUCTLEAK /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

Initializing structures from userspace can prevent some classes of information exposure.

zero-init everything passed by reference

kernel_config_gcc_plugin_structleak_byref_all

Description

Zero-initialize any stack variables that may be passed by reference and had not already been explicitly initialized. This configuration is available from kernel 4.14, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL, run the following command: grep CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This eliminates all classes of uninitialized stack variable exploits and information exposures.

Harden memory copies between kernel and userspace

kernel_config_hardened_usercopy

Description

This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and copy_from_user() functions) by rejecting memory ranges that are larger than the specified heap object, span multiple separately allocated pages, are not on the process stack, or are part of the kernel text. This configuration is available from kernel 4.8, and may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_HARDENED_USERCOPY, run the following command: grep CONFIG_HARDENED_USERCOPY /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This config prevents entire classes of heap overflow exploits and similar kernel memory exposures.

Do not allow usercopy whitelist violations to fallback to object size

kernel_config_hardened_usercopy_fallback

Description

This is a temporary option that allows missing usercopy whitelists to be discovered via a WARN() to the kernel log, instead of rejecting the copy, falling back to non-whitelisted hardened usercopy that checks the slab allocation size instead of the whitelist size. This configuration is available from kernel 4.16. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_HARDENED_USERCOPY_FALLBACK, run the following command: grep CONFIG_HARDENED_USERCOPY_FALLBACK /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

This config prevents entire classes of heap overflow exploits and similar kernel memory exposures.

Disable hibernation

kernel_config_hibernation

Description

Enable the suspend to disk (STD) functionality, which is usually called "hibernation" in user interfaces. STD checkpoints the system and powers it off; and restores that checkpoint on reboot. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_HIBERNATION, run the following command: grep CONFIG_HIBERNATION /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

Suspending to disk allows one to replace the running kernel.

Disable IA32 emulation

kernel_config_ia32_emulation

Description

Disables support for legacy 32-bit programs under a 64-bit kernel. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_IA32_EMULATION, run the following command: grep CONFIG_IA32_EMULATION /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

Disabling 32-bit backwards compatibility helps reduce the attack surface.

Disable the IPv6 protocol

kernel_config_ipv6

Description

Disable support for IP version 6 (IPv6). The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_IPV6, run the following command: grep CONFIG_IPV6 /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

Any unnecessary network stacks, including IPv6, should be disabled to reduce the vulnerability to exploitation.

Disable kexec system call

kernel_config_kexec

Description

kexec is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot but it is independent of the system firmware. And like a reboot you can start any kernel with it, not just Linux. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_KEXEC, run the following command: grep CONFIG_KEXEC /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

Prohibits the execution of a new kernel image after reboot.

Disable legacy (BSD) PTY support

kernel_config_legacy_ptys

Description

Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for slaves of pseudo terminals, and use only the modern ptys (devpts) interface. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_LEGACY_PTYS, run the following command: grep CONFIG_LEGACY_PTYS /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

The legacy scheme has a number of security problems.

Disable vsyscall emulation

kernel_config_legacy_vsyscall_emulate

Description

The kernel traps and emulates calls into the fixed vsyscall address mapping. This configuration is available from kernel 5.3, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_LEGACY_VSYSCALL_EMULATE, run the following command: grep CONFIG_LEGACY_VSYSCALL_EMULATE /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

The mapping is non-executable, but it still contains known contents, which could be used in certain rare security vulnerability exploits.

Disable vsyscall mapping

kernel_config_legacy_vsyscall_none

Description

This config disables the vsyscall mapping at all. Attempts to use the vsyscalls will be reported to dmesg, so that either old or malicious userspace programs can be identified. This configuration is available from kernel 4.4. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_LEGACY_VSYSCALL_NONE, run the following command: grep CONFIG_LEGACY_VSYSCALL_NONE /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This will eliminate any risk of ASLR bypass due to the vsyscall fixed address mapping.

Disable vsyscall emulate execution only

kernel_config_legacy_vsyscall_xonly

Description

The kernel traps and emulates calls into the fixed vsyscall address mapping and does not allow reads. This configuration is available from kernel 5.3. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_LEGACY_VSYSCALL_XONLY, run the following command: grep CONFIG_LEGACY_VSYSCALL_XONLY /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

Disabling this mitigates certain uses of the vsyscall area as an ASLR-bypassing buffer.

Disable the LDT (local descriptor table)

kernel_config_modify_ldt_syscall

Description

Linux can allow user programs to install a per-process x86 Local Descriptor Table (LDT) using the modify_ldt(2) system call. This is required to run 16-bit or segmented code such as DOSEMU or some Wine programs. It is also used by some very old threading libraries. This configuration is available from kernel 4.3, but may be available if backported by distros. Disable LDT if 16-bit program emulation is not necessary. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODIFY_LDT_SYSCALL, run the following command: grep CONFIG_MODIFY_LDT_SYSCALL /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

Disabling support for unnecessary code reduces attack surface.

Enable module signature verification

kernel_config_module_sig

Description

Check modules for valid signatures upon load. Note that this option adds the OpenSSL development packages as a kernel build dependency so that the signing tool can use its crypto library. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG, run the following command: grep CONFIG_MODULE_SIG /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

Loaded modules must be signed.

Enable automatic signing of all modules

kernel_config_module_sig_all

Description

Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_ALL, run the following command: grep CONFIG_MODULE_SIG_ALL /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This ensures the modules are signed during install process.

Require modules to be validly signed

kernel_config_module_sig_force

Description

Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_FORCE, run the following command: grep CONFIG_MODULE_SIG_FORCE /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

Prevent loading modules that are unsigned or signed with an unknown key.

Specify the hash to use when signing modules

kernel_config_module_sig_hash

Description

This configures the kernel to build and sign modules using $var_kernel_config_module_sig_hash as the hash function. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_HASH, run the following command: grep CONFIG_MODULE_SIG_HASH /boot/config-* For each kernel installed, a line with value "$var_kernel_config_module_sig_hash" should be returned.

