From Fedora Project Wiki

(Add Stack Protector Strong)
(Add column for Fedora 34)
 
(82 intermediate revisions by 10 users not shown)
Line 14: Line 14:


{| class="wikitable"
{| class="wikitable"
| Security Features  || RHEL 3               || RHEL 4               || RHEL 5               || RHEL 6              || RHEL 7              || Fedora 19           || Fedora 20           || Fedora 21            || Rawhide           
| Security Features  || RHEL 5               || RHEL 6               || RHEL 7               || RHEL 8 || Fedora 31           || Fedora 32           || Fedora 33          || Fedora 34
|-
|-
| [[#Configurable Firewall|Configurable Firewall]]    || style="background:#00dd00" | iptables            || style="background:#00dd00" | iptables            || style="background:#00dd00" | iptables            || style="background:#00dd00" | iptables            || style="background:#00dd00" | iptables            || style="background:#00dd00" | firewalld          || style="background:#00dd00" | firewalld          || style="background:#00dd00" | firewalld          || style="background:#00dd00" | firewalld         
| '''Configuration'''
|-
|-
| [[#Signed updates|     Signed updates]]    || style="background:#00dd00" | yum                || style="background:#00dd00" | yum                || style="background:#00dd00" | yum                || style="background:#00dd00" | yum                || style="background:#00dd00" | yum                || style="background:#00dd00" | yum / dnf           || style="background:#00dd00" | yum / dnf           || style="background:#00dd00" | yum / dnf           || style="background:#00dd00" | yum / dnf         
| [[#Configurable Firewall|Configurable Firewall]]    || style="background:#00dd00" | iptables            || style="background:#00dd00" | iptables            || style="background:#00dd00" | iptables            || style="background:#00dd00" | firewalld          || style="background:#00dd00" | firewalld           || style="background:#00dd00" | firewalld           || style="background:#00dd00" | firewalld           || style="background:#00dd00" | firewalld
|-
|-
| [[#SELinux|             SELinux]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
| [[#Signed updates|     Signed updates]]    || style="background:#00dd00" | yum                || style="background:#00dd00" | yum                || style="background:#00dd00" | yum                || style="background:#00dd00" | yum / dnf          || style="background:#00dd00" | yum / dnf          || style="background:#00dd00" | yum / dnf          || style="background:#00dd00" | yum / dnf          || style="background:#00dd00" | yum / dnf
|-
|-
| [[#SELinux targeted policy|SELinux targeted policy]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
| [[#Password hashing|   Password hashing]]    || style="background:#00dd00" | md5crypt            || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt 
|-
|-
| [[#SELinux Executable Memory Protection|SELinux Executable Memory Protection]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
| [[#Annotated Binaries|Annotated Binaries]]    || style="background:#ffff00" | N           || style="background:#ffff00" | N           || style="background:#ffff00" | N            || style="background:#00dd00" | package list          || style="background:#00dd00" | package list          || style="background:#00dd00" | package list          || style="background:#00dd00" | package list    || style="background:#00dd00" | package list     
|-
|-
| [[#Password hashing|   Password hashing]]    || style="background:#00dd00" | md5crypt           || style="background:#00dd00" | md5crypt           || style="background:#00dd00" | md5crypt           || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt          
| [[#Grub2 Security Modules|Grub2 Security Modules]]    || style="background:#ffff00" | N           || style="background:#ffff00" | N           || style="background:#ffff00" | N           || style="background:#98fd98" | Y || style="background:#98fd98" | Y          || style="background:#98fd98" | Y          || style="background:#98fd98" | || style="background:#98fd98" | Y          
|-
|-
| [[#Filesystem Capabilities|Filesystem Capabilities]]    || style="background:#ffff00" | --                  || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel             
| [[#SSH Root Password Disabled |SSH Root Password Disabled]]    || style="background:#ffff00" | N            || style="background:#ffff00" | N            || style="background:#ffff00" | N            || style="background:#00dd00" | Y || style="background:#00dd00" | Y          || style="background:#00dd00" | Y          || style="background:#00dd00" | Y    || style="background:#00dd00" | Y     
|-
|-
| [[#SELinux user confinement|SELinux user confinement]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#98fd98" | Y                  || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  
| [[#File Access Policy Daemon|File Access Policy Daemon]]    || style="background:#ffff00" | N           || style="background:#ffff00" | N           || style="background:#ffff00" | N            || style="background:#98fd98" | Y || style="background:#98fd98" | Y           || style="background:#98fd98" | Y           || style="background:#98fd98" | Y   || style="background:#98fd98" | Y        
|-
|-
| [[#SELinux XACE|       SELinux XACE]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                   || style="background:#98fd98" | Y                  
| [[#Network Time Security (NTS)|Network Time Security]]    || style="background:#ffff00" | N           || style="background:#ffff00" | N           || style="background:#ffff00" | N           || style="background:#ffff00" | N || style="background:#ffff00" | N          || style="background:#ffff00" | N          || style="background:#98fd98" | Y   || style="background:#98fd98" | Y        
|-
|-
| [[#SELinux sandbox|    SELinux sandbox]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
| '''Subsystems'''
|-
|-
| [[#PR_SET_SECCOMP|     PR_SET_SECCOMP]]    || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel             || style="background:#98fd98" | kernel             || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel             
| [[#Filesystem Capabilities|Filesystem Capabilities]]    || style="background:#98fd98" | Y              || style="background:#98fd98" | Y              || style="background:#98fd98" | Y              || style="background:#98fd98" | Y || style="background:#98fd98" | Y             || style="background:#98fd98" | Y             || style="background:#98fd98" | Y || style="background:#98fd98" | Y           
|-
|-
| [[#SELinux Deny Ptrace| SELinux Deny Ptrace]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                   || style="background:#98fd98" | Y                   || style="background:#98fd98" | Y                   || style="background:#98fd98" | Y                   || style="background:#98fd98" | Y                  
| [[#PR_SET_SECCOMP|     PR_SET_SECCOMP]]    || style="background:#ffff00" | N                 || style="background:#ffff00" | N                 || style="background:#98fd98" | Y          || style="background:#98fd98" | Y     || style="background:#98fd98" | Y             || style="background:#98fd98" | Y             || style="background:#98fd98" | Y   || style="background:#98fd98" | Y          
|-
|-
| [[#SELinux restricted module loading|SELinux restricted module loading]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | ?                  || style="background:#ffff00" | ?                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                   || style="background:#98fd98" | Y                  
| [[#Platform Abstraction For Security (PARSEC)|     PARSEC]]    || style="background:#ffff00" | N                 || style="background:#ffff00" | N                 || style="background:#ffff00" | N          || style="background:#ffff00" | N    || style="background:#ffff00" | N              || style="background:#ffff00" | N              || style="background:#98fd98" | Y || style="background:#98fd98" | Y            
|-
|-
| [[#User namespaces|    User namespaces]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                 
| '''Mandatory Access Control'''
|-
|-
| [[#/tmp namespace for systemd|/tmp namespace for systemd]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N                  || style="background:#ffff00" | N                   || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                   || style="background:#98fd98" | Y                  
| [[#SELinux|             SELinux]]    || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y       || style="background:#00dd00" | Y            
|-
|-
| [[#Polyinstantiate /tmp, /var/tmp and user home folders|Polyinstantiate /tmp, /var/tmp and user home folders]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                   || style="background:#98fd98" | Y                  
| [[#SELinux targeted policy|SELinux targeted policy]]    ||style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y   || style="background:#00dd00" | Y              
|-
|-
| [[#Encrypted LVM|       Encrypted LVM]]    || style="background:#ffff00" | ?                   || style="background:#ffff00" | ?                   || style="background:#98fd98" | Y                  || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer 
| [[#SELinux Executable Memory Protection|SELinux Executable Memory Protection]]    ||style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y    || style="background:#00dd00" | Y               
|-
|-
| [[#eCryptfs|           eCryptfs]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Optional Package    || style="background:#98fd98" | Optional Package    || style="background:#98fd98" | Optional Package    || style="background:#98fd98" | Optional Package   
| [[#SELinux user confinement|SELinux user confinement]]    || style="background:#98fd98" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y          || style="background:#00dd00" | Y           
|-
|-
| [[#Non-Executable Memory (NX)|Non-Executable Memory (NX)]]    || style="background:#00dd00" | Y (since 9/2004)    || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  
| [[#SELinux XACE|       SELinux XACE]]    || style="background:#ffff00" | N                   || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y   || style="background:#98fd98" | Y              
|-
|-
| [[#Built as PIE|       Built as PIE]]    || style="background:#00dd00" | package list (since 9/2004)|| style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list       
| [[#SELinux sandbox|     SELinux sandbox]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y      || style="background:#00dd00" | Y             
|-
|-
| [[#Pointer Obfuscation| Pointer Obfuscation]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc                
| [[#SELinux Deny Ptrace| SELinux Deny Ptrace]]    ||style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y        || style="background:#98fd98" | Y                
|-
|-
| [[#Heap Protector|     Heap Protector]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc             
| [[#SELinux restricted module loading|SELinux restricted module loading]]    || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y        || style="background:#98fd98" | Y           
|-
|-
| [[#Built with Fortify Source|Built with Fortify Source]]    || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                 
| [[#User namespaces|     User namespaces]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                   || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y       || style="background:#98fd98" | Y            
|-
|-
| [[#Stack Protector|     Stack Protector]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                 
| [[#/tmp namespace for systemd|/tmp namespace for systemd]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y     || style="background:#98fd98" | Y            
|-
|-
| [[#Stack ASLR|         Stack ASLR]]    || style="background:#00dd00" | Y (since 9/2004)    || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel             
| [[#Polyinstantiate /tmp, /var/tmp and user home folders|Polyinstantiate /tmp, /var/tmp and user home folders]]    || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y         
|-
|-
| [[#Libs/mmap ASLR|      Libs/mmap ASLR]]    || style="background:#00dd00" | kernel (since 9/2004)|| style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel             
| '''Filesystem Encryption'''
|-
|-
| [[#Exec ASLR|           Exec ASLR]]    || style="background:#00dd00" | (since 9/2004)      || style="background:#00dd00" | Y                  || style="background:#00dd00" | y                  || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
| [[#Encrypted LVM|       Encrypted LVM]]    || style="background:#98fd98" | Y                  || style="background:#98fd98" | || style="background:#98fd98" | Y || style="background:#98fd98" | Y || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer
|-
|-
| [[#brk ASLR|            brk ASLR]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | ?                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
| [[#eCryptfs|            eCryptfs]]    || style="background:#98fd98" | Y                   || style="background:#98fd98" | Y                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N        || style="background:#98fd98" | Optional Package    || style="background:#98fd98" | Optional Package    || style="background:#98fd98" | Optional Package  || style="background:#98fd98" | Optional Package
|-
|-
| [[#VDSO ASLR|          VDSO ASLR]]    || style="background:#00dd00" | no vDSO            || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel              || style="background:#00dd00" | kernel             
| '''User Space Hardening'''
|-
|-
| [[#Built with RELRO|   Built with RELRO]]    || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#00dd00" | gcc patch          || style="background:#00dd00" | gcc patch          || style="background:#00dd00" | gcc patch          || style="background:#00dd00" | gcc patch          || style="background:#00dd00" | gcc patch         
| [[#Non-Executable Memory (NX)|Non-Executable Memory (NX)]]    || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y            || style="background:#00dd00" | Y       
|-
|-
| [[#Built with BIND_NOW| Built with BIND_NOW]]    || style="background:#ffff00" | N                  || style="background:#98fd98" | ?                  || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list       
| [[#Built as PIE|       Built as PIE]]    || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y      || style="background:#00dd00" | Y             
|-
|-
| [[#/proc/$pid/maps protection|/proc/$pid/maps protection]]    || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#00dd00" | kernel & sysctl    || style="background:#00dd00" | kernel & sysctl    || style="background:#00dd00" | kernel & sysctl    || style="background:#00dd00" | kernel & sysctl    || style="background:#00dd00" | kernel & sysctl   
| [[#Pointer Obfuscation| Pointer Obfuscation]]    || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc      || style="background:#00dd00" | glibc       
|-
|-
| [[#Symlink restrictions|Symlink restrictions]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel             
| [[#Heap Protector|     Heap Protector]]    || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc      || style="background:#00dd00" | glibc       
|-
|-
| [[#Hardlink restrictions|Hardlink restrictions]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#98fd98" | Y                  || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel              || style="background:#98fd98" | kernel             
| [[#Built with Fortify Source|Built with Fortify Source]]    || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y    || style="background:#00dd00" | Y             
|-
|-
| [[#ptrace scope|       ptrace scope]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                 
| [[#Stack Protector|     Stack Protector]]    || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y    || style="background:#00dd00" | Y             
|-
| [[#Strong Stack Protector| Strong Stack Protector]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y   || style="background:#00dd00" | Y              
|-
| [[#Stack Clash Protection|     Stack Clash Protection]]    || style="background:#ffff00" | N                   || style="background:#ffff00" | N                   || style="background:#00dd00" | glibc                   || style="background:#00dd00" | glibc                   || style="background:#00dd00" | package list                   || style="background:#00dd00" | package list                   || style="background:#00dd00" | package list    || style="background:#00dd00" | package list             
|-
| [[#GLIBCXX Assertions|     GLIBCXX Assertions]]    || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 || style="background:#98fd98" | Y               || style="background:#00dd00" | package list                   || style="background:#00dd00" | package list                   || style="background:#00dd00" | package list  || style="background:#00dd00" | package list               
|-
| [[#Built with Format Security|Built with Format Security]]    || style="background:#00dd00" | Y                 || style="background:#00dd00" | Y                 || style="background:#00dd00" | Y                 || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y     || style="background:#00dd00" | Y              
|-
| [[#Stack ASLR|         Stack ASLR]]    || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y || style="background:#00dd00" | Y             || style="background:#00dd00" | Y             || style="background:#00dd00" | Y    || style="background:#00dd00" | Y         
|-
| [[#Libs/mmap ASLR|     Libs/mmap ASLR]]    || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y || style="background:#00dd00" | Y             || style="background:#00dd00" | Y             || style="background:#00dd00" | || style="background:#00dd00" | Y         
|-
| [[#Exec ASLR|           Exec ASLR]]    || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y             || style="background:#00dd00" | Y     || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y   || style="background:#00dd00" | Y              
|-
| [[#brk ASLR|           brk ASLR]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y               || style="background:#00dd00" | Y   || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y   || style="background:#00dd00" | Y                
|-
| [[#VDSO ASLR|           VDSO ASLR]]    || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y         || style="background:#00dd00" | Y     || style="background:#00dd00" | Y             || style="background:#00dd00" | Y             || style="background:#00dd00" | Y     || style="background:#00dd00" | Y        
|-
| [[#Built with RELRO|   Built with RELRO]]    || style="background:#ffff00" | N                 || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y           || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y     || style="background:#00dd00" | Y            
|-
| [[#Built with BIND_NOW| Built with BIND_NOW]]    || style="background:#ffff00" | N        || style="background:#98fd98" | Y        || style="background:#00dd00" | Y        || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | || style="background:#00dd00" | Y               
|-
| [[#/proc/$pid/maps protection|/proc/$pid/maps protection]]    || style="background:#ffff00" | N                 || style="background:#ffff00" | N                 || style="background:#00dd00" | Y    || style="background:#00dd00" | Y     || style="background:#00dd00" | Y     || style="background:#00dd00" | Y     || style="background:#00dd00" | Y || style="background:#00dd00" | Y  
|-
| [[#Symlink restrictions|Symlink restrictions]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  || style="background:#98fd98" | Y             || style="background:#98fd98" | Y             || style="background:#98fd98" | Y   || style="background:#98fd98" | Y          
|-
| [[#Hardlink restrictions|Hardlink restrictions]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                   || style="background:#00dd00" | Y                  || style="background:#98fd98" | Y             || style="background:#98fd98" | Y             || style="background:#98fd98" | Y || style="background:#98fd98" | Y            
|-
| [[#ptrace scope|       ptrace scope]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                   || style="background:#98fd98" | Y || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y   || style="background:#98fd98" | Y                
|-
| [[#Overflow checking in new operator|Overflow checking in new operator]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y || style="background:#98fd98" | Y                   
|-
| [[#Crypto Policy|      Crypto Policy]]    || style="background:#ffff00" | N                 || style="background:#ffff00" | N                 || style="background:#ffff00" | N                 || style="background:#00dd00" | Y                  || style="background:#00dd00" | || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y   || style="background:#00dd00" | Y              
|-
| [[#Tamper Resistant Logs|Tamper Resistant Logs]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y           
|-
| [[#Aarch64 Pointer Authentication|Aarch64 Pointer Authentication]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y
|-
| '''Kernel Hardening'''
|-
| [[#0-address protection|0-address protection]]    || style="background:#00dd00" | Y (since 5/2008)    || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y
|-
| [[#Block module loading|Block module loading]]    || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y
|-
| [[#/dev/mem protection| /dev/mem protection]]    || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y
|-
| [[#/dev/kmem disabled|  /dev/kmem disabled]]    || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y
|-
| [[#Module RO/NX|        Module RO/NX]]    || style="background:#ffff00" | N                 || style="background:#ffff00" | N                  || style="background:#00dd00" | Y              || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y  || style="background:#00dd00" | Y           
|-
| [[#Kernel Address Display Restriction|Kernel Address Display Restriction]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y              || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y  || style="background:#00dd00" | Y         
|-
| [[#Blacklist Rare Protocols|Blacklist Rare Protocols]]    || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y
|-
| [[#Write-protect kernel .rodata sections|Write-protect kernel .rodata sections]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y
|-
| [[#Kernel Stack Protector|Kernel Stack Protector]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y
|-
| [[#sVirt labelling|    sVirt labelling]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y
|-
| [[#SYN cookies|        SYN cookies]]    || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y || style="background:#00dd00" | Y             
|-
| [[#Syscall Filtering|  Syscall Filtering]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y
|-
| [[#Secure Boot Support| Secure Boot Support]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y
|-
|}
== Features ==
<div style="float:right;">__TOC__</div>
== Configuration ==
change required a complete firewall restart. The firewall daemon on the other
hand manages the firewall dynamically and applies changes without
restarting the whole firewall. See [[FirewallD|FirewallD]]
and [[SystemConfig/firewall|system-config-firewall]]
for more information.

=== Signed updates ===
Each stable RPM package that is published by the Fedora Project is
signed with a GPG signature. By default, [[dnf|DNF]], [[yum|YUM]] and the graphical update
tools will verify these signatures and refuse to install any packages that
are not signed or have bad signatures. You should always verify the

[https://access.redhat.com/site/security/team/key/#package this page]
for more information.
=== SELinux ===
[[SELinux]] is a label-based mandatory access control (MAC) system: every process and every object (file, socket, port) carries a security context, with file labels stored as an extended attribute on the inode, and the loaded policy decides which interactions are allowed independently of the owner's discretionary permissions. See [https://fedoraproject.org/wiki/SELinux this page]
and [http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html this page]
for more information.
=== SELinux targeted policy ===
SELinux is enabled with the targeted policy by default; this policy confines system and network-facing daemons while leaving ordinary user sessions unconfined.
See [http://fedoraproject.org/wiki/SELinux/Policies discussion of policies page]
and [http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html this page]
for more information.
=== SELinux Executable Memory Protection ===
SELinux can deny a domain the memory protection operations execmem (making anonymous memory both writable and executable), execstack (an executable stack), execheap (an executable heap) and execmod (executing a file mapping that was modified in memory, typically by text relocations). Whether these checks are enforced for a given domain is controlled by policy booleans such as deny_execmem and selinuxuser_execstack.
See [http://www.akkadia.org/drepper/selinux-mem.html this page] for more information.

=== Password hashing ===

to brute-force. See the crypt(3) manpage for additional details.


=== Annotated Binaries ===
Annotated binaries carry metadata recorded by GCC through the annobin compiler plugin: which security hardening options the binary was built with, which compiler built it, and more. This makes it possible to script checks of the hardening applied to a binary (the annocheck tool from the annobin package does exactly this). Read more about Annobin in [[Changes/Annobin|Fedora]] and [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/developing_c_and_cpp_applications_in_rhel_8/annobin_toolsets RHEL].

=== Grub2 Security Modules ===

The grub2 modules "verify", "cryptodisk", and "luks" are now included in the EFI build, so users can optionally protect the integrity of boot code, either by verifying digital signatures on the files GRUB loads or by encrypting the boot partition. [https://docs.fedoraproject.org/en-US/fedora/f31/release-notes/sysadmin/Distribution/#grub-modules Read More].

=== SSH Root Password Disabled ===
By default, OpenSSH does not allow remote login to the root account with a password; a public SSH key may still be used. This reduces the attack surface, since password login to root was a common target of brute-force attacks. [https://docs.fedoraproject.org/en-US/fedora/f31/release-notes/sysadmin/Security/#sect-security-no-more-root-ssh-password Read More]. On RHEL 8 the default sshd_config setting is "PermitRootLogin prohibit-password", which allows remote root login with public key authentication only [https://access.redhat.com/solutions/37712 Read More].

=== File Access Policy Daemon ===
The File Access Policy Daemon (fapolicyd) framework introduces application whitelisting and blacklisting based on a user-defined policy. Application whitelisting is one of the most effective ways to prevent untrusted and possibly malicious applications from running on the system. An application is trusted when it was properly installed by the system package manager and is therefore registered in the system RPM database; fapolicyd uses that database as its list of trusted binaries and scripts. The fapolicyd YUM plugin registers any system update handled by the YUM package manager and notifies the daemon about changes to the database. An installation with the rpm utility requires a manual refresh of the database, and other ways of adding applications require custom rules and a restart of the fapolicyd service.

For more information see [https://www.redhat.com/en/blog/stop-unauthorized-applications-rhel-8s-file-access-policy-daemon this blog post] and the [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-and-managing-application-whitelists_security-hardening Red Hat product documentation].

=== Network Time Security (NTS) ===

NTS (RFC 8915) is an authentication mechanism for NTP specified by the IETF. Its key-establishment protocol, NTS-KE, runs over Transport Layer Security (TLS) to negotiate keys and hand the client cookies, so the NTP server does not need to keep any client-specific state. NTP packets are then authenticated using Authenticated Encryption with Associated Data (AEAD). NTS is expected to scale well to a large number of clients, and some public NTP servers already support it. [https://fedoraproject.org/wiki/Changes/NetworkTimeSecurity Read more]

== Subsystems ==

== Subsystems ==
=== Filesystem Capabilities ===
The need for setuid applications can be reduced via the
application of [https://man7.org/linux/man-pages/man7/capabilities.7.html filesystem capabilities]
using the xattrs available to most modern filesystems. This reduces the
possible misuse of vulnerable setuid applications. The kernel provides the
support and the user-space tools are available in the libcap package.


Programs have been vulnerable because of set-UID: there is no need for a process to have root
privileges every time it runs, so it is logical to give a program the minimum
set of privileges that enables it to run effectively. With the normal set-UID approach programs run with more
privileges than required, increasing the risk of privilege escalation. Enabling
capabilities per program has been possible since kernel 2.6.24, where it is known as file
capabilities and implemented in fs/exec.c in the kernel itself.


Common capabilities are implemented in security/commoncap.c

=== PR_SET_SECCOMP ===
Setting SECCOMP (SECure COMPuting) for a process is meant to confine it to a small subset of system calls; it is used for specialized processing-only programs.
See [http://lwn.net/Articles/507067/ this article] and [http://lwn.net/Articles/332974/ SECCOMP article]
for more information.


Implementation in Red Hat Enterprise Linux:

{| class="wikitable"
|  RELEASE  ||  KERNEL    || CAPABILITY
|-
| [[RHEL 2]]  || 2.4.9-e.X    ||    N
|-
| [[RHEL 3]]  || 2.4.21-X    ||    N
|-
| [[RHEL 4]]  || 2.6.9-X      ||    Y
|-
| [[RHEL 5]]  || 2.6.18-X    ||    Y
|-
| [[RHEL 6]]  || 2.6.32-X    ||    Y
|}


==== Modifying Filesystem Capabilities ====
There is no specific system call provided by Linux to modify filesystem capabilities,
but as they are implemented as inode extended attributes, the getxattr() and fsetxattr() system calls can be used.

Here "$" means a normal user and "#" means the root user. Let's take 'ping' as a working example
to show how capabilities work.
 
  $ mkdir CapabilityTest
  $ cd CapabilityTest
  $ cp `which ping` .
 
  $ ./ping -q -c 1 127.0.0.1
  ping: icmp open socket: Operation not permitted
 
  # ./ping -q -c 1 127.0.0.1
  PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
  --- 127.0.0.1 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.213/0.213/0.213/0.000 ms
 
  # setcap cap_net_raw=ep ./ping
  # getcap ./ping
  ./ping = cap_net_raw+ep
  $ ./ping -q -c 1 127.0.0.1
  PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
  --- 127.0.0.1 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.170/0.170/0.170/0.000 ms
 
From an administrator's perspective the effective bit has to be disabled, so the logical way of doing this would be
 
  # setcap cap_net_raw=p ./ping
  # getcap ./ping
  ./ping = cap_net_raw+p
 
  $ ./ping -q -c 1 127.0.0.1
  PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
  --- 127.0.0.1 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.170/0.170/0.170/0.000 ms
 
From that it can be concluded that ping requires more privileges than a normal user has in order to send specially
crafted network packets, so when run as 'root' it works because 'root' has all capabilities
effective. In the Linux kernel there is a check which tests whether the application is capable, which means
that to run it must have the effective capability CAP_NET_RAW.

Using set-UID root makes 'ping' over-privileged: if a buffer overflow is found in it,
an attacker could use it for local privilege escalation and obtain a root shell.
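To see the three sets described above on a live process, here is an added example (not code from the Fedora wiki or from libcap) that decodes the CapPrm/CapEff bitmaps from /proc/<pid>/status text and reports whether a capability is effective, permitted-only or absent; SAMPLE_STATUS is a constructed sample for a ping binary given cap_net_raw=ep, the capability numbers are those of linux/capability.h, and the function names are my own.

```c
/* cap_sets.c: decode a process's capability bitmaps from /proc/<pid>/status.
 * Added example for this page; not code from the Fedora wiki or libcap. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as defined in linux/capability.h (one bit each). */
#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13

/* Constructed sample of the relevant /proc/<pid>/status lines for a ping
 * binary that was given cap_net_raw=ep with setcap, as in the walkthrough. */
static const char SAMPLE_STATUS[] =
    "Name:\tping\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000002000\n"
    "CapBnd:\t000001ffffffffff\n";

/* Locate "<name>:" at the start of a line and parse the hex bitmap that
 * follows it. Returns 1 on success, 0 if the field is missing or malformed. */
int parse_cap_field(const char *status, const char *name, unsigned long long *mask)
{
    char key[32];
    int keylen = snprintf(key, sizeof key, "%s:", name);
    if (keylen <= 0 || (size_t)keylen >= sizeof key) return 0;
    for (const char *p = strstr(status, key); p; p = strstr(p + keylen, key)) {
        if (p != status && p[-1] != '\n') continue;   /* must begin a line */
        const char *v = p + keylen;
        while (*v == ' ' || *v == '\t') v++;
        char *end;
        unsigned long long parsed = strtoull(v, &end, 16);
        if (end == v) return 0;
        *mask = parsed;
        return 1;
    }
    return 0;
}

/* True if capability number cap is set in a bitmap. */
int cap_is_set(unsigned long long mask, int cap)
{
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL) != 0;
}

/* Classify one capability from the permitted and effective sets in the text:
 *   'E' permitted and effective (in force now),
 *   'P' permitted but not effective (disabled; the process may raise it),
 *   '-' not permitted at all,
 *   '?' status text could not be parsed. */
char cap_state(const char *status, int cap)
{
    unsigned long long prm, eff;
    if (!parse_cap_field(status, "CapPrm", &prm) || !parse_cap_field(status, "CapEff", &eff))
        return '?';
    if (cap_is_set(prm, cap) && cap_is_set(eff, cap)) return 'E';
    if (cap_is_set(prm, cap)) return 'P';
    return '-';
}

/* Read a status file (e.g. /proc/self/status) into buf; returns 1 on success. */
int read_status_file(const char *path, char *buf, size_t bufsz)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, bufsz - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n > 0;
}

int main(int argc, char **argv)
{
    static char live[8192];
    char path[64];
    /* With a pid argument inspect that process, otherwise this one;
     * fall back to the constructed sample if /proc is not available. */
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    const char *src = read_status_file(path, live, sizeof live) ? live : SAMPLE_STATUS;
    printf("%s: CAP_NET_RAW=%c CAP_NET_ADMIN=%c\n", src == live ? path : "sample",
           cap_state(src, CAP_NET_RAW), cap_state(src, CAP_NET_ADMIN));
    return 0;
}
```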


=== Platform Abstraction For Security (PARSEC) ===
PARSEC is the Platform AbstRaction for SECurity, an open-source initiative to provide a common API to hardware security and cryptographic services in a platform-agnostic way. This abstraction layer keeps workloads decoupled from physical platform details, enabling cloud-native delivery flows within the data center and at the edge. The PARSEC daemon can currently use a Trusted Platform Module 2 (TPM2) chip, a Hardware Security Module (HSM) device, or systems that have Arm TrustZone technology enabled.

Further reading:
* [https://github.com/parallaxsecond/parsec PARSEC GitHub]
* [https://docs.fedoraproject.org/en-US/fedora/f33/release-notes/sysadmin/Security/ Fedora 33 release notes]


== Mandatory Access Control (MAC) ==

who is allowed to access; an individual user cannot alter the access. The MAC model is mostly used in environments
where confidentiality is important, as in government organizations like the military. An example of widely used
MAC is SELinux. Security-Enhanced Linux (SELinux) employs MAC rules to facilitate fine-grained security.


See [http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id4228000 MAC] for more information.


=== SELinux ===
[[SELinux]] is an inode-based MAC. See [https://www.redhat.com/en/topics/linux/what-is-selinux this page] and [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/getting-started-with-selinux_using-selinux this page] for more information.
=== SELinux targeted policy ===
SELinux is enabled with the targeted policy by default.
See [[SELinux/Policies|discussion of policies page]]
and [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-targeted_policy this page]
for more information.
=== SELinux Executable Memory Protection ===
SELinux restricts certain memory protection operations if the appropriate boolean values enable these checks.
See [http://www.akkadia.org/drepper/selinux-mem.html this page] for more information.


=== SELinux user confinement ===
</pre>
All Linux users are mapped to __default__, which maps to the unconfined_u SELinux user. The SELinux users that are available are
guest_u, xguest_u, user_u, staff_u.




Users are defined in /etc/selinux/<targeted or mls>/contexts/users. See [http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html Confined and Unconfined