The first part summarizes all the configurations you must implement, without
explanations, since the explanations are given throughout the document.
The config tag quickly identifies the configurations and the recommendations
to apply.
The note tag lets you add some additional details.
The todo tag shows the possible improvements.
The second part lets you view all the todo notes together, to get an overall
view of the possible improvements to the document.
Config notes
| Domain | Object | Recommendations |
|---|---|---|
| Hardware-Integrity-1 | Bootloader | Must control bootloader integrity. |
| Hardware-Integrity-2 | Board | Must use an HSM. |
| Hardware-Integrity-3 | RTC | Must not be alterable. |

| Domain | Object | Recommendations |
|---|---|---|
| Hardware-Certificate-1 | System | Shall allow storing dedicated certificates. |
| Hardware-Certificate-2 | ECU | The ECU must verify the certification authority hierarchy. |
| Hardware-Certificate-3 | System | Allow the modification of certificates only if the source can be authenticated by a certificate already stored or in the higher levels of the chain of trust. |

| Domain | Object | Recommendations |
|---|---|---|
| Hardware-Memory-1 | ECU | The ECU shall never expose the unencrypted key in RAM when using cryptographic keys. |
| Hardware-Memory-2 | Bootloader | Internal NVM only. |
| Hardware-Module-3 | - | HSM must be used to secure keys. |
| Domain | Variable / Config name | Value |
|---|---|---|
| Boot-Image-Selection-1 | CONFIG_BOOTDELAY | -2 |
| Boot-Image-Selection-2 | bootdelay | -2 |

| Domain | Config name | State |
|---|---|---|
| Boot-Image-Authenticity-1 | CONFIG_FIT | Enable |
| Boot-Image-Authenticity-2 | CONFIG_FIT_SIGNATURE | Enable |
| Boot-Image-Authenticity-3 | CONFIG_RSA | Enable |
| Boot-Image-Authenticity-4 | CONFIG_OF_CONTROL | Enable |
| Boot-Image-Authenticity-5 | CONFIG_OF_SEPARATE | Enable |
| Boot-Image-Authenticity-6 | CONFIG_DEFAULT_DEVICE_TREE | Enable |
| Domain | Communication modes | State |
|---|---|---|
| Boot-Communication-1 | USB | Disabled and compiled out if not required. |
| Boot-Communication-2 | USB | Otherwise, the kernel should be configured to enable only the minimum required USB devices, and filesystems should be treated with special care. |
| Boot-Communication-3 | Ethernet | Disabled |
| Boot-Communication-4 | U-boot and sboot DOCSIS | Disabled |
| Boot-Communication-5 | Serial ports | Disabled |

| Domain | Config name | State |
|---|---|---|
| Boot-Communication-USB-1 | CONFIG_CMD_USB | Not defined |
| Boot-Communication-USB-2 | CONFIG_USB_UHCI | Not defined |
| Boot-Communication-USB-3 | CONFIG_USB_KEYBOARD | Not defined |
| Boot-Communication-USB-4 | CONFIG_USB_STORAGE | Not defined |
| Boot-Communication-USB-5 | CONFIG_USB_HOST_ETHER | Not defined |

| Domain | Communication modes | State |
|---|---|---|
| Boot-Communication-1 | Network interfaces | Preferably, no network interface is allowed; otherwise, restrict the services to those used. |

| Domain | Object | Recommendations |
|---|---|---|
| Boot-Communication-1 | Services, ports and devices | Restrict the services, ports and devices to those used. |

| Domain | Command name | State |
|---|---|---|
| Boot-Communication-Flash-1 | do_nand | Disable |
| Domain | Config name | Value |
|---|---|---|
| Boot-Consoles-Serial-1 | CONFIG_SILENT_CONSOLE | Disable |
| Boot-Consoles-Serial-2 | CONFIG_SYS_DEVICE_NULLDEV | Disable |
| Boot-Consoles-Serial-3 | CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC | Disable |

| Domain | Environment variable name | State |
|---|---|---|
| Boot-Consoles-Serial-1 | INC_DEBUG_PRINT | Not defined |

| Domain | Config name | State |
|---|---|---|
| Boot-Consoles-Variables-1 | CONFIG_ENV_IS_IN_MMC | #undef |
| Boot-Consoles-Variables-2 | CONFIG_ENV_IS_IN_EEPROM | #undef |
| Boot-Consoles-Variables-3 | CONFIG_ENV_IS_IN_FLASH | #undef |
| Boot-Consoles-Variables-4 | CONFIG_ENV_IS_IN_DATAFLASH | #undef |
| Boot-Consoles-Variables-5 | CONFIG_ENV_IS_IN_FAT | #undef |
| Boot-Consoles-Variables-6 | CONFIG_ENV_IS_IN_NAND | #undef |
| Boot-Consoles-Variables-7 | CONFIG_ENV_IS_IN_NVRAM | #undef |
| Boot-Consoles-Variables-8 | CONFIG_ENV_IS_IN_ONENAND | #undef |
| Boot-Consoles-Variables-9 | CONFIG_ENV_IS_IN_SPI_FLASH | #undef |
| Boot-Consoles-Variables-10 | CONFIG_ENV_IS_IN_REMOTE | #undef |
| Boot-Consoles-Variables-11 | CONFIG_ENV_IS_IN_UBI | #undef |
| Boot-Consoles-Variables-12 | CONFIG_ENV_IS_NOWHERE | #define |
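Added example (not from the original document nor from U-Boot itself): a small Python audit that reads a U-Boot board configuration header and compares the preprocessor state of the symbols listed in the Boot-Image-Authenticity, Boot-Communication-USB and Boot-Consoles-Variables tables above against the expected state ("Enable"/"#define" means defined, "Not defined"/"#undef" means undefined). The header text and the helper names (`header_symbol_states`, `audit_board_header`) are constructed for this illustration; it assumes a self-contained header and does not follow `#include` lines.

```python
import re
import sys

DEFINED = "defined"
UNDEFINED = "undefined"

# Expected preprocessor state of board-header symbols, taken from the
# Boot-* tables above (a representative subset, not the full list).
EXPECTED = {
    "CONFIG_FIT": DEFINED,
    "CONFIG_FIT_SIGNATURE": DEFINED,
    "CONFIG_RSA": DEFINED,
    "CONFIG_OF_CONTROL": DEFINED,
    "CONFIG_CMD_USB": UNDEFINED,
    "CONFIG_USB_STORAGE": UNDEFINED,
    "CONFIG_USB_HOST_ETHER": UNDEFINED,
    "CONFIG_ENV_IS_IN_MMC": UNDEFINED,
    "CONFIG_ENV_IS_IN_NAND": UNDEFINED,
    "CONFIG_ENV_IS_IN_SPI_FLASH": UNDEFINED,
    "CONFIG_ENV_IS_NOWHERE": DEFINED,
}

# Matches "#define CONFIG_X ..." and "#undef CONFIG_X", tolerating spaces.
DIRECTIVE_RE = re.compile(r"^\s*#\s*(define|undef)\s+(CONFIG_[A-Z0-9_]+)\b")


def header_symbol_states(text):
    """Walk the header top to bottom; the last directive for a symbol wins,
    which is what the preprocessor does with a #define followed by #undef.
    Assumption: the header is self-contained (#include lines are not followed)."""
    states = {}
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            states[m.group(2)] = DEFINED if m.group(1) == "define" else UNDEFINED
    return states


def audit_board_header(text, expected=EXPECTED):
    """Return {symbol: (expected, actual)} for every deviation.
    A symbol never mentioned is undefined to the preprocessor, which satisfies
    the 'Not defined' and '#undef' rows but not the 'Enable'/'#define' rows."""
    states = header_symbol_states(text)
    findings = {}
    for symbol, want in expected.items():
        got = states.get(symbol, UNDEFINED)
        if got != want:
            findings[symbol] = (want, got)
    return findings


# Constructed sample header, not a real U-Boot include/configs file.
SAMPLE_HEADER = """\
/* constructed sample board header */
#define CONFIG_FIT
#define CONFIG_FIT_SIGNATURE
#define CONFIG_RSA
#define CONFIG_OF_CONTROL
#define CONFIG_CMD_USB
#define CONFIG_USB_STORAGE
#define CONFIG_ENV_IS_IN_MMC
#undef  CONFIG_ENV_IS_IN_MMC
#define CONFIG_ENV_IS_NOWHERE
"""

if __name__ == "__main__":
    # Usage: python audit_uboot_header.py include/configs/<board>.h
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HEADER
    for symbol, (want, got) in sorted(audit_board_header(text).items()):
        print(f"{symbol}: expected {want}, found {got}")
```

On the constructed sample the audit reports `CONFIG_CMD_USB` and `CONFIG_USB_STORAGE` as defined where the tables want them undefined, while the `#define`/`#undef` pair for `CONFIG_ENV_IS_IN_MMC` resolves to undefined as the preprocessor would. On recent U-Boot versions many of these symbols have moved from the board header to Kconfig, so the same check has to read the `.config` (`CONFIG_X=y` / `# CONFIG_X is not set`) instead.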
| Domain | Command name | State |
|---|---|---|
| Boot-Consoles-MemDump-1 | md | Disabled |
| Boot-Consoles-MemDump-2 | mm | Disabled |
| Boot-Consoles-MemDump-3 | nm | Disabled |
| Boot-Consoles-MemDump-4 | mw | Disabled |
| Boot-Consoles-MemDump-5 | cp | Disabled |
| Boot-Consoles-MemDump-6 | mwc | Disabled |
| Boot-Consoles-MemDump-7 | mdc | Disabled |
| Boot-Consoles-MemDump-8 | mtest | Disabled |
| Boot-Consoles-MemDump-9 | loopw | Disabled |
| Domain | Config name | Value |
|---|---|---|
| Kernel-General-MAC-1 | CONFIG_IP_NF_SECURITY | m |
| Kernel-General-MAC-2 | CONFIG_IP6_NF_SECURITY | m |
| Kernel-General-MAC-3 | CONFIG_EXT2_FS_SECURITY | y |
| Kernel-General-MAC-4 | CONFIG_EXT3_FS_SECURITY | y |
| Kernel-General-MAC-5 | CONFIG_EXT4_FS_SECURITY | y |
| Kernel-General-MAC-6 | CONFIG_SECURITY | y |
| Kernel-General-MAC-7 | CONFIG_SECURITY_SMACK | y |
| Kernel-General-MAC-8 | CONFIG_TMPFS_XATTR | y |

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-kexec-1 | CONFIG_KEXEC | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-IPAutoConf-1 | CONFIG_IP_PNP | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-SysCtl_SysCall-1 | CONFIG_SYSCTL_SYSCALL | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-LegacyLinux-1 | CONFIG_USELIB | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-FirmHelper-1 | CONFIG_FW_LOADER_USER_HELPER | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-PanicOnOOPS-1 | CONFIG_PANIC_ON_OOPS | y |

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-SocketMon-1 | CONFIG_PACKET_DIAG | n |
| Kernel-General-SocketMon-2 | CONFIG_UNIX_DIAG | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-BPF_JIT-1 | CONFIG_BPF_JIT | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-ModuleSigning-1 | CONFIG_MODULE_SIG_FORCE | y |

| Domain | Variable name | Value |
|---|---|---|
| Kernel-General-ModuleSigning-2 | kernel.modules_disabled | 1 |
| Domain | Object | State |
|---|---|---|
| Kernel-General-Drivers-1 | USB | Disabled |
| Kernel-General-Drivers-2 | PCMCIA | Disabled |
| Kernel-General-Drivers-3 | Other hotplug bus | Disabled |

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-General-IndependentExec-1 | -pie -fpic | Enable |

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-General-OverwriteAttacks-1 | -z,relro | Enable |
| Kernel-General-OverwriteAttacks-2 | -z,now | Enable |

| Domain | Object | Recommendations |
|---|---|---|
| Kernel-General-LibraryLinking-1 | Dynamic linking | Should generally not be allowed. |
| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-RestrictAccess-1 | CONFIG_DEVKMEM | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-CoreDump-1 | CONFIG_PROC_KCORE | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-Swap-1 | CONFIG_SWAP | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-LoadAllSymbols-1 | CONFIG_KALLSYMS | n |
| Kernel-Memory-LoadAllSymbols-2 | CONFIG_KALLSYMS_ALL | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-Stack-1 | CONFIG_CC_STACKPROTECTOR | y |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-Access-1 | CONFIG_DEVMEM | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-CrossMemAttach-1 | CROSS_MEMORY_ATTACH | n |

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-Memory-StackSmashing-1 | -fstack-protector-all | Enable |

| Domain | Compiler options and config name | Value |
|---|---|---|
| Kernel-Memory-BufferOverflows-1 | -D_FORTIFY_SOURCE | 2 |
| Kernel-Memory-BufferOverflows-2 | CONFIG_FORTIFY_SOURCE | y |
| Domain | Config name | Value |
|---|---|---|
| Kernel-Consoles-Serial-1 | CONFIG_SERIAL_8250 | n |
| Kernel-Consoles-Serial-2 | CONFIG_SERIAL_8250_CONSOLE | n |
| Kernel-Consoles-Serial-3 | CONFIG_SERIAL_CORE | n |
| Kernel-Consoles-Serial-4 | CONFIG_SERIAL_CORE_CONSOLE | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Consoles-CommandLine-1 | CONFIG_CMDLINE_BOOL | y |
| Kernel-Consoles-CommandLine-2 | CONFIG_CMDLINE | "insert kernel command line here" |
| Kernel-Consoles-CommandLine-3 | CONFIG_CMDLINE_OVERRIDE | y |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Consoles-KDBG-1 | CONFIG_KGDB | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Consoles-SysRQ-1 | CONFIG_MAGIC_SYSRQ | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Consoles-BinaryFormat-1 | CONFIG_BINFMT_MISC | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-Symbols-1 | CONFIG_DEBUG_INFO | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-Kprobes-1 | CONFIG_KPROBES | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-Tracing-1 | CONFIG_FTRACE | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-Profiling-1 | CONFIG_OPROFILE | n |
| Kernel-Debug-Profiling-2 | CONFIG_PROFILING | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-OOPSOnBUG-1 | CONFIG_DEBUG_BUGVERBOSE | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-Dev-1 | CONFIG_DEBUG_KERNEL | n |
| Kernel-Debug-Dev-2 | CONFIG_EMBEDDED | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-FileSystem-1 | CONFIG_DEBUG_FS | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-BUG-1 | CONFIG_BUG | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-CoreDumps-1 | CONFIG_COREDUMP | n |
| Domain | File name | Value |
|---|---|---|
| Kernel-Debug-AdressDisplay-1 | /proc/sys/kernel/kptr_restrict | 1 |

| Domain | File or directory name | State |
|---|---|---|
| Kernel-Debug-AdressDisplay-1 | /boot/vmlinuz* | Readable only by the root user |
| Kernel-Debug-AdressDisplay-2 | /boot/System.map* | Readable only by the root user |
| Kernel-Debug-AdressDisplay-3 | /sys/kernel/debug/ | Readable only by the root user |
| Kernel-Debug-AdressDisplay-4 | /proc/slabinfo | Readable only by the root user |

| Domain | File name | Value |
|---|---|---|
| Kernel-Debug-DMESG-1 | /proc/sys/kernel/dmesg_restrict | 1 |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-Config-1 | CONFIG_IKCONFIG | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-FileSystems-NFS-1 | CONFIG_NFSD | n |
| Kernel-FileSystems-NFS-2 | CONFIG_NFS_FS | n |
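Added example (not part of the original document): a Python checker that parses a Linux kernel `.config` and reports every Kconfig symbol from the Kernel-* tables above whose value deviates from the recommended one. The sample `.config` text and the function names (`parse_kconfig`, `audit_kconfig`) are constructed for this illustration, and the symbol list is a representative subset of the tables rather than all of them.

```python
import re
import sys

# Recommended values copied from the Kernel-* tables above (subset).
# 'n' corresponds to "# CONFIG_X is not set" in a .config file.
RECOMMENDED = {
    "CONFIG_SECURITY": "y",
    "CONFIG_SECURITY_SMACK": "y",
    "CONFIG_IP_NF_SECURITY": "m",
    "CONFIG_KEXEC": "n",
    "CONFIG_IP_PNP": "n",
    "CONFIG_MODULE_SIG_FORCE": "y",
    "CONFIG_DEVKMEM": "n",
    "CONFIG_DEVMEM": "n",
    "CONFIG_PROC_KCORE": "n",
    "CONFIG_SWAP": "n",
    "CONFIG_KALLSYMS": "n",
    "CONFIG_CC_STACKPROTECTOR": "y",
    "CONFIG_FORTIFY_SOURCE": "y",
    "CONFIG_MAGIC_SYSRQ": "n",
    "CONFIG_KGDB": "n",
    "CONFIG_DEBUG_FS": "n",
    "CONFIG_COREDUMP": "n",
    "CONFIG_IKCONFIG": "n",
    "CONFIG_NFSD": "n",
    "CONFIG_NFS_FS": "n",
}

SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_kconfig(text):
    """Map symbol -> value ('y', 'm', 'n' or a string/number for other types).
    The '# CONFIG_X is not set' comment is the way .config spells 'n'."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            values[m.group(1)] = "n"
    return values


def audit_kconfig(text, recommended=RECOMMENDED):
    """Return {symbol: (expected, actual)} for every deviation.
    A symbol missing from .config is reported as 'absent' when the tables
    want it enabled: Kconfig drops symbols whose dependencies are unmet or
    that this kernel version no longer knows, so a human must decide whether
    the protection is really present. An absent symbol that should be 'n'
    is accepted, since it cannot be built."""
    values = parse_kconfig(text)
    findings = {}
    for symbol, expected in recommended.items():
        actual = values.get(symbol, "absent")
        if actual == "absent" and expected == "n":
            continue
        if actual != expected:
            findings[symbol] = (expected, actual)
    return findings


# Constructed sample, not a real AGL .config.
SAMPLE_CONFIG = """\
# Constructed sample .config
CONFIG_SECURITY=y
CONFIG_SECURITY_SMACK=y
CONFIG_IP_NF_SECURITY=m
CONFIG_KEXEC=y
# CONFIG_IP_PNP is not set
CONFIG_MODULE_SIG_FORCE=y
# CONFIG_DEVKMEM is not set
CONFIG_DEVMEM=y
# CONFIG_PROC_KCORE is not set
# CONFIG_SWAP is not set
CONFIG_KALLSYMS=y
CONFIG_CC_STACKPROTECTOR=y
CONFIG_FORTIFY_SOURCE=y
# CONFIG_MAGIC_SYSRQ is not set
# CONFIG_KGDB is not set
CONFIG_DEBUG_FS=y
# CONFIG_COREDUMP is not set
# CONFIG_IKCONFIG is not set
# CONFIG_NFSD is not set
CONFIG_CMDLINE="console=ttyS0"
"""

if __name__ == "__main__":
    # Usage: python audit_kconfig.py /path/to/.config
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for symbol, (want, got) in sorted(audit_kconfig(text).items()):
        print(f"{symbol}: expected {want}, found {got}")
```

On the constructed sample the four deviations are `CONFIG_KEXEC`, `CONFIG_DEVMEM`, `CONFIG_KALLSYMS` and `CONFIG_DEBUG_FS`, all built in where the tables want them off; `CONFIG_NFS_FS` is not mentioned at all and is accepted because its recommended value is `n`. The sysctl rows (`kernel.modules_disabled`, `kptr_restrict`, `dmesg_restrict`) are runtime values under `/proc/sys` and are not covered by a `.config` check.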
| Domain | Partition | Value |
|---|---|---|
| Kernel-FileSystems-Mount-1 | /boot | nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-2 | /var & /tmp | In /etc/fstab or vfstab, add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-3 | Non-root local | If the type is ext2 or ext3 and the mount point is not '/', add nodev. |
| Kernel-FileSystems-Mount-4 | Removable storage | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-5 | Temporary storage | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-6 | /dev/shm | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-7 | /dev | Add nosuid and noexec. |

| Domain | Config name | State or Value |
|---|---|---|
| Kernel-FileSystems-Mount-1 | CONFIG_DEVTMPFS_MOUNT | Disabled, or add a remount with noexec and nosuid to system startup. |
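Added example (not from the original document): a Python check over the contents of `/etc/fstab` that implements the Kernel-FileSystems-Mount-1, -2, -3, -6 and -7 rules above (nosuid, nodev and noexec on /boot, /var, /tmp and /dev/shm; nosuid and noexec on /dev; nodev on every non-root ext2/ext3 partition). The sample fstab lines and the function names (`parse_fstab`, `audit_fstab`) are constructed for this illustration. Mounts that are not declared in fstab, such as the devtmpfs mount covered by the CONFIG_DEVTMPFS_MOUNT row or units created by the init system, are outside its scope, as are the removable and temporary storage rows, which need knowledge of the device rather than of the mount point.

```python
import sys

# Options each mount point must carry, from the Kernel-FileSystems-Mount table.
REQUIRED = {
    "/boot": {"nosuid", "nodev", "noexec"},
    "/var": {"nosuid", "nodev", "noexec"},
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/dev/shm": {"nosuid", "nodev", "noexec"},
    "/dev": {"nosuid", "noexec"},
}


def parse_fstab(text):
    """Yield (device, mount point, fstype, option set) for each entry,
    skipping comments and blank or truncated lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, opts = fields[:4]
        entries.append((device, mountpoint, fstype, set(opts.split(","))))
    return entries


def audit_fstab(text, required=REQUIRED):
    """Return {mount point: sorted list of missing options}.
    Only mount points present in fstab are judged; the caller must check
    mounts created elsewhere (devtmpfs, init-system units) separately."""
    findings = {}
    for _device, mountpoint, fstype, opts in parse_fstab(text):
        needed = set(required.get(mountpoint, set()))
        # Kernel-FileSystems-Mount-3: non-root ext2/ext3 partitions need nodev.
        if fstype in ("ext2", "ext3") and mountpoint != "/":
            needed.add("nodev")
        missing = needed - opts
        if missing:
            findings[mountpoint] = sorted(missing)
    return findings


# Constructed sample fstab, not taken from a real AGL image.
SAMPLE_FSTAB = """\
# constructed sample fstab
/dev/mmcblk0p1  /         ext4   defaults                       0 1
/dev/mmcblk0p2  /boot     ext2   defaults                       0 2
/dev/mmcblk0p3  /var      ext4   defaults,nosuid,nodev          0 2
tmpfs           /tmp      tmpfs  defaults,nosuid,nodev,noexec   0 0
tmpfs           /dev/shm  tmpfs  defaults,nosuid,nodev,noexec   0 0
/dev/mmcblk0p4  /data     ext3   defaults                       0 2
"""

if __name__ == "__main__":
    # Usage: python audit_fstab.py /etc/fstab
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FSTAB
    for mountpoint, missing in sorted(audit_fstab(text).items()):
        print(f"{mountpoint}: missing {','.join(missing)}")
```

On the constructed sample, /boot lacks all three options, /var lacks noexec, and /data is flagged for nodev by the ext3 rule even though it has no entry of its own in `REQUIRED`; / is left alone because the ext2/ext3 rule explicitly excludes the root mount point.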
| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-Floor-1 | ^ | Only for privileged system services. |
| Kernel-MAC-Floor-2 | * | Used for device files or /tmp; access restriction via DAC. |

| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-System-1 | System | Processes should write only to files with the transmute attribute. |
| Kernel-MAC-System-2 | System::run | Files are created with the directory label from the user and system domains (transmute). Lock is implicit with w. |
| Kernel-MAC-System-3 | System::Shared | Files are created with the directory label from the system domain (transmute). The user domain has locked privilege. |
| Kernel-MAC-System-4 | System::Log | Some limitations may require adding w to enable append. |
| Kernel-MAC-System-5 | System::Sub | Isolation of risky subsystems. |

| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-System-1 | User::Pkg::$AppID | Only one label is allowed per App. A data directory is created by the AppFw in rwx mode. |
| Kernel-MAC-System-2 | User::Home | AppFw needs to create a directory in /home/$USER/App-Shared at first launch if it is not present, with label User::App-Shared for app-data access, without transmute. |
| Kernel-MAC-System-3 | User::App-Shared | Shared space between all Apps running for a given user. |