
Add RDK Linux Hardening specification flags #84

Open
frakman1 opened this issue Sep 1, 2023 · 2 comments
Labels
question Further information is requested

Comments

frakman1 commented Sep 1, 2023

The RDK Linux Hardening specification lists many flags that are not checked in this tool. The first five I looked for were not there: CONFIG_DEBUG_KERNEL, CONFIG_MARKERS, CONFIG_DEBUG_MEMLEAK and CONFIG_ELF_CORE.

Perhaps these can be added as part of a new 'RDK security policy' check for the 'decision' column


frakman1 commented Sep 5, 2023

Link no longer appears to be up. I saved a cache for reference:


RDK Linux Hardening specification
Created on June 21, 2022

  1. Ensure no hard-coded credentials are present in the clear
  2. Ensure compliance with Comcast specifications for crypto and TLS
    o All STB connections to servers must be secured using TLS 1.2 or above, and verified to be correctly performing server certificate chain validation
  3. Build with stack-smashing (at least for modules implementing security)
    o Enable CONFIG_CC_STACKPROTECTOR, -fstack-protector-all, -Wstack-protector
    o Libc function buffer overrun checks: _FORTIFY_SOURCE=2
    o Initial requirement would be to enable this for all security sensitive modules with follow up to enable for the entire build.
  4. Scan all non-OSS sources with static analyzer
  5. Network port blocking
    o All ports not specifically used must be blocked by ipTables rules
  6. Disable all unused devices (USB, Bluetooth, etc)
  7. Implement multiuser/sandbox strategy (Restrict Linux process privileges)
    o No applications/utilities within a sandbox should run as root or have any means to achieve root privileges. Sandbox shall not contain hard links to outside files. Every sandbox connected to an external network shall contain its own firewall and shall be configured using a whitelist.
    o Configure processes to the minimum capabilities and resources required for their operation. Have a unique user and group own service components/applications that need to be isolated. Users have permissions to access the required device files only. Shared files are access controlled using group permissions. Default permissions for newly created files include read/write/exec permissions for the owner only. Always use setresuid() and setresgid() functions to change the current user and group. Always confirm the change with getresuid() and getresgid() functions. Users and groups must have unique IDs.
    o In progress, containerization via LXC is being implemented for subset of RDK processes. OEM may choose to use a technology other than LXC to sandbox their processes.
  8. Vet all open source
    o Currently being done using Whitesource tool
  9. Disable kernel module load
    o Making modules statically linked to the kernel would be a significant effort.
    o Disable module load after boot using /proc/sys/kernel/module_disabled
  10. Disable kernel module unload
    o Set CONFIG_MODULE_UNLOAD
  11. Kernel module parameters must be R/O or trusted
    o Audit boot scripts to ensure loadable kernel module parameters are hard coded and don’t rely on data from persistent storage or other writable source
  12. Remove kernel debugging and profiling options
    o CONFIG_DEBUG_KERNEL CONFIG_MARKERS CONFIG_DEBUG_MEMLEAK CONFIG_KPROBES
    o CONFIG_SLUB_DEBUG CONFIG_PROFILING CONFIG_DEBUG_FS CONFIG_KPTRACE
    o CONFIG_KALLSYMS CONFIG_LTT CONFIG_UNUSED_SYMBOLS CONFIG_TRACE_IRQFLAGS_SUPPORT
    o CONFIG_RELAY CONFIG_MAGIC_SYSRQ CONFIG_VM_EVENT_COUNTERS CONFIGU_UNWIND_INFO
    o CONFIG_BPA2_ALLOC_TRACE CONFIG_PRINTK
    o CONFIG_CRASH_DUMP CONFIG_BUG CONFIG_SCSI_LOGGING CONFIG_ELF_CORE CONFIG_FULL_PANIC
    o CONFIG_TASKSTATUS CONFIG_AUDIT CONFIG_BSD_PROCESS_ACCT CONFIG_KEXEC
    o CONFIG_EARLY_PRINTK CONFIG_IKCONFIG CONFIG_NETFILTER_DEBUG
    o CONFIG_MTD_UBI_DEBUG CONFIG_B43_DEBUG CONFIG_SSB_DEBUG CONFIG_FB_INTEL_DEBUG
    o CONFIG_TRACING CONFIG_PERF_EVENTS
  13. Disable unused file system and block device support
  14. Enable heap protection and pointer obfuscation features.
    o Enabled by default in glibc. Protects heap from buffer overflows. Available in glibc 2.3.4 or above, Enabled using environment variable malloc_check_
  15. Restrict /dev/mem to minimal regions of memory required
  16. Remove support for /dev/kmem
  17. Remove support for /dev/kcore
    o Kernel core dumping should be disabled in production
  18. Enable format, buffer, and object size checks
  19. Restrict /proc to process owners (except for IDS)
  20. Disable kernel configfs
    o Allows modification of kernel objects
  21. Remove ldconfig from target filesystem and ld.so.conf and ld.so.cache should be empty
    o Removes caching of symbolic links. Will cause a performance hit.
    o Impact: glibc changes. Would allow loading libraries from a non-standard library path even if we don’t use LD_LIBRARY_PATH.
  22. Security critical software is compiled as PIE (Position Independent Executable), if supported
  23. Kernel boots with “ro” in command line
    o Mount filesystem as readonly.
  24. Mount filesystems with minimal privileges. For example, filesystem containing no executable code shall have “noexec” option specified.
  25. Temporary storage (/tmp) shall be mounted in a dedicated filesystem (eg. tmpfs) and its contents shall not survive reboots
  26. Flush cache after accessing sensitive data
  27. No overlay of writable mounts on read-only data
  28. System directories such as /proc or /dev shall not be writable within a sandbox
  29. Applications and utilities shall not have the setgid or setuid bit set
  30. Configure default shell to /dev/null
  31. Remove all unused executables and libraries
  32. Disable PTRACE, General restriction on PTRACE should be applied at kernel level with Yama LSM
    o http://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/
    o PTRACE is used by GDB. Disable only for production builds. Both compile time and runtime changes required (can restrict PTRACE to root if required)
  33. Don’t use LD_LIBRARY_PATH (loads libraries from default locations only)
  34. Full runtime path for non-standard libraries included in code image
    o Use -rpath and -rpath-link
  35. Mount filesystems with ro option and change permission temporarily when needed
  36. Kernel init parameters / command line must be R/O and trusted
  37. Restrict kernel syslog (dmesg) to root user only
  38. Disable kernel debugfs
    o Part of sysfs used to enable kernel debug messaging. If printk is disabled this becomes irrelevant
  39. Use ELF format only
    o May break scripts like Python
  40. Dynamic linker configuration changes
    o Remove LD_DEBUG support from dynamic linker
    o Remove LD_PRELOAD support from dynamic linker
    o Remove LD_PROFILE support from the dynamic linker
    o Remove LD_AUDIT support from the dynamic linker
    o Remove LD_SHOW_AUXV support from the dynamic linker
    o Remove LD_TRACE_LOADED_OBJECTS support from the dynamic linker
    o Link dynamic programs with -z now and -z relro options
  41. Hide restricted kernel pointers
    o Restricted pointers replaced with 0’s.
    o Relates to printk handling of printing pointer values. This is a runtime setting, enable/disable via /proc/sys/kernel/kptr_restrict
  42. Review use of SYSFS, disable it if possible
  43. Mark unchanging files in writable partition with “immutable”
  44. Use all compiler security features
    o Compile with -Wall, -Werror and fail on warnings (and possibly -Wextra)
  45. Replace strcpy with strncpy
    o All code should use safer, bounds checking versions of string library functions (such as strncpy instead of strcpy) to avoid potential buffer overruns.
  46. Prevent file races, open temp files with O_CREAT | O_EXCL
    o Makes check for file existence and creation atomic. Prevents multiple threads creating same file.
  47. Set sticky bit for temporary directories to prevent accidental deletion
    o Only owner and root can delete directory
  48. Restrict kernel network settings to be the most restrictive possible
  49. Limit temporary storage (tmpfs) memory size
  50. Enable kernel ABI Version Check
  51. Disable kernel symbol resolution
    o Disable CONFIG_KALLSYMS
    o Limits our ability to debug kernel crash dumps
  52. Disable kernel crashdump
    o Disable CONFIG_CRASH_DUMP
  53. Minimum MMAPable address set to 4K min.
    o This prevents mapping NULL address
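
The kernel-side items of the pasted spec (3, 9, 10, 12, 32, 37, 41, 51, 52 and 53) as a small checker, added here as an example; it is neither the RDK spec's nor kernel-hardening-checker's code. It parses a kernel .config and a sysctl snapshot and reports every option or knob that violates the list. Assumptions made in the example: CONFIG_MODULE_UNLOAD is treated as must-be-off following item 10's heading (the spec text itself says "Set CONFIG_MODULE_UNLOAD"); item 9's "module_disabled" is read as the real sysctl kernel.modules_disabled; CONFIG_CC_STACKPROTECTOR, renamed CONFIG_STACKPROTECTOR in Linux 4.18, is accepted under either name; the sample .config and sysctl values are constructed, not taken from any RDK build.

```python
#!/usr/bin/env python3
"""Check a kernel .config and a sysctl snapshot against the RDK hardening
items pasted above (example checker, not kernel-hardening-checker's code)."""
import re

# Items 10, 12, 51, 52: options that must be absent ("is not set") in a
# production build. CONFIG_MODULE_UNLOAD follows item 10's heading (disable
# module unload), an assumption since the spec text says "Set" it.
MUST_BE_OFF = (
    "CONFIG_DEBUG_KERNEL", "CONFIG_DEBUG_MEMLEAK", "CONFIG_KPROBES",
    "CONFIG_SLUB_DEBUG", "CONFIG_PROFILING", "CONFIG_DEBUG_FS",
    "CONFIG_KALLSYMS", "CONFIG_UNUSED_SYMBOLS", "CONFIG_RELAY",
    "CONFIG_MAGIC_SYSRQ", "CONFIG_VM_EVENT_COUNTERS", "CONFIG_PRINTK",
    "CONFIG_CRASH_DUMP", "CONFIG_BUG", "CONFIG_SCSI_LOGGING",
    "CONFIG_ELF_CORE", "CONFIG_AUDIT", "CONFIG_BSD_PROCESS_ACCT",
    "CONFIG_KEXEC", "CONFIG_EARLY_PRINTK", "CONFIG_IKCONFIG",
    "CONFIG_NETFILTER_DEBUG", "CONFIG_TRACING", "CONFIG_PERF_EVENTS",
    "CONFIG_MODULE_UNLOAD",
)
# Item 3 (stack protector) and item 32 (Yama LSM for ptrace restriction).
# CONFIG_CC_STACKPROTECTOR is the pre-4.18 name; newer kernels use
# CONFIG_STACKPROTECTOR, so either spelling satisfies the rule.
MUST_BE_ON = (("CONFIG_CC_STACKPROTECTOR", "CONFIG_STACKPROTECTOR"),
              ("CONFIG_SECURITY_YAMA",))

# Runtime knobs from items 9, 32, 37, 41, 53 as sysctl name -> minimum value.
# Item 9 writes "module_disabled"; the real sysctl is kernel.modules_disabled.
RUNTIME_MIN = {
    "kernel.modules_disabled": 1,
    "kernel.yama.ptrace_scope": 1,
    "kernel.dmesg_restrict": 1,
    "kernel.kptr_restrict": 1,
    "vm.mmap_min_addr": 4096,
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Return {option: value}; unset options map to 'n', strings are unquoted."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _UNSET.match(line):
            cfg[m.group(1)] = "n"
        elif m := _SET.match(line):
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg


def check_kconfig(cfg):
    """Return (option, expected, actual) for every violated build-time rule."""
    findings = []
    for opt in MUST_BE_OFF:
        actual = cfg.get(opt, "n")     # absent from .config means not set
        if actual != "n":
            findings.append((opt, "is not set", actual))
    for names in MUST_BE_ON:
        if not any(cfg.get(n) == "y" for n in names):
            findings.append((names[0], "y", cfg.get(names[0], "n")))
    return findings


def check_sysctl(values):
    """values: {sysctl: str}. Return (name, minimum, actual) per violation;
    a missing or non-numeric knob is reported as a violation, not skipped."""
    findings = []
    for name, minimum in RUNTIME_MIN.items():
        raw = values.get(name)
        try:
            actual = int(raw)
        except (TypeError, ValueError):
            actual = None
        if actual is None or actual < minimum:
            findings.append((name, minimum, raw))
    return findings


# Constructed sample input: a debug-heavy .config and a partially tuned box.
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
# CONFIG_DEBUG_KERNEL is not set
CONFIG_DEBUG_FS=y
CONFIG_KALLSYMS=y
# CONFIG_KPROBES is not set
CONFIG_STACKPROTECTOR=y
# CONFIG_SECURITY_YAMA is not set
CONFIG_CMDLINE="console=ttyS0 ro"
"""
SAMPLE_SYSCTL = {            # what `sysctl -a` might report on the target
    "kernel.modules_disabled": "0",
    "kernel.yama.ptrace_scope": "1",
    "kernel.dmesg_restrict": "1",
    "kernel.kptr_restrict": "0",
    "vm.mmap_min_addr": "65536",
}

if __name__ == "__main__":
    for opt, want, got in check_kconfig(parse_kconfig(SAMPLE_CONFIG)):
        print(f"FAIL {opt}: expected {want}, found {got}")
    for name, want, got in check_sysctl(SAMPLE_SYSCTL):
        print(f"FAIL {name}: expected >= {want}, found {got}")
```

On a real target, feed `parse_kconfig` the contents of /proc/config.gz (which the spec's own item 12 wants removed via CONFIG_IKCONFIG, so in a hardened image the build tree's .config is the source) and build the sysctl dict from `sysctl -a` output; the sample above deliberately trips CONFIG_MODULE_UNLOAD, CONFIG_DEBUG_FS, CONFIG_KALLSYMS, the missing Yama LSM, and two runtime knobs left at their defaults.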

@a13xp0p0v a13xp0p0v added the question Further information is requested label Nov 22, 2023
a13xp0p0v (Owner) commented

Need to compare these recommendations with the current kernel-hardening-checker rules.

Gonna do that after preparing the next release of the tool.
