From Micylou WIKI
Microsoft CBL-Mariner Operating System Security Features
| Category | Element | Status | Description |
|---|---|---|---|
| Networking | Configurable Firewall | By default | iptables |
| Networking | SYN cookies | By default | CONFIG_SYN_COOKIES=y |
| Updates | Signed updates | By default | tdnf, dnf |
| Build options | Built as PIE | By default | -fPIE, -pie |
| Build options | Built with Stack Protector Strong | By default | -fstack-protector, -fstack-protector-strong |
| Build options | Built with Format Security | By default | -Wformat-security |
| Build options | Built with Fortify Source | By default | _FORTIFY_SOURCE |
| Build options | Built with --enable-bind-now | By default | --enable-bind-now |
| Build options | Built with RELRO | By default | relro |
| Address Space Layout Randomization (ASLR) | Stack ASLR | By default | Available in the mainline kernel since 2.6.15 |
| ASLR | Libs/mmap ASLR | By default | Available in the mainline kernel since 2.6.15 |
| ASLR | Exec ASLR | By default | Available in the mainline kernel since 2.6.25 |
| ASLR | brk ASLR | By default | Available in the mainline kernel since 2.6.22 |
| ASLR | VDSO ASLR | By default | Available for x86_64 in the mainline kernel since 2.6.22 |
| Kernel hardening | /proc/$pid/maps protection | By default | Enabled by default since mainline kernel 2.6.27 |
| Kernel hardening | Symlink restrictions | By default | fs.protected_symlinks |
| Kernel hardening | Hardlink restrictions | By default | fs.protected_hardlinks |
| Kernel hardening | 0-address protection | By default | vm.mmap_min_addr |
| Kernel hardening | Kernel Address Display Restriction | By default | kernel.kptr_restrict |
| Kernel hardening | Block module loading | Available | kernel.modules_disabled |
| Kernel hardening | /dev/mem protection | By default | CONFIG_STRICT_DEVMEM=y |
| Kernel hardening | /dev/kmem disabled | By default | CONFIG_DEVKMEM=n |
| Kernel hardening | Kernel Module RO/NX | By default | CONFIG_STRICT_MODULE_RWX=y |
| Kernel hardening | Write-protect kernel .rodata sections | By default | CONFIG_STRICT_KERNEL_RWX=y |
| Kernel hardening | Kernel Stack Protector | By default | CONFIG_STACKPROTECTOR=y |
| gcc/glibc hardening | Overflow checking in new operator | By default | gcc |
| gcc/glibc hardening | Pointer Obfuscation | By default | glibc pointer encryption |
| gcc/glibc hardening | Heap Consistency Checking | By default | glibc Heap Consistency Checking |
| System call filtering | Syscall Filtering (seccomp) | Available | CONFIG_SECCOMP_FILTER=y |
| System call filtering | Seccomp sandbox | Available | PR_SET_SECCOMP |
| Process isolation | Ptrace Mitigation | Available | Yama |
| Process isolation | User namespaces | Available | CONFIG_USER_NS=y |
| Process isolation | Private /tmp for systemd services | Available | PrivateTmp |
| Process isolation | Polyinstantiate /tmp, /var/tmp, and user home folders | Available | namespace.conf |
| Process isolation | Mandatory access control | By default | SELinux |
| Encrypted Storage | Encrypted Volumes | Available | Encrypt during OS installation |
| Miscellaneous | Password hashing | By default | SHA-512 |
| Miscellaneous | Filesystem Capabilities | Available | Capabilities and chattr |
| Miscellaneous | Tamper Resistant Logs | Available | journalctl --verify |
| Miscellaneous | Kernel Lockdown | Integrity mode by default | kernel lockdown |
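The kernel-hardening rows name concrete kernel build options (CONFIG_*) and runtime sysctls, which makes them the part of the table an administrator can verify on a running host. The script below is an added example, not a CBL-Mariner tool: it parses the running kernel's Kconfig (assumed to be at /proc/config.gz or /boot/config-<release>, which is an assumption about the image, not something the table states), reads the listed sysctls from /proc/sys, and grades each against the expectation the table gives. The pass predicates for kernel.kptr_restrict (any non-zero value) and vm.mmap_min_addr (any non-zero floor) are my reading of the "By default" entries, not values the page specifies, and kernel.modules_disabled is reported without grading because the table lists it as "Available" rather than default.

```python
"""Audit the kernel-hardening rows of the CBL-Mariner security-feature table.

Added example; not part of CBL-Mariner. Run as root-less: /proc/sys and the
kernel config are world-readable on most images.
"""
import gzip
import platform
from pathlib import Path

# Build-time options named in the table, with the value the table expects.
EXPECTED_KCONFIG = {
    "CONFIG_SYN_COOKIES": "y",
    "CONFIG_STRICT_DEVMEM": "y",
    "CONFIG_DEVKMEM": "n",
    "CONFIG_STRICT_MODULE_RWX": "y",
    "CONFIG_STRICT_KERNEL_RWX": "y",
    "CONFIG_STACKPROTECTOR": "y",
    "CONFIG_SECCOMP_FILTER": "y",
    "CONFIG_USER_NS": "y",
}

# Runtime sysctls named in the table, each paired with the predicate a value
# must satisfy. The predicates are assumptions from the table's wording:
# kptr_restrict 1 or 2 both hide kernel pointers, and "0-address protection"
# only requires a non-zero mmap_min_addr (the exact floor is distro policy).
EXPECTED_SYSCTL = {
    "fs.protected_symlinks": lambda v: int(v) == 1,
    "fs.protected_hardlinks": lambda v: int(v) == 1,
    "kernel.kptr_restrict": lambda v: int(v) >= 1,
    "vm.mmap_min_addr": lambda v: int(v) > 0,
}


def parse_kernel_config(text):
    """Parse Kconfig output ('CONFIG_X=y', '# CONFIG_X is not set') into a dict.

    Options marked 'is not set' are recorded as 'n' so they compare like set ones.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and line.endswith(" is not set"):
            config[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, _, value = line.partition("=")
            config[key] = value.strip('"')
    return config


def audit_kernel_config(config, expected=EXPECTED_KCONFIG):
    """Return {option: passed}. An option expected 'n' also passes when it is
    absent entirely, since e.g. CONFIG_DEVKMEM no longer exists in recent kernels."""
    results = {}
    for option, want in expected.items():
        have = config.get(option)
        results[option] = have in (None, "n") if want == "n" else have == want
    return results


def audit_sysctls(values, expected=EXPECTED_SYSCTL):
    """Return {sysctl: passed}; a missing or non-numeric value fails closed."""
    results = {}
    for key, ok in expected.items():
        value = values.get(key)
        try:
            results[key] = value is not None and ok(value)
        except ValueError:
            results[key] = False
    return results


def read_sysctl(key, root="/proc/sys"):
    """Read one sysctl through procfs; None if the key does not exist."""
    try:
        return Path(root, *key.split(".")).read_text().strip()
    except OSError:
        return None


def load_running_kernel_config():
    """Locate the running kernel's config (assumed /proc/config.gz or /boot/config-<release>)."""
    gz = Path("/proc/config.gz")
    if gz.exists():
        with gzip.open(gz, "rt") as fh:
            return parse_kernel_config(fh.read())
    boot = Path("/boot", f"config-{platform.release()}")
    if boot.exists():
        return parse_kernel_config(boot.read_text())
    return {}


if __name__ == "__main__":
    kconfig = audit_kernel_config(load_running_kernel_config())
    sysctls = audit_sysctls({k: read_sysctl(k) for k in EXPECTED_SYSCTL})
    for name, passed in {**kconfig, **sysctls}.items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
    # Listed as "Available", not default: report the value without grading it.
    print(f"info  kernel.modules_disabled={read_sysctl('kernel.modules_disabled')}")
```

On a host without an exposed kernel config every CONFIG_ row fails closed, which is the intended behaviour for an audit: absence of evidence is reported as a failure rather than silently skipped, except for the "=n" case where a vanished option is the same as a disabled one.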