DochyJP: DochyJP moved page CBL-Mariner OS Security Features to Microsoft CBL-Mariner OS Security Features without leaving a redirect

2022-04-03T05:58:47Z

DochyJP moved page CBL-Mariner OS Security Features to Microsoft CBL-Mariner OS Security Features without leaving a redirect

DochyJP: /* CBL-Mariner Operating System Security Features */

2022-04-03T05:58:17Z

CBL-Mariner Operating System Security Features

DochyJP: Typing fault update

2022-04-03T05:53:18Z

Typing fault update

DochyJP: Page creation

2022-04-03T05:52:21Z

Page creation

New page

{{Template:Class-Infobox-Generic
|image = 
|Section = [[Section::{{PAGENAME}}]]
|Source = [[Source::DataSource]] 
|Language = [[Language::English]] 
|Topic = [[Topic ::Microsoft]] 
|SubTopic = [[SubTopic::CBl-Mariner Linux]] 
|DocumentType = [[DocumentType::Documentation]] 
|LastEditBy = [[LastEditBy::{{REVISIONUSER}}]]
|LastEdit = [[LastEdit::{{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}]]
|Status = [[Status::Active]] 
|Access = [[Access::free]] 

}}


== CBL-Mariner Operating System Security Features ==

{| class="wikitable sortable"
|-
! '''Element''' !! colspan="3" | '''Description'''
|-
| rowspan="3" | '''Networking'''
|-
| Configurable Firewall || By default || iptables
|-
| SYN cookies || By default || CONFIG_SYN_COOKIES=y
|-
| '''Updates''' || Signed updates || By default || tdnf, dnf
|-
| rowspan="7" | '''Build options'''
|-
| Built as PIE || By default || -fPIE, -pie
|-
| Built with Stack Protector Strong || By default || -fstack-protector, -fstack-protector-strong
|-
| Built with Format Security || By default || -Wformat-security
|-
| Built with Fortify Source || By default || _FORTIFY_SOURCE
|-
| Built with --enable-bind-now || By default || --enable-bind-now
|-
| Built with RELRO || By default || relro
|-
| rowspan="6" | '''Address Space Layout Randomization (ASLR)'''
|-
| Stack ASLR || By default || Available in the mainline kernel since 2.6.15
|-
| Libs/mmap ASLR || By default || Available in the mainline kernel since 2.6.15
|-
| Exec ASLR || By default || Available in the mainline kernel since 2.6.25
|-
| brk ASLR || By default || Available in the mainline kernel since 2.6.22
|-
| VDSO ASLR || By default || Available for x86_64 in the mainline kernel since 2.6.22
|-
| rowspan="12" | '''Kernel hardening'''
|-
| /proc/$pid/maps protection || By default || Enabled by default since mainline kernel 2.6.27
|-
| Symlink restrictions || By default || fs.protected_symlinks
|-
| Hardlink restrictions || By default || fs.protected_hardlinks
|-
| 0-address protection || By default || vm.mmap_min_addr
|-
| Kernel Address Display Restriction || By default || kernel.kptr_restrict
|-
| Block module loading || Available || kernel.modules_disabled
|-
| /dev/mem protection || By default || CONFIG_STRICT_DEVMEM=y
|-
| /dev/kmem disabled || By default || CONFIG_DEVKMEM=n
|-
| Kernel Module RO/NX || By default || CONFIG_STRICT_MODULE_RWX=y
|-
| Write-protect kernel .rodata sections || By default || CONFIG_STRICT_KERNEL_RWX=y
|-
| Kernel Stack Protector || By default || CONFIG_STACKPROTECTOR=y
|-
| rowspan="4" | '''gcc/glibc hardening'''
|-
| Overflow checking in new operator || By default || gcc
|-
| Pointer Obfuscation || By default || glibc pointer encryption
|-
| Heap Consistency Checking || By default || glibc Heap Consistency Checking
|-
| rowspan="3" | '''System call filtering'''
|-
| Syscall Filtering (seccomp) || Available || CONFIG_SECCOMP_FILTER=y
|-
| Seccomp sandbox || Available || PR_SET_SECCOMP
|-
| rowspan="6" | '''Process isolation'''
|-
| Ptrace Mitigation || Available || Yama
|-
| User namespaces || Available || CONFIG_USER_NS=y
|-
| Private /tmp for systemd services || Available || PrivateTmp
|-
| Polyinstantiate /tmp, /var/tmp, and user home folders|| Available || namespace.conf
|-
| Mandatory access control || By default || SELinux
|-
| '''Encrypted Storage''' || Encrypted Volumes || Available || Encrypt during OS installation
|-
| rowspan="5" | '''Miscellaneous'''
|-
| Password hashing || By default || SHA-512
|-
| Filesystem Capabilities || Available || Capabilities and chattr
|-
| Tamper Resistant Logs || Available || journalctl --verify
|-
| Kernel Lockdown || Integrity mode by default || kernel lockdown
|}

← Older revision	Revision as of 05:58, 3 April 2022
(No difference)

@@ Line 16: / Line 16: @@
 <!-- End of Template Infobox Generic-->
-== CBL-Mariner Operating System Security Features ==
+== Microsoft CBL-Mariner Operating System Security Features ==
 {| class="wikitable sortable"

@@ Line 6: / Line 6: @@
 	|Language = [[Language::English]] <!-- [[Language::English]], [[Language::Français]], [[Language::Nederlands]] -->
 	|Topic =  [[Topic ::Microsoft]] <!-- [[Topic ::Mediawiki]], [[Topic ::Microsoft]], ... -->
-	|SubTopic = [[SubTopic::CBl-Mariner Linux]] <!-- [[SubTopic::Mediawiki Extension]], [[SubTopic::Office 365]] , [[Subtopic::Quiz]] ... -->
+	|SubTopic = [[SubTopic::CBL-Mariner Linux]] <!-- [[SubTopic::Mediawiki Extension]], [[SubTopic::Office 365]] , [[Subtopic::Quiz]] ... -->
          |DocumentType =  [[DocumentType::Documentation]] <!-- [[DocumentType::User Guide]], [[DocumentType::Procedure]], [[DocumentType::Script]], [[DocumentType::Gallery]], [[DocumentType::Training]]...-->
 	|LastEditBy = [[LastEditBy::{{REVISIONUSER}}]]

Microsoft CBL-Mariner OS Security Features - Revision history

DochyJP: DochyJP moved page CBL-Mariner OS Security Features to Microsoft CBL-Mariner OS Security Features without leaving a redirect

DochyJP: /* CBL-Mariner Operating System Security Features */

DochyJP: Typing fault update

DochyJP: Page creation