Difference between revisions of "Microsoft CBL-Mariner OS Security Features"

Microsoft CBL-Mariner OS Security Features
Source:	DataSource
Language:	English
Topic:	Microsoft
SubTopic:	CBL-Mariner Linux
Last Edit By:	DochyJP
LastEdit:	2022-04-03
Document type:	Documentation
Status:	Active
Access:	free

Revision as of 06:53, 3 April 2022

CBL-Mariner Operating System Security Features

Element	Description
Networking
	Configurable Firewall	By default	iptables
	SYN cookies	By default	CONFIG_SYN_COOKIES=y
Updates	Signed updates	By default	tdnf, dnf
Build options
	Built as PIE	By default	-fPIE, -pie
	Built with Stack Protector Strong	By default	-fstack-protector, -fstack-protector-strong
	Built with Format Security	By default	-Wformat-security
	Built with Fortify Source	By default	_FORTIFY_SOURCE
	Built with --enable-bind-now	By default	--enable-bind-now
	Built with RELRO	By default	relro
Address Space Layout Randomization (ASLR)
	Stack ASLR	By default	Available in the mainline kernel since 2.6.15
	Libs/mmap ASLR	By default	Available in the mainline kernel since 2.6.15
	Exec ASLR	By default	Available in the mainline kernel since 2.6.25
	brk ASLR	By default	Available in the mainline kernel since 2.6.22
	VDSO ASLR	By default	Available for x86_64 in the mainline kernel since 2.6.22
Kernel hardening
	/proc/$pid/maps protection	By default	Enabled by default since mainline kernel 2.6.27
	Symlink restrictions	By default	fs.protected_symlinks
	Hardlink restrictions	By default	fs.protected_hardlinks
	0-address protection	By default	vm.mmap_min_addr
	Kernel Address Display Restriction	By default	kernel.kptr_restrict
	Block module loading	Available	kernel.modules_disabled
	/dev/mem protection	By default	CONFIG_STRICT_DEVMEM=y
	/dev/kmem disabled	By default	CONFIG_DEVKMEM=n
	Kernel Module RO/NX	By default	CONFIG_STRICT_MODULE_RWX=y
	Write-protect kernel .rodata sections	By default	CONFIG_STRICT_KERNEL_RWX=y
	Kernel Stack Protector	By default	CONFIG_STACKPROTECTOR=y
gcc/glibc hardening
	Overflow checking in new operator	By default	gcc
	Pointer Obfuscation	By default	glibc pointer encryption
	Heap Consistency Checking	By default	glibc Heap Consistency Checking
System call filtering
	Syscall Filtering (seccomp)	Available	CONFIG_SECCOMP_FILTER=y
	Seccomp sandbox	Available	PR_SET_SECCOMP
Process isolation
	Ptrace Mitigation	Available	Yama
	User namespaces	Available	CONFIG_USER_NS=y
	Private /tmp for systemd services	Available	PrivateTmp
	Polyinstantiate /tmp, /var/tmp, and user home folders	Available	namespace.conf
	Mandatory access control	By default	SELinux
Encrypted Storage	Encrypted Volumes	Available	Encrypt during OS installation
Miscellaneous
	Password hashing	By default	SHA-512
	Filesystem Capabilities	Available	Capabilities and chattr
	Tamper Resistant Logs	Available	journalctl --verify
	Kernel Lockdown	Integrity mode by default	kernel lockdown

@@ Line 6: / Line 6: @@
 	|Language = [[Language::English]] <!-- [[Language::English]], [[Language::Français]], [[Language::Nederlands]] -->
 	|Topic =  [[Topic ::Microsoft]] <!-- [[Topic ::Mediawiki]], [[Topic ::Microsoft]], ... -->
-	|SubTopic = [[SubTopic::CBl-Mariner Linux]] <!-- [[SubTopic::Mediawiki Extension]], [[SubTopic::Office 365]] , [[Subtopic::Quiz]] ... -->
+	|SubTopic = [[SubTopic::CBL-Mariner Linux]] <!-- [[SubTopic::Mediawiki Extension]], [[SubTopic::Office 365]] , [[Subtopic::Quiz]] ... -->
          |DocumentType =  [[DocumentType::Documentation]] <!-- [[DocumentType::User Guide]], [[DocumentType::Procedure]], [[DocumentType::Script]], [[DocumentType::Gallery]], [[DocumentType::Training]]...-->
 	|LastEditBy = [[LastEditBy::{{REVISIONUSER}}]]

Difference between revisions of "Microsoft CBL-Mariner OS Security Features"

Revision as of 06:53, 3 April 2022

CBL-Mariner Operating System Security Features

Navigation menu

Search