Config notes

| Domain | Object | Recommendations |
| --- | --- | --- |
| Hardware-Integrity-1 | Bootloader | Must control bootloader integrity. |
| Hardware-Integrity-2 | Board | Must use an HSM. |
| Hardware-Integrity-3 | RTC | Must not be alterable. |
| Hardware-Certificate-1 | System | Shall allow storing dedicated certificates. |
| Hardware-Certificate-2 | ECU | The ECU must verify the certification authority hierarchy. |
| Hardware-Certificate-3 | System | Allow the modification of certificates only if the source can be authenticated by a certificate already stored or in the higher levels of the chain of trust. |
| Hardware-Memory-1 | ECU | The ECU shall never expose the unencrypted key in RAM when using cryptographic keys. |
| Hardware-Memory-2 | Bootloader | Internal NVM only. |
| Hardware-Module-3 | - | HSM must be used to secure keys. |
| Domain | Variable / Config name | Value |
| --- | --- | --- |
| Boot-Image-Selection-1 | CONFIG_BOOTDELAY | -2 |
| Boot-Image-Selection-2 | bootdelay | -2 |
| Domain | Config name | State |
| --- | --- | --- |
| Boot-Image-Authenticity-1 | CONFIG_FIT | Enable |
| Boot-Image-Authenticity-2 | CONFIG_FIT_SIGNATURE | Enable |
| Boot-Image-Authenticity-3 | CONFIG_RSA | Enable |
| Boot-Image-Authenticity-4 | CONFIG_OF_CONTROL | Enable |
| Boot-Image-Authenticity-5 | CONFIG_OF_SEPARATE | Enable |
| Boot-Image-Authenticity-6 | CONFIG_DEFAULT_DEVICE_TREE | Enable |
| Domain | Communication modes | State |
| --- | --- | --- |
| Boot-Communication-1 | USB | Disabled and compiled out if not required. |
| Boot-Communication-2 | USB | Otherwise, the kernel should be configured to enable only the minimum required USB devices, and filesystems should be treated with special care. |
| Boot-Communication-3 | Ethernet | Disabled |
| Boot-Communication-4 | U-boot and sboot DOCSIS | Disabled |
| Boot-Communication-5 | Serial ports | Disabled |
| Domain | Config name | State |
| --- | --- | --- |
| Boot-Communication-USB-1 | CONFIG_CMD_USB | Not defined |
| Boot-Communication-USB-2 | CONFIG_USB_UHCI | Not defined |
| Boot-Communication-USB-3 | CONFIG_USB_KEYBOARD | Not defined |
| Boot-Communication-USB-4 | CONFIG_USB_STORAGE | Not defined |
| Boot-Communication-USB-5 | CONFIG_USB_HOST_ETHER | Not defined |
| Domain | Communication modes | State |
| --- | --- | --- |
| Boot-Communication-1 | Network interfaces | Preferably no network interface is allowed; otherwise, restrict the services to those used. |
| Domain | Object | Recommendations |
| --- | --- | --- |
| Boot-Communication-1 | Services, ports and devices | Restrict the services, ports and devices to those used. |
| Domain | Command name | State |
| --- | --- | --- |
| Boot-Communication-Flash-1 | do_nand | Disable |
| Domain | Config name | Value |
| --- | --- | --- |
| Boot-Consoles-Serial-1 | CONFIG_SILENT_CONSOLE | Disable |
| Boot-Consoles-Serial-2 | CONFIG_SYS_DEVICE_NULLDEV | Disable |
| Domain | Environment variable name | State |
| --- | --- | --- |
| Boot-Consoles-Serial-1 | INC_DEBUG_PRINT | Not defined |
| Domain | Config name | State |
| --- | --- | --- |
| Boot-Consoles-Variables-1 | CONFIG_ENV_IS_IN_MMC | #undef |
| Boot-Consoles-Variables-2 | CONFIG_ENV_IS_IN_EEPROM | #undef |
| Boot-Consoles-Variables-3 | CONFIG_ENV_IS_IN_FLASH | #undef |
| Boot-Consoles-Variables-4 | CONFIG_ENV_IS_IN_DATAFLASH | #undef |
| Boot-Consoles-Variables-5 | CONFIG_ENV_IS_IN_FAT | #undef |
| Boot-Consoles-Variables-6 | CONFIG_ENV_IS_IN_NAND | #undef |
| Boot-Consoles-Variables-7 | CONFIG_ENV_IS_IN_NVRAM | #undef |
| Boot-Consoles-Variables-8 | CONFIG_ENV_IS_IN_ONENAND | #undef |
| Boot-Consoles-Variables-9 | CONFIG_ENV_IS_IN_SPI_FLASH | #undef |
| Boot-Consoles-Variables-10 | CONFIG_ENV_IS_IN_REMOTE | #undef |
| Boot-Consoles-Variables-11 | CONFIG_ENV_IS_IN_UBI | #undef |
| Boot-Consoles-Variables-12 | CONFIG_ENV_IS_NOWHERE | #define |
| Domain | Command name | State |
| --- | --- | --- |
| Boot-Consoles-MemDump-1 | md | Disabled |
| Boot-Consoles-MemDump-2 | mm | Disabled |
| Boot-Consoles-MemDump-3 | nm | Disabled |
| Boot-Consoles-MemDump-4 | mw | Disabled |
| Boot-Consoles-MemDump-5 | cp | Disabled |
| Boot-Consoles-MemDump-6 | mwc | Disabled |
| Boot-Consoles-MemDump-7 | mdc | Disabled |
| Boot-Consoles-MemDump-8 | mtest | Disabled |
| Boot-Consoles-MemDump-9 | loopw | Disabled |
| Domain | Object | Recommendations |
| --- | --- | --- |
| Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control. |
| Domain | Config name | Value |
| --- | --- | --- |
| Kernel-General-kexec-1 | CONFIG_KEXEC | n |
| Kernel-General-IPAutoConf-1 | CONFIG_IP_PNP | n |
| Kernel-General-SysCtl_SysCall-1 | CONFIG_SYSCTL_SYSCALL | n |
| Kernel-General-LegacyLinux-1 | CONFIG_USELIB | n |
| Kernel-General-FirmHelper-1 | CONFIG_FW_LOADER_USER_HELPER | n |
| Kernel-General-PanicOnOOPS-1 | CONFIG_PANIC_ON_OOPS | y |
| Kernel-General-SocketMon-1 | CONFIG_PACKET_DIAG | n |
| Kernel-General-SocketMon-2 | CONFIG_UNIX_DIAG | n |
| Kernel-General-BPF_JIT-1 | CONFIG_BPF_JIT | n |
| Kernel-General-ModuleSigning-1 | CONFIG_MODULE_SIG_FORCE | y |
| Domain | Object | State |
| --- | --- | --- |
| Kernel-General-Drivers-1 | USB | Disabled |
| Kernel-General-Drivers-2 | PCMCIA | Disabled |
| Kernel-General-Drivers-3 | Other hotplug bus | Disabled |
| Domain | Compiler and linker options | State |
| --- | --- | --- |
| Kernel-General-IndependentExec-1 | -pie -fpic | Enable |
| Kernel-General-OverwriteAttacks-1 | -z,relro | Enable |
| Kernel-General-OverwriteAttacks-2 | -z,now | Enable |
| Kernel-General-LibraryLinking-1 | -static | Enable |
| Domain | Config name | Value |
| --- | --- | --- |
| Kernel-Memory-RestrictAccess-1 | CONFIG_DEVKMEM | n |
| Kernel-Memory-CoreDump-1 | CONFIG_PROC_KCORE | n |
| Kernel-Memory-Swap-1 | CONFIG_SWAP | n |
| Kernel-Memory-LoadAllSymbols-1 | CONFIG_KALLSYMS | n |
| Kernel-Memory-LoadAllSymbols-2 | CONFIG_KALLSYMS_ALL | n |
| Kernel-Memory-Stack-1 | CONFIG_CC_STACKPROTECTOR | y |

Other defenses include things like shadow stacks.

| Domain | Config name | Value |
| --- | --- | --- |
| Kernel-Memory-Access-1 | CONFIG_DEVMEM | n |
| Kernel-Memory-CrossMemAttach-1 | CROSS_MEMORY_ATTACH | n |
| Domain | Compiler and linker options | State |
| --- | --- | --- |
| Kernel-Memory-StackSmashing-1 | -fstack-protector-all | Enable |
| Domain | Compiler and linker options | Value |
| --- | --- | --- |
| Kernel-Memory-BufferOverflows-1 | -D_FORTIFY_SOURCE | 2 |
| Domain | Config name | Value |
| --- | --- | --- |
| Kernel-Consoles-Serial-1 | CONFIG_SERIAL_8250 | n |
| Kernel-Consoles-Serial-2 | CONFIG_SERIAL_8250_CONSOLE | n |
| Kernel-Consoles-Serial-3 | CONFIG_SERIAL_CORE | n |
| Kernel-Consoles-Serial-4 | CONFIG_SERIAL_CORE_CONSOLE | n |
| Kernel-Consoles-CommandLine-1 | CONFIG_CMDLINE_BOOL | y |
| Kernel-Consoles-CommandLine-2 | CONFIG_CMDLINE | "insert kernel command line here" |
| Kernel-Consoles-CommandLine-3 | CONFIG_CMDLINE_OVERRIDE | y |
| Kernel-Consoles-KDBG-1 | CONFIG_KGDB | n |
| Kernel-Consoles-SysRQ-1 | CONFIG_MAGIC_SYSRQ | n |
| Kernel-Consoles-BinaryFormat-1 | CONFIG_BINFMT_MISC | n |
| Kernel-Debug-Symbols-1 | CONFIG_DEBUG_INFO | n |
| Kernel-Debug-Kprobes-1 | CONFIG_KPROBES | n |
| Kernel-Debug-Tracing-1 | CONFIG_FTRACE | n |
| Kernel-Debug-Profiling-1 | CONFIG_OPROFILE | n |
| Kernel-Debug-Profiling-2 | CONFIG_PROFILING | n |
| Kernel-Debug-Dev-1 | CONFIG_DEBUG_KERNEL | n |
| Kernel-Debug-Dev-2 | CONFIG_EMBEDDED | n |
| Kernel-Debug-FileSystem-1 | CONFIG_DEBUG_FS | n |
| Kernel-Debug-BUG-1 | CONFIG_BUG | n |
| Kernel-Debug-CoreDumps-1 | CONFIG_COREDUMP | n |
| Domain | File name | Value |
| --- | --- | --- |
| Kernel-Debug-AdressDisplay-1 | /proc/sys/kernel/kptr_restrict | 1 |
| Domain | File or directory name | State |
| --- | --- | --- |
| Kernel-Debug-AdressDisplay-1 | /boot/vmlinuz* | Readable only by the root user |
| Kernel-Debug-AdressDisplay-2 | /boot/* | Readable only by the root user |
| Kernel-Debug-AdressDisplay-3 | /sys/kernel/debug/ | Readable only by the root user |
| Kernel-Debug-AdressDisplay-4 | /proc/slabinfo | Readable only by the root user |
| Domain | File name | Value |
| --- | --- | --- |
| Kernel-Debug-DMESG-1 | /proc/sys/kernel/dmesg_restrict | 1 |
| Domain | Config name | Value |
| --- | --- | --- |
| Kernel-Debug-Config-1 | CONFIG_IKCONFIG | n |
| Kernel-FileSystems-NFS-1 | CONFIG_NFSD | n |
| Kernel-FileSystems-NFS-2 | CONFIG_NFS_FS | n |
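As an added example (not part of the AGL blueprint or its tooling), the following Python script audits a kernel `.config` against a subset of the Kernel-* values from the tables above and reports every deviation; the `.config` text embedded in it is constructed for illustration.

```python
"""Audit a Linux kernel .config against the Kernel-* rows above.
Added example, not AGL tooling; the sample .config is constructed."""
import re

# Expected values copied from the tables on this page (subset).
EXPECTED = {
    "CONFIG_KEXEC": "n", "CONFIG_IP_PNP": "n", "CONFIG_USELIB": "n",
    "CONFIG_PANIC_ON_OOPS": "y", "CONFIG_BPF_JIT": "n",
    "CONFIG_MODULE_SIG_FORCE": "y", "CONFIG_DEVKMEM": "n",
    "CONFIG_DEVMEM": "n", "CONFIG_SWAP": "n", "CONFIG_KALLSYMS": "n",
    "CONFIG_CC_STACKPROTECTOR": "y", "CONFIG_MAGIC_SYSRQ": "n",
    "CONFIG_DEBUG_FS": "n", "CONFIG_IKCONFIG": "n", "CONFIG_NFS_FS": "n",
}

def parse_config(text):
    """Map CONFIG_* symbols to 'y', 'm', 'n' or a literal value.
    Kconfig writes a disabled option as '# CONFIG_FOO is not set'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
            continue
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def audit(text, expected=EXPECTED):
    """Return sorted (symbol, expected, actual) triples that deviate.
    A symbol absent from .config is treated as 'n' (not selected);
    'm' (module) is a deviation from 'n' because the code still ships."""
    opts = parse_config(text)
    return sorted((sym, want, opts.get(sym, "n"))
                  for sym, want in expected.items()
                  if opts.get(sym, "n") != want)

SAMPLE_CONFIG = """\
# Constructed sample, not a real AGL build
CONFIG_KEXEC=y
# CONFIG_IP_PNP is not set
CONFIG_PANIC_ON_OOPS=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_DEVMEM=y
# CONFIG_SWAP is not set
CONFIG_MAGIC_SYSRQ=y
CONFIG_NFS_FS=m
"""
```

Run `audit(open(".config").read())` on a real build; kernels from 4.18 onward spell the stack-protector option CONFIG_STACKPROTECTOR, so adjust the expected table to the kernel version in use.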
| Domain | Partition | Value |
| --- | --- | --- |
| Kernel-FileSystems-Mount-1 | /boot | nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-2 | /var & /tmp | In /etc/fstab or vfstab, add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-3 | Non-root local | If type is ext2 or ext3 and mount point is not '/', add nodev. |
| Kernel-FileSystems-Mount-4 | Removable storage | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-5 | Temporary storage | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-6 | /dev/shm | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-7 | /dev | Add nosuid and noexec. |
| Domain | Config name | State or Value |
| --- | --- | --- |
| Kernel-FileSystems-Mount-1 | CONFIG_DEVTMPFS_MOUNT | Disabled, or add a remount with noexec and nosuid to system startup. |
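As an added example (not AGL's own tooling), this Python script checks `/etc/fstab` entries against the Kernel-FileSystems-Mount rows above, including the ext2/ext3 nodev rule for non-root mounts; the fstab text it embeds is constructed.

```python
"""Check /etc/fstab entries against the Kernel-FileSystems-Mount rows.
Added example, not AGL tooling; the fstab text below is constructed."""

# Required options per mount point, as listed in the table on this page.
REQUIRED = {
    "/boot": {"nosuid", "nodev", "noexec"},
    "/var": {"nosuid", "nodev", "noexec"},
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/dev/shm": {"nosuid", "nodev", "noexec"},
    "/dev": {"nosuid", "noexec"},
}

def parse_fstab(text):
    """Yield (device, mountpoint, fstype, set-of-options) per entry,
    skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry; a production tool should flag it
        dev, mnt, fstype, opts = fields[:4]
        yield dev, mnt, fstype, set(opts.split(","))

def audit_fstab(text):
    """Return {mountpoint: sorted list of missing options}. Applies the
    explicit rows plus Kernel-FileSystems-Mount-3: non-root ext2/ext3
    mounts need nodev."""
    missing = {}
    for dev, mnt, fstype, opts in parse_fstab(text):
        need = set(REQUIRED.get(mnt, set()))
        if mnt != "/" and fstype in ("ext2", "ext3"):
            need.add("nodev")
        lack = need - opts
        if lack:
            missing[mnt] = sorted(lack)
    return missing

SAMPLE_FSTAB = """\
# constructed sample, not a real AGL image
/dev/mmcblk0p1  /boot  ext4   defaults,nosuid,nodev,noexec  0 2
/dev/mmcblk0p2  /      ext4   defaults                      0 1
/dev/mmcblk0p3  /var   ext4   defaults,nosuid               0 2
tmpfs           /tmp   tmpfs  nosuid,nodev,noexec           0 0
/dev/mmcblk0p4  /data  ext3   defaults                      0 2
"""
```

Note that `devtmpfs` mounted by the kernel (CONFIG_DEVTMPFS_MOUNT) never appears in fstab, so the /dev remount must be verified separately, for example from the live `/proc/mounts`.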
| Domain | Label name | Recommendations |
| --- | --- | --- |
| Kernel-MAC-Floor-1 | ^ | Only for privileged system services. |
| Kernel-MAC-Floor-2 | * | Used for device files or /tmp; access restriction via DAC. |
| Domain | Label name | Recommendations |
| --- | --- | --- |
| Kernel-MAC-System-1 | System | Process should write only to files with the transmute attribute. |
| Kernel-MAC-System-2 | System::run | Files are created with the directory label from the user and system domain (transmute). Lock is implicit with w. |
| Kernel-MAC-System-3 | System::Shared | Files are created with the directory label from the system domain (transmute). The user domain has the locked privilege. |
| Kernel-MAC-System-4 | System::Log | Some limitations may require adding w to enable append. |
| Kernel-MAC-System-5 | System::Sub | Isolation of risky subsystems. |
| Kernel-MAC-System-1 | User::Pkg::$AppID | Only one label is allowed per app. A data directory is created by the AppFw in rwx mode. |
| Kernel-MAC-System-2 | User::Home | AppFw needs to create a directory in /home/$USER/App-Shared at first launch if not present; the label for app-data access is User::App-Shared, without transmute. |
| Kernel-MAC-System-3 | User::App-Shared | Shared space between all apps running for a given user. |
| Domain | Object | Recommendations |
| --- | --- | --- |
| Platform-SystemD-1 | Security model | Use namespaces for containerization. |
| Platform-SystemD-2 | Security model | Use cgroups to organise processes. |
| Platform-DBus-1 | Security model | Use D-Bus as IPC. |
| Platform-DBus-2 | Security model | Apply D-Bus security patches: D-Bus CVE |
| Domain | Tool name | State |
| --- | --- | --- |
| Platform-Utilities-1 | connman | Used as a connection manager. |
| Platform-Utilities-2 | bluez | Used as a Bluetooth manager. |
| Platform-Utilities-3 | gstreamer | Used to manage multimedia file formats. |
| Platform-Utilities-4 | alsa | Used to provide an API for sound card device drivers. |
| Domain | Object | Recommendations |
| --- | --- | --- |
| Platform-AGLFw-AppFw-1 | Security model | Use the AppFw as security model. |
| Platform-AGLFw-Cynara-1 | Permissions | Use Cynara as policy-checker service. |
| Domain | Tool name | State |
| --- | --- | --- |
| Platform-Utilities-1 | busybox | Used to provide a number of tools. Do not compile development tools. |
| Domain | Utility name and normal path | State |
| --- | --- | --- |
| Platform-Utilities-1 | chgrp in /bin/chgrp | Disabled |
| Platform-Utilities-2 | chmod in /bin/chmod | Disabled |
| Platform-Utilities-3 | chown in /bin/chown | Disabled |
| Platform-Utilities-4 | dmesg in /bin/dmesg | Disabled |
| Platform-Utilities-5 | dnsdomainname in /bin/dnsdomainname | Disabled |
| Platform-Utilities-6 | dropbear; remove "dropbear" from /etc/init.d/rcs | Disabled |
| Platform-Utilities-7 | Editors (vi) in /bin/vi | Disabled |
| Platform-Utilities-8 | find in /bin/find | Disabled |
| Platform-Utilities-9 | gdbserver in /bin/gdbserver | Disabled |
| Platform-Utilities-10 | hexdump in /bin/hexdump | Disabled |
| Platform-Utilities-11 | hostname in /bin/hostname | Disabled |
| Platform-Utilities-12 | install in /bin/install | Disabled |
| Platform-Utilities-13 | iostat in /bin/iostat | Disabled |
| Platform-Utilities-14 | killall in /bin/killall | Disabled |
| Platform-Utilities-15 | klogd in /sbin/klogd | Disabled |
| Platform-Utilities-16 | logger in /bin/logger | Disabled |
| Platform-Utilities-17 | lsmod in /sbin/lsmod | Disabled |
| Platform-Utilities-18 | pmap in /bin/pmap | Disabled |
| Platform-Utilities-19 | ps in /bin/ps | Disabled |
| Platform-Utilities-20 | ps in /bin/ps | Disabled |
| Platform-Utilities-21 | rpm in /bin/rpm | Disabled |
| Platform-Utilities-22 | SSH | Disabled |
| Platform-Utilities-23 | stbhotplug in /sbin/stbhotplug | Disabled |
| Platform-Utilities-24 | strace in /bin/trace | Disabled |
| Platform-Utilities-25 | su in /bin/su | Disabled |
| Platform-Utilities-26 | syslogd (logger) in /bin/logger | Disabled |
| Platform-Utilities-27 | top in /bin/top | Disabled |
| Platform-Utilities-28 | UART in /proc/tty/driver/ | Disabled |
| Platform-Utilities-29 | which in /bin/which | Disabled |
| Platform-Utilities-30 | who and whoami in /bin/whoami | Disabled |
| Platform-Utilities-31 | awk (busybox) | Enabled |
| Platform-Utilities-32 | cut (busybox) | Enabled |
| Platform-Utilities-33 | df (busybox) | Enabled |
| Platform-Utilities-34 | echo (busybox) | Enabled |
| Platform-Utilities-35 | fdisk (busybox) | Enabled |
| Platform-Utilities-36 | grep (busybox) | Enabled |
| Platform-Utilities-37 | mkdir (busybox) | Enabled |
| Platform-Utilities-38 | mount (vfat) (busybox) | Enabled |
| Platform-Utilities-39 | printf (busybox) | Enabled |
| Platform-Utilities-40 | sed in /bin/sed (busybox) | Enabled |
| Platform-Utilities-41 | tail (busybox) | Enabled |
| Platform-Utilities-42 | tee (busybox) | Enabled |
| Platform-Utilities-43 | test (busybox) | Enabled |
| Domain | Object | Recommendations |
| --- | --- | --- |
| Platform-Users-root-1 | Main application | Should not execute as root. |
| Platform-Users-root-2 | UI | Should run in the context of a user with no capabilities. |
| Domain | Utility name | State |
| --- | --- | --- |
| Platform-Users-root-3 | login | Not allowed |
| Platform-Users-root-4 | su | Not allowed |
| Platform-Users-root-5 | ssh | Not allowed |
| Platform-Users-root-6 | scp | Not allowed |
| Platform-Users-root-7 | sftp | Not allowed |
| Domain | Object | Recommendations |
| --- | --- | --- |
| Application-Installation-1 | AppFw | Provide an offline mode in order to install apps with the base image. |
| Application-Installation-2 | Integrity | Allow the installation of applications only if their integrity is verified. |
| Domain | Tech name | Recommendations |
| --- | --- | --- |
| Connectivity-BusAndConnector-Bus-1 | CAN | Implement a hardware solution in order to prohibit sending unwanted signals. |
| Connectivity-BusAndConnector-Connectors-1 | USB | Must be disabled. If not, only enable the minimum required USB devices. |
| Connectivity-BusAndConnector-Connectors-2 | USB | Confidential data exchanged with the ECU over USB must be secured. |
| Connectivity-BusAndConnector-Connectors-3 | USB | USB boot on an ECU must be disabled. |
| Connectivity-BusAndConnector-Connectors-4 | OBD-II | Must be disabled outside garages. |
| Domain | Object | Recommendations |
| --- | --- | --- |
| Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels. |
| Domain | Tech name or object | Recommendations |
| --- | --- | --- |
| Connectivity-Wireless-Wifi-1 | WEP, PSK, TKIP | Disabled |
| Connectivity-Wireless-Wifi-2 | WPA2 and AES-CCMP | Used |
| Connectivity-Wireless-Wifi-3 | WPA2 | Should protect against data sniffing. |
| Connectivity-Wireless-Wifi-4 | PSK | Change the password regularly. |
| Connectivity-Wireless-Wifi-5 | Device | Easily upgradable in software or firmware to receive the latest security updates. |
| Domain | Tech name | Recommendations |
| --- | --- | --- |
| Connectivity-Wireless-Bluetooth-1 | BLE | Use with caution. |
| Connectivity-Wireless-Bluetooth-2 | Bluetooth | Monitoring |
| Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works" association model. |
| Connectivity-Wireless-Bluetooth-4 | Visibility | Configured by default as undiscoverable, except when needed. |
| Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute-force attacks. |
| Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid |
| Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against jamming. |
| Connectivity-Wireless-Radio-1 | RDS | Only audio output and metadata concerning radio. |
| Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks. |
| Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles. |
| Domain | Object | Recommendations |
| --- | --- | --- |
| Application-Cloud-Download-1 | Authentication | Must implement an authentication process. |
| Application-Cloud-Download-2 | Authorization | Must implement an authorization process. |
| Application-Cloud-Infrastructure-1 | Packet | Should implement DPI. |
| Application-Cloud-Infrastructure-2 | DoS | Must implement DoS protection. |
| Application-Cloud-Infrastructure-3 | Test | Should implement scanning tools like SAST and DAST. |
| Application-Cloud-Infrastructure-4 | Log | Should implement security tools (IDS and IPS). |
| Application-Cloud-Infrastructure-5 | App integrity | Applications must be signed by the code signing authority. |
| Domain | Object | Recommendations |
| --- | --- | --- |
| Application-Cloud-Transport-1 | Integrity, confidentiality and legitimacy | Should implement IPsec standards. |
| Update-FOTA-1 | Integrity, confidentiality and legitimacy | Must be secure. |