Rationale

Use of strong hash function is important to secure the module against counterfeit signatures.

Specify module signing key to use

kernel_config_module_sig_key

Description

Setting this option to something other than its default of certs/signing_key.pem will disable the autogeneration of signing keys and allow the kernel modules to be signed with a key of your choosing. The string provided should identify a file containing both a private key and its corresponding X.509 certificate in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI as defined by RFC7512. In the latter case, the PKCS#11 URI should reference both a certificate and a private key. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_KEY, run the following command: grep CONFIG_MODULE_SIG_KEY /boot/config-* For each kernel installed, a line with value "$var_kernel_config_module_sig_key" should be returned.

Rationale

A key and certificate is required to sign the built modules.

Sign kernel modules with SHA-512

kernel_config_module_sig_sha512

Description

This configures the kernel to build and sign modules using SHA512 as the hash function. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_SHA512, run the following command: grep CONFIG_MODULE_SIG_SHA512 /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

Use of strong hash function is important to secure the module against counterfeit signatures.

Enable poison of pages after freeing

kernel_config_page_poisoning

Description

Fill the pages with poison patterns after free_pages() and verify the patterns before alloc_pages. This does have a potential performance impact if enabled with the "page_poison=1" kernel boot option. This configuration is available from kernel 4.6. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PAGE_POISONING, run the following command: grep CONFIG_PAGE_POISONING /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

The filling of the memory helps reduce the risk of information leaks from freed data.

Enable poison without sanity check

kernel_config_page_poisoning_no_sanity

Description

Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature. This configuration is available from kernel 4.6. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PAGE_POISONING_NO_SANITY, run the following command: grep CONFIG_PAGE_POISONING_NO_SANITY /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This configuration helps alleviates the performance impact of poisonining.

Use zero for poisoning instead of debugging value

kernel_config_page_poisoning_zero

Description

Instead of using the existing poison value, fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization but the zeroing at free means that it is no longer necessary to write zeros when GFP_ZERO is used on allocation. This configuration is available from kernel 4.19. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PAGE_POISONING_ZERO, run the following command: grep CONFIG_PAGE_POISONING_ZERO /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This configuration helps alleviates the performance impact of poisonining.

Remove the kernel mapping in user mode

kernel_config_page_table_isolation

Description

This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace. This configuration is available from kernel 4.15, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PAGE_TABLE_ISOLATION, run the following command: grep CONFIG_PAGE_TABLE_ISOLATION /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This is a countermeasure to the Meltdown attack.

Kernel panic oops

kernel_config_panic_on_oops

Description

Enable the kernel to panic when it oopses. This has the same effect as setting oops=panic on the kernel command line. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PANIC_ON_OOPS, run the following command: grep CONFIG_PANIC_ON_OOPS /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This feature ensures that the kernel does not do anything erroneous after an oops which could result in data corruption or other issues.

Kernel panic timeout

kernel_config_panic_timeout

Description

Set the timeout value (in seconds) until a reboot occurs when the kernel panics. A timeout of 0 configures the system to wait forever. With a timeout value greater than 0, the system will wait the specified amount of seconds before rebooting. While a timeout value less than 0 makes the system reboot immediately. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PANIC_TIMEOUT, run the following command: grep CONFIG_PANIC_TIMEOUT /boot/config-* For each kernel installed, a line with value "$var_kernel_config_panic_timeout" should be returned.

Rationale

This is required to enable protection against Spectre v2.

Disable support for /proc/kkcore

kernel_config_proc_kcore

Description

Provides a virtual ELF core file of the live kernel. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_PROC_KCORE, run the following command: grep CONFIG_PROC_KCORE /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

This feature exposes the memory to the userspace and can assist an attacker in discovering attack vectors.

Randomize the address of the kernel image (KASLR)

kernel_config_randomize_base

Description

In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is mapped. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_RANDOMIZE_BASE, run the following command: grep CONFIG_RANDOMIZE_BASE /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

An unpredictable kernel address makes it more difficult to succeed with exploits that rely on knowledge of the location of kernel code internals.

Randomize the kernel memory sections

kernel_config_randomize_memory

Description

Randomizes the base virtual address of kernel memory sections (physical memory mapping, vmalloc & vmemmap). This configuration is available from kernel 4.8, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_RANDOMIZE_MEMORY, run the following command: grep CONFIG_RANDOMIZE_MEMORY /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This security feature makes exploits relying on predictable memory locations less reliable.

Perform full reference count validation

kernel_config_refcount_full

Description

Enabling this switches the refcounting infrastructure from a fast unchecked atomic_t implementation to a fully state checked implementation, which can have a slight impact in performance. This configuration is available from kernel 4.13, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_REFCOUNT_FULL, run the following command: grep CONFIG_REFCOUNT_FULL /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

Refcounting provides protections against various use-after-free conditions that can be used in security flaw exploits.

Avoid speculative indirect branches in kernel

kernel_config_retpoline

Description

Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect branches. Requires a compiler with -mindirect-branch=thunk-extern support for full protection. The kernel may run slower. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_RETPOLINE, run the following command: grep CONFIG_RETPOLINE /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This is required to enable protection against Spectre v2.

Detect stack corruption on calls to schedule()

kernel_config_sched_stack_end_check

Description

This option checks for a stack overrun on calls to schedule(). If the stack end location is found to be overwritten always panic as the content of the corrupted region can no longer be trusted. This configuration is available from kernel 3.18. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SCHED_STACK_END_CHECK, run the following command: grep CONFIG_SCHED_STACK_END_CHECK /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This ensures no erroneous behaviour occurs which could result in data corruption or a sporadic crash at a later stage once the region is examined.

Enable seccomp to safely compute untrusted bytecode

kernel_config_seccomp

Description

This kernel feature is useful for number crunching applications that may need to compute untrusted bytecode during their execution. By using pipes or other transports made available to the process as file descriptors supporting the read/write syscalls, it's possible to isolate those applications in their own address space using seccomp. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECCOMP, run the following command: grep CONFIG_SECCOMP /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

seccomp enables the ability to filter system calls made by an application, effectively isolating the system's resources from it.

Enable use of Berkeley Packet Filter with seccomp

kernel_config_seccomp_filter

Description

Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement task-defined system call filtering polices. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECCOMP_FILTER, run the following command: grep CONFIG_SECCOMP_FILTER /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

Use of BPF filters allows for expressive filtering of system calls using a filter program language with a long history of being exposed to userland.

Enable different security models

kernel_config_security

Description

This allows you to choose different security modules to be configured into your kernel. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECURITY, run the following command: grep CONFIG_SECURITY /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This is enables kernel security primitives required by the LSM framework.

Restrict unprivileged access to the kernel syslog

kernel_config_security_dmesg_restrict

Description

Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8). The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECURITY_DMESG_RESTRICT, run the following command: grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

Prevents unprivileged users from retrieving kernel addresses with dmesg.

Disable mutable hooks

kernel_config_security_writable_hooks

Description

Ensure kernel structures associated with LSMs are always mapped as read-only after system boot. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECURITY_WRITABLE_HOOKS, run the following command: grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

If CONFIG_SECURITY_WRITABLE_HOOKS is enabled, then hooks can be loaded at runtime and being able to manipulate hooks is a way to bypass all LSMs.

Enable Yama support

kernel_config_security_yama

Description

This enables support for LSM module Yama, which extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. The module will limit the use of the system call ptrace(). The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECURITY_YAMA, run the following command: grep CONFIG_SECURITY_YAMA /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user.

Harden slab freelist metadata

kernel_config_slab_freelist_hardened

Description

This feature protects integrity of the allocator's metadata. This configuration is available from kernel 4.14. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SLAB_FREELIST_HARDENED, run the following command: grep CONFIG_SLAB_FREELIST_HARDENED /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

Many kernel heap attacks try to target slab cache metadata and other infrastructure. This options makes minor performance sacrifices to harden the kernel slab allocator against common freelist exploit methods.

Randomize slab freelist

kernel_config_slab_freelist_random

Description

Randomizes the freelist order used on creating new pages. This configuration is available from kernel 5.9, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SLAB_FREELIST_RANDOM, run the following command: grep CONFIG_SLAB_FREELIST_RANDOM /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This security feature reduces the predictability of the kernel slab allocator against heap overflows.

Disallow merge of slab caches

kernel_config_slab_merge_default

Description

For reduced kernel memory fragmentation, slab caches can be merged when they share the same size and other characteristics. This carries a risk of kernel heap overflows being able to overwrite objects from merged caches (and more easily control cache layout), which makes such heap attacks easier to exploit by attackers. This configuration is available from kernel 4.13. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SLAB_MERGE_DEFAULT, run the following command: grep CONFIG_SLAB_MERGE_DEFAULT /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

Disabling the merge of slabs of similar sizes prevents the kernel from merging a seemingly useless but vulnerable slab with a useful and valuable slab. This increase the risk that a heap overflow could overwrite objects from merged caches, with unmerged caches the heap overflow would only affect the objects in the same cache. Overall, this reduces the kernel attack surface area by isolating slabs from each other.

Enable SLUB debugging support

kernel_config_slub_debug

Description

SLUB has extensive debug support features and this allows the allocator validation checking to be enabled. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SLUB_DEBUG, run the following command: grep CONFIG_SLUB_DEBUG /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This activates the checking of the memory allocator structures and resets to zero the zones allocated when they are released.

Stack Protector buffer overlow detection

kernel_config_stackprotector

Description

This feature puts, at the beginning of functions, a canary value on the stack just before the return address, and validates the value just before actually returning. This configuration is available from kernel 4.18. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_STACKPROTECTOR, run the following command: grep CONFIG_STACKPROTECTOR /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This halts the program when a stack overflow is detected, potentially reducing the impact of exploits.

Strong Stack Protector

kernel_config_stackprotector_strong

Description

This features adds canary logic protection to more kinds of vulnerable functions than CONFIG_STACKPROTECTOR, but not to all functions so that performance is not severily impacted. This configuration is available from kernel 4.18. This config requires gcc version 4.9 or above, or a distribution gcc with the feature backported ("-fstack-protector-strong"). The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_STACKPROTECTOR_STRONG, run the following command: grep CONFIG_STACKPROTECTOR_STRONG /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This provides a mechanism that protects more vulnerable functions than CONFIG_STACKPROTECTOR, balancing between security and performance.

Make the kernel text and rodata read-only

kernel_config_strict_kernel_rwx

Description

When set, kernel text and rodata memory will be made read-only, and non-text memory will be made non-executable. This configuration is available from kernel 4.11. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_STRICT_KERNEL_RWX, run the following command: grep CONFIG_STRICT_KERNEL_RWX /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This provides protection against certain security exploits (e.g. executing the heap or modifying text)

Make the module text and rodata read-only

kernel_config_strict_module_rwx

Description

When set, module text and rodata memory will be made read-only, and non-text memory will be made non-executable. This configuration is available from kernel 4.11. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_STRICT_MODULE_RWX, run the following command: grep CONFIG_STRICT_MODULE_RWX /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This provides protection against certain security exploits (e.g. executing the heap or modifying text)

Enable TCP/IP syncookie support

kernel_config_syn_cookies

Description

Normal TCP/IP networking is open to an attack known as SYN flooding. It is denial-of-service attack that prevents legitimate remote users from being able to connect to your computer during an ongoing attack. When enabled the TCP/IP stack will use a cryptographic challenge protocol known as SYN cookies to enable legitimate users to continue to connect, even when your machine is under attack. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SYN_COOKIES, run the following command: grep CONFIG_SYN_COOKIES /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

SYN cookies provide protection against SYN flooding attacks.

Unmap kernel when running in userspace (aka KAISER)

kernel_config_unmap_kernel_at_el0

Description

Speculation attacks against some high-performance processors can be used to bypass MMU permission checks and leak kernel data to userspace. This can be defended against by unmapping the kernel when running in userspace, mapping it back in on exception entry via a trampoline page in the vector table. This configuration is available from kernel 4.16, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_UNMAP_KERNEL_AT_EL0, run the following command: grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This is a countermeasure to the Meltdown attack.

User a virtually-mapped stack

kernel_config_vmap_stack

Description

Enable this to use virtually-mapped kernel stacks with guard pages. This configuration is available from kernel 4.9. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_VMAP_STACK, run the following command: grep CONFIG_VMAP_STACK /boot/config-* For each kernel installed, a line with value "y" should be returned.

Rationale

This causes kernel stack overflows to be caught immediately rather than causing difficult-to-diagnose corruption.

Disable x86 vsyscall emulation

kernel_config_x86_vsyscall_emulation

Description

Disabling it is roughly equivalent to booting with vsyscall=none, except that it will also disable the helpful warning if a program tries to use a vsyscall. With this option set to N, offending programs will just segfault, citing addresses of the form 0xffffffffff600?00. This configuration is available from kernel 3.19. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_X86_VSYSCALL_EMULATION, run the following command: grep CONFIG_X86_VSYSCALL_EMULATION /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

Rationale

The vsyscall table is no longer required and is a potential source of ROP gadgets.

Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool

kernel_disable_entropy_contribution_for_solid_state_drives

Description

For each solid-state drive on the system, run:

 # echo 0 > /sys/block/DRIVE/queue/add_random

Rationale

In contrast to traditional electromechanical magnetic disks, containing spinning disks and / or movable read / write heads, the solid-state storage devices (SSDs) do not contain moving / mechanical components. Therefore the I/O operation completion times are much more predictable for them.

Disable ATM Support

kernel_module_atm_disabled

Description

The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf:

install atm /bin/false

Rationale

Disabling ATM protects the system against exploitation of any flaws in its implementation.

Disable Bluetooth Kernel Module

kernel_module_bluetooth_disabled

Description

The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:

install bluetooth /bin/true

Rationale

If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Disable CAN Support

kernel_module_can_disabled

Description

The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf:

install can /bin/false

Rationale

Disabling CAN protects the system against exploitation of any flaws in its implementation.

Disable Kernel cfg80211 Module

kernel_module_cfg80211_disabled

Description

To configure the system to prevent the cfg80211 kernel module from being loaded, add the following line to the file /etc/modprobe.d/cfg80211.conf:

install cfg80211 /bin/false

Rationale

If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Disable Mounting of cramfs

kernel_module_cramfs_disabled

Description

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:

install cramfs /bin/false
This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.

Rationale

Removing support for unneeded filesystem types reduces the local attack surface of the server.

Disable DCCP Support

kernel_module_dccp_disabled

Description

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf:

install dccp /bin/false

Rationale

Disabling DCCP protects the system against exploitation of any flaws in its implementation.

Disable IEEE 1394 (FireWire) Support

kernel_module_firewire-core_disabled

Description

The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the firewire-core kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf:

install firewire-core /bin/false

Rationale

Disabling FireWire protects the system against exploitation of any flaws in its implementation.

Disable Mounting of freevxfs

kernel_module_freevxfs_disabled

Description

To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/freevxfs.conf:

install freevxfs /bin/false
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Disable Mounting of hfs

kernel_module_hfs_disabled

Description

To configure the system to prevent the hfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfs.conf:

install hfs /bin/false
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Disable Mounting of hfsplus

kernel_module_hfsplus_disabled

Description

To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfsplus.conf:

install hfsplus /bin/false
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Disable IPv6 Networking Support Automatic Loading

kernel_module_ipv6_option_disabled

Description

To prevent the IPv6 kernel module (ipv6) from binding to the IPv6 networking stack, add the following line to /etc/modprobe.d/disabled.conf (or another file in /etc/modprobe.d):

options ipv6 disable=1
This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.

Rationale

Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.

Disable Kernel iwlmvm Module

kernel_module_iwlmvm_disabled

Description

To configure the system to prevent the iwlmvm kernel module from being loaded, add the following line to the file /etc/modprobe.d/iwlmvm.conf:

install iwlmvm /bin/false

Rationale

If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Disable Kernel iwlwifi Module

kernel_module_iwlwifi_disabled

Description

To configure the system to prevent the iwlwifi kernel module from being loaded, add the following line to the file /etc/modprobe.d/iwlwifi.conf:

install iwlwifi /bin/false

Rationale

If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Disable Mounting of jffs2

kernel_module_jffs2_disabled

Description

To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:

install jffs2 /bin/false
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Disable Kernel mac80211 Module

kernel_module_mac80211_disabled

Description

To configure the system to prevent the mac80211 kernel module from being loaded, add the following line to the file /etc/modprobe.d/mac80211.conf:

install mac80211 /bin/false

Rationale

If Wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Disable RDS Support

kernel_module_rds_disabled

Description

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the rds kernel module from being loaded, add the following line to the file /etc/modprobe.d/rds.conf:

install rds /bin/false

Rationale

Disabling RDS protects the system against exploitation of any flaws in its implementation.

Disable SCTP Support

kernel_module_sctp_disabled

Description

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:

install sctp /bin/false

Rationale

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Disable Mounting of squashfs

kernel_module_squashfs_disabled

Description

To configure the system to prevent the squashfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:

install squashfs /bin/false
This effectively prevents usage of this uncommon filesystem. The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image.

Rationale

Removing support for unneeded filesystem types reduces the local attack surface of the system.

Disable TIPC Support

kernel_module_tipc_disabled

Description

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf:

install tipc /bin/false

Rationale

Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Disable Mounting of udf

kernel_module_udf_disabled

Description

To configure the system to prevent the udf kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf:

install udf /bin/false
This effectively prevents usage of this uncommon filesystem. The udf filesystem type is the universal disk format used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is neccessary to support writing DVDs and newer optical disc formats.

Rationale

Removing support for unneeded filesystem types reduces the local attack surface of the system.

Disable Modprobe Loading of USB Storage Driver

kernel_module_usb-storage_disabled

Description

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:

install usb-storage /bin/false
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.

Rationale

USB storage devices such as thumb drives can be used to introduce malicious software.

Disable the uvcvideo module

kernel_module_uvcvideo_disabled

Description

If the device contains a camera it should be covered or disabled when not in use.

Rationale

Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.

Disable Mounting of vFAT filesystems

kernel_module_vfat_disabled

Description

To configure the system to prevent the vfat kernel module from being loaded, add the following line to the file /etc/modprobe.d/vfat.conf:

install vfat /bin/false
This effectively prevents usage of this uncommon filesystem. The vFAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12, FAT16, and FAT32 all of which are supported by the vfat kernel module.

Rationale

Removing support for unneeded filesystems reduces the local attack surface of the system.

Manually Assign IPv6 Router Address

network_ipv6_default_gateway

Description

Edit the file /etc/sysconfig/network-scripts/ifcfg-interface, and add or correct the following line (substituting your gateway IP as appropriate):

IPV6_DEFAULTGW=2001:0DB8::0001
Router addresses should be manually set and not accepted via any auto-configuration or router advertisement.

Rationale

Disable Interface Usage of IPv6

network_ipv6_disable_interfaces

Description

To disable interface usage of IPv6, add or correct the following lines in /etc/sysconfig/network:

NETWORKING_IPV6=no
IPV6INIT=no

Rationale

Disable Support for RPC IPv6

network_ipv6_disable_rpc

Description

RPC services for NFSv4 try to load transport modules for udp6 and tcp6 by default, even if IPv6 has been disabled in /etc/modprobe.d. To prevent RPC services such as rpc.mountd from attempting to start IPv6 network listeners, remove or comment out the following two lines in /etc/netconfig:

udp6       tpi_clts      v     inet6    udp     -       -
tcp6       tpi_cots_ord  v     inet6    tcp     -       -

Rationale

Use Privacy Extensions for Address

network_ipv6_privacy_extensions

Description

To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in /etc/sysconfig/network-scripts/ifcfg-interface:

IPV6_PRIVACY=rfc3041
Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. Ethernet) address, and so it becomes possible to track a piece of hardware over its lifetime using its traffic. If it is important for a system's IP address to not trivially reveal its hardware address, this setting should be applied.

Rationale

Manually Assign Global IPv6 Address

network_ipv6_static_address

Description

To manually assign an IP address for an interface, edit the file /etc/sysconfig/network-scripts/ifcfg-interface. Add or correct the following line (substituting the correct IPv6 address):

IPV6ADDR=2001:0DB8::ABCD/64
Manually assigning an IP address is preferable to accepting one from routers or from the network otherwise. The example address here is an IPv6 address reserved for documentation purposes, as defined by RFC3849.

Rationale

Uninstall abrt-addon-kerneloops Package

package_abrt-addon-kerneloops_removed

Description

The abrt-addon-kerneloops package can be removed with the following command:

$ sudo dnf remove abrt-addon-kerneloops

Rationale

abrt-addon-kerneloops contains plugins for collecting kernel crash information and reporter plugin which sends this information to a specified server, usually to kerneloops.org.

Install iptables-nft Package

package_iptables-nft_installed

Description

The iptables-nft package can be installed with the following command:

$ sudo dnf install iptables-nft

Rationale

iptables-nft controls the Linux kernel network packet filtering code. iptables-nft allows system operators to set up firewalls and IP masquerading, etc.

Uninstall nfs-kernel-server Package

package_nfs-kernel-server_removed

Description

The nfs-kernel-server package can be removed with the following command:

$ sudo dnf remove nfs-kernel-server

Rationale

If the system does not export NFS shares or act as an NFS client, it is recommended that these services be removed to reduce the remote attack surface.

Disable the domain_kernel_load_modules SELinux Boolean

sebool_domain_kernel_load_modules

Description

By default, the SELinux boolean domain_kernel_load_modules is disabled. If this setting is enabled, it should be disabled. To disable the domain_kernel_load_modules SELinux boolean, run the following command:

$ sudo setsebool -P domain_kernel_load_modules off

Rationale

Enable Kernel Parameter to Enforce DAC on FIFOs

sysctl_fs_protected_fifos

Description

To set the runtime status of the fs.protected_fifos kernel parameter, run the following command:

$ sudo sysctl -w fs.protected_fifos=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_fifos = 2

Rationale

This parameter is available since Linux Kernel 4.19 and allows to prohibit opening FIFOs that are not owned by the user in world and group writeable sticky directories. It avoids unintentional writes to an attacker-controlled FIFO where a program expects to create the regular file.

Enable Kernel Parameter to Enforce DAC on Regular files

sysctl_fs_protected_regular

Description

To set the runtime status of the fs.protected_regular kernel parameter, run the following command:

$ sudo sysctl -w fs.protected_regular=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_regular = 2

Rationale

This parameter is available since Linux Kernel 4.19 and allows to prohibit opening "regular" files that are not owned by the user in world and group writeable sticky directories. It avoids writes to an attacker-controlled regular file, for example, when a program expects to create the regular file.

Disable Core Dumps for SUID programs

sysctl_fs_suid_dumpable

Description

To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:

$ sudo sysctl -w fs.suid_dumpable=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.suid_dumpable = 0

Rationale

The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.

Disable storing core dumps

sysctl_kernel_core_pattern

Description

To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:

$ sudo sysctl -w kernel.core_pattern=|/bin/false
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = |/bin/false

Rationale

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Disable storing core dumps

sysctl_kernel_core_pattern_empty_string

Description

The kernel.core_pattern option specifies the core dumpfile pattern name. It can be set to an empty string. In this case, the kernel behaves differently based on another related option. If kernel.core_uses_pid is set to 1, then a file named as .PID (where PID is process ID of the crashed process) is created in the working directory. If kernel.core_uses_pid is set to 0, no coredump is saved. To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:

$ sudo sysctl -w kernel.core_pattern=
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = 

Rationale

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Configure file name of core dumps

sysctl_kernel_core_uses_pid

Description

To set the runtime status of the kernel.core_uses_pid kernel parameter, run the following command:

$ sudo sysctl -w kernel.core_uses_pid=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_uses_pid = 0

Rationale

The default coredump filename is core. By setting core_uses_pid to 1, the coredump filename becomes core.PID. If core_pattern does not include %p (default does not) and core_uses_pid is set, then .PID will be appended to the filename. When combined with kernel.core_pattern = "" configuration, it is ensured that no core dumps are generated and also no confusing error messages are printed by a shell.

Restrict Access to Kernel Message Buffer

sysctl_kernel_dmesg_restrict

Description

To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:

$ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1

Rationale

Unprivileged access to the kernel syslog can expose sensitive kernel address information.

Enable ExecShield via sysctl

sysctl_kernel_exec_shield

Description

By default on Red Hat Enterprise Linux 9 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in /etc/default/grub.

Rationale

ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.

Disable Kernel Image Loading

sysctl_kernel_kexec_load_disabled

Description

To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kexec_load_disabled = 1

Rationale

Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled.

Restrict Exposed Kernel Pointer Addresses Access

sysctl_kernel_kptr_restrict

Description

To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:

$ sudo sysctl -w kernel.kptr_restrict=$sysctl_kernel_kptr_restrict_value
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = $sysctl_kernel_kptr_restrict_value

Rationale

Exposing kernel pointers (through procfs or seq_printf()) exposes kernel writeable structures which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallow any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with 0.

Disable loading and unloading of kernel modules

sysctl_kernel_modules_disabled

Description

To set the runtime status of the kernel.modules_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.modules_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.modules_disabled = 1

Rationale

Malicious kernel modules can have a significant impact on system security and availability. Disabling loading of kernel modules prevents this threat. Note that once this option has been set, it cannot be reverted without doing a system reboot. Make sure that all needed kernel modules are loaded before setting this option.

Kernel panic on oops

sysctl_kernel_panic_on_oops

Description

To set the runtime status of the kernel.panic_on_oops kernel parameter, run the following command:

$ sudo sysctl -w kernel.panic_on_oops=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.panic_on_oops = 1

Rationale

An attacker trying to exploit the kernel may trigger kernel OOPSes, panicking the system will impede them from continuing.

Limit CPU consumption of the Perf system

sysctl_kernel_perf_cpu_time_max_percent

Description

To set the runtime status of the kernel.perf_cpu_time_max_percent kernel parameter, run the following command:

$ sudo sysctl -w kernel.perf_cpu_time_max_percent=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.perf_cpu_time_max_percent = 1

Rationale

The kernel.perf_cpu_time_max_percent configures a treshold of maximum percentile of CPU that can be used by Perf system. Restricting usage of Perf system decreases risk of potential availability problems.

Limit sampling frequency of the Perf system

sysctl_kernel_perf_event_max_sample_rate

Description

To set the runtime status of the kernel.perf_event_max_sample_rate kernel parameter, run the following command:

$ sudo sysctl -w kernel.perf_event_max_sample_rate=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.perf_event_max_sample_rate = 1

Rationale

The kernel.perf_event_max_sample_rate parameter configures maximum frequency of collecting of samples for the Perf system. It is expressed in samples per second. Restricting usage of Perf system decreases risk of potential availability problems.

Disallow kernel profiling by unprivileged users

sysctl_kernel_perf_event_paranoid

Description

To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command:

$ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.perf_event_paranoid = 2

Rationale

Kernel profiling can reveal sensitive information about kernel behaviour.

Configure maximum number of process identifiers

sysctl_kernel_pid_max

Description

To set the runtime status of the kernel.pid_max kernel parameter, run the following command:

$ sudo sysctl -w kernel.pid_max=65536
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.pid_max = 65536

Rationale

The kernel.pid_max parameter configures upper limit on process identifiers (PID). If this number is not high enough, it might happen that forking of new processes is not possible, because all available PIDs are exhausted. Increasing this number enhances availability.

Enable Randomized Layout of Virtual Address Space

sysctl_kernel_randomize_va_space

Description

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2

Rationale

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

Disallow magic SysRq key

sysctl_kernel_sysrq

Description

To set the runtime status of the kernel.sysrq kernel parameter, run the following command:

$ sudo sysctl -w kernel.sysrq=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.sysrq = 0

Rationale

The Magic SysRq key allows sending certain commands directly to the running kernel. It can dump various system and process information, potentially revealing sensitive information. It can also reboot or shutdown the machine, disturbing its availability.

Disable Access to Network bpf() Syscall From Unprivileged Processes

sysctl_kernel_unprivileged_bpf_disabled

Description

To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1

Rationale

Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state.

Disable Access to Network bpf() Syscall From Unprivileged Processes

sysctl_kernel_unprivileged_bpf_disabled_accept_default

Description

To prevent unprivileged processes from using the bpf() syscall the kernel.unprivileged_bpf_disabled kernel parameter must be set to 1 or 2. Writing 1 to this entry will disable unprivileged calls to bpf(); once disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. Once set to 1, this can't be cleared from the running kernel anymore. To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
Writing 2 to this entry will also disable unprivileged calls to bpf(), however, an admin can still change this setting later on, if needed, by writing 0 or 1 to this entry. To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 2

Rationale

Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state.

Restrict usage of ptrace to descendant processes

sysctl_kernel_yama_ptrace_scope

Description

To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:

$ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.yama.ptrace_scope = 1

Rationale

Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).

Harden the operation of the BPF just-in-time compiler

sysctl_net_core_bpf_jit_harden

Description

To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:

$ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2

Rationale

When hardened, the extended Berkeley Packet Filter just-in-time compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in /proc/kallsyms.

Disable Accepting Packets Routed Between Local Interfaces

sysctl_net_ipv4_conf_all_accept_local

Description

To set the runtime status of the net.ipv4.conf.all.accept_local kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_local=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_local = 0

Rationale

Configure net.ipv4.conf.all.accept_local=0 to consider as invalid the packets received from outside whose source is the 127.0.0.0/8 address block. In combination with suitable routing, this can be used to direct packets between two local interfaces over the wire and have them accepted properly.

Disable Accepting ICMP Redirects for All IPv4 Interfaces

sysctl_net_ipv4_conf_all_accept_redirects

Description

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

sysctl_net_ipv4_conf_all_accept_source_route

Description

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Configure ARP filtering for All IPv4 Interfaces

sysctl_net_ipv4_conf_all_arp_filter

Description

To set the runtime status of the net.ipv4.conf.all.arp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.arp_filter=$sysctl_net_ipv4_conf_all_arp_filter_value
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.arp_filter = $sysctl_net_ipv4_conf_all_arp_filter_value

Rationale

Prevents the Linux Kernel from handling the ARP table globally. By default, the kernel may respond to an ARP request from a certain interface with information from another interface.

Configure Response Mode of ARP Requests for All IPv4 Interfaces

sysctl_net_ipv4_conf_all_arp_ignore

Description

To set the runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=$sysctl_net_ipv4_conf_all_arp_ignore_value
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.arp_ignore = $sysctl_net_ipv4_conf_all_arp_ignore_value

Rationale

Avoids ARP Flux on system that have more than one interface on the same subnet.

Drop Gratuitious ARP frames on All IPv4 Interfaces

sysctl_net_ipv4_conf_all_drop_gratuitous_arp

Description

To set the runtime status of the net.ipv4.conf.all.drop_gratuitous_arp kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.drop_gratuitous_arp=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.drop_gratuitous_arp = 1

Rationale

Drop Gratuitous ARP frames to prevent ARP poisoning.

Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces

sysctl_net_ipv4_conf_all_forwarding

Description

To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.forwarding = 0

Rationale

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

sysctl_net_ipv4_conf_all_log_martians

Description

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.log_martians = 1

Rationale

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces

sysctl_net_ipv4_conf_all_route_localnet

Description

To set the runtime status of the net.ipv4.conf.all.route_localnet kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.route_localnet=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.route_localnet = 0

Rationale

Refuse the routing of packets whose source or destination address is the local loopback. This prohibits the use of network 127/8 for local routing purposes. Enabling route_localnet can expose applications listening on localhost to external traffic.

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

sysctl_net_ipv4_conf_all_rp_filter

Description

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1

Rationale

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces

sysctl_net_ipv4_conf_all_secure_redirects

Description

To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

sysctl_net_ipv4_conf_all_send_redirects

Description

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.

Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces

sysctl_net_ipv4_conf_all_shared_media

Description

To set the runtime status of the net.ipv4.conf.all.shared_media kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.shared_media=$sysctl_net_ipv4_conf_all_shared_media_value
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.shared_media = $sysctl_net_ipv4_conf_all_shared_media_value

Rationale

This setting should be aligned with net.ipv4.conf.all.secure_redirects because it overrides it. If shared_media is enabled for an interface secure_redirects will be enabled too.

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

sysctl_net_ipv4_conf_default_accept_redirects

Description

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

sysctl_net_ipv4_conf_default_accept_source_route

Description

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default

sysctl_net_ipv4_conf_default_log_martians

Description

To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.log_martians = 1

Rationale

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

sysctl_net_ipv4_conf_default_rp_filter

Description

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.rp_filter = 1

Rationale

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Configure Kernel Parameter for Accepting Secure Redirects By Default

sysctl_net_ipv4_conf_default_secure_redirects

Description

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

sysctl_net_ipv4_conf_default_send_redirects

Description

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.

Configure Sending and Accepting Shared Media Redirects by Default

sysctl_net_ipv4_conf_default_shared_media

Description

To set the runtime status of the net.ipv4.conf.default.shared_media kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.shared_media=$sysctl_net_ipv4_conf_default_shared_media_value
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.shared_media = $sysctl_net_ipv4_conf_default_shared_media_value

Rationale

This setting should be aligned with net.ipv4.conf.default.secure_redirects because it overrides it. If shared_media is enabled for an interface secure_redirects will be enabled too.

Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

sysctl_net_ipv4_icmp_echo_ignore_broadcasts

Description

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Rationale

Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

sysctl_net_ipv4_icmp_ignore_bogus_error_responses

Description

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_ignore_bogus_error_responses = 1

Rationale

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces

sysctl_net_ipv4_ip_forward

Description

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.ip_forward = 0

Rationale

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.

Set Kernel Parameter to Increase Local Port Range

sysctl_net_ipv4_ip_local_port_range

Description

To set the runtime status of the net.ipv4.ip_local_port_range kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.ip_local_port_range = 32768 65535

Rationale

This setting defines the local port range that is used by TCP and UDP to choose the local port. The first number is the first, the second the last local port number.

Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments

sysctl_net_ipv4_tcp_invalid_ratelimit

Description

Make sure that the system is configured to limit the maximal rate for sending duplicate acknowledgments in response to incoming TCP packets that are for an existing connection but that are invalid due to any of these reasons: (a) out-of-window sequence number, (b) out-of-window acknowledgment number, or (c) PAWS (Protection Against Wrapped Sequence numbers) check failure This measure protects against or limits effects of DoS attacks against the system. Set the system to implement rate-limiting measures by adding the following line to /etc/sysctl.conf or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):

net.ipv4.tcp_invalid_ratelimit = $sysctl_net_ipv4_tcp_invalid_ratelimit_value
Issue the following command to make the changes take effect:
# sysctl --system

Rationale

Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

This can help mitigate simple “ack loop” DoS attacks, wherein a buggy or malicious middlebox or man-in-the-middle can rewrite TCP header fields in manner that causes each endpoint to think that the other is sending invalid TCP segments, thus causing each side to send an unterminating stream of duplicate acknowledgments for invalid segments.

Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces

sysctl_net_ipv4_tcp_rfc1337

Description

To set the runtime status of the net.ipv4.tcp_rfc1337 kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.tcp_rfc1337=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.tcp_rfc1337 = 1

Rationale

Enable TCP behavior conformant with RFC 1337. When disabled, if a RST is received in TIME_WAIT state, we close the socket immediately without waiting for the end of the TIME_WAIT period.

Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

sysctl_net_ipv4_tcp_syncookies

Description

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.tcp_syncookies = 1

Rationale

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Configure Accepting Router Advertisements on All IPv6 Interfaces

sysctl_net_ipv6_conf_all_accept_ra

Description

To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces

sysctl_net_ipv6_conf_all_accept_ra_defrtr

Description

To set the runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra_defrtr = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces

sysctl_net_ipv6_conf_all_accept_ra_pinfo

Description

To set the runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra_pinfo = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces

sysctl_net_ipv6_conf_all_accept_ra_rtr_pref

Description

To set the runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra_rtr_pref = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Disable Accepting ICMP Redirects for All IPv6 Interfaces

sysctl_net_ipv6_conf_all_accept_redirects

Description

To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0

Rationale

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

sysctl_net_ipv6_conf_all_accept_source_route

Description

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Configure Auto Configuration on All IPv6 Interfaces

sysctl_net_ipv6_conf_all_autoconf

Description

To set the runtime status of the net.ipv6.conf.all.autoconf kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.autoconf=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.autoconf = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Disable IPv6 Addressing on All IPv6 Interfaces

sysctl_net_ipv6_conf_all_disable_ipv6

Description

To disable support for (ipv6) addressing on all interface add the following line to /etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):

net.ipv6.conf.all.disable_ipv6 = 1
This disables IPv6 on all network interfaces as other services and system functionality require the IPv6 stack loaded to work.

Rationale

Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.

Disable Kernel Parameter for IPv6 Forwarding

sysctl_net_ipv6_conf_all_forwarding

Description

To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0

Rationale

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces

sysctl_net_ipv6_conf_all_max_addresses

Description

To set the runtime status of the net.ipv6.conf.all.max_addresses kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.max_addresses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.max_addresses = 1

Rationale

The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses.

Configure Denying Router Solicitations on All IPv6 Interfaces

sysctl_net_ipv6_conf_all_router_solicitations

Description

To set the runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.router_solicitations = 0

Rationale

To prevent discovery of the system by other systems, router solicitation requests should be denied.

Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

sysctl_net_ipv6_conf_default_accept_ra

Description

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default

sysctl_net_ipv6_conf_default_accept_ra_defrtr

Description

To set the runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra_defrtr = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default

sysctl_net_ipv6_conf_default_accept_ra_pinfo

Description

To set the runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra_pinfo = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default

sysctl_net_ipv6_conf_default_accept_ra_rtr_pref

Description

To set the runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra_rtr_pref = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

sysctl_net_ipv6_conf_default_accept_redirects

Description

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0

Rationale

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

sysctl_net_ipv6_conf_default_accept_source_route

Description

To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Configure Auto Configuration on All IPv6 Interfaces By Default

sysctl_net_ipv6_conf_default_autoconf

Description

To set the runtime status of the net.ipv6.conf.default.autoconf kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.autoconf=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.autoconf = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Disable IPv6 Addressing on IPv6 Interfaces by Default

sysctl_net_ipv6_conf_default_disable_ipv6

Description

To disable support for (ipv6) addressing on interfaces by default add the following line to /etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):

net.ipv6.conf.default.disable_ipv6 = 1
This disables IPv6 on network interfaces by default as other services and system functionality require the IPv6 stack loaded to work.

Rationale

Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.

Disable Kernel Parameter for IPv6 Forwarding by default

sysctl_net_ipv6_conf_default_forwarding

Description

To set the runtime status of the net.ipv6.conf.default.forwarding kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.forwarding = 0

Rationale

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default

sysctl_net_ipv6_conf_default_max_addresses

Description

To set the runtime status of the net.ipv6.conf.default.max_addresses kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.max_addresses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.max_addresses = 1

Rationale

The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses.

Configure Denying Router Solicitations on All IPv6 Interfaces By Default

sysctl_net_ipv6_conf_default_router_solicitations

Description

To set the runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.router_solicitations = 0

Rationale

To prevent discovery of the system by other systems, router solicitation requests should be denied.

Disable the use of user namespaces

sysctl_user_max_user_namespaces

Description

To set the runtime status of the user.max_user_namespaces kernel parameter, run the following command:

$ sudo sysctl -w user.max_user_namespaces=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
user.max_user_namespaces = 0
When containers are deployed on the machine, the value should be set to large non-zero value.

Rationale

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. User namespaces are used primarily for Linux containers. The value 0 disallows the use of user namespaces.

Prevent applications from mapping low portion of virtual memory

sysctl_vm_mmap_min_addr

Description

To set the runtime status of the vm.mmap_min_addr kernel parameter, run the following command:

$ sudo sysctl -w vm.mmap_min_addr=65536
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
vm.mmap_min_addr = 65536

Rationale

The vm.mmap_min_addr parameter specifies the minimum virtual address that a process is allowed to mmap. Allowing a process to mmap low portion of virtual memory can have security implications such as such as heightened risk of kernel null pointer dereference defects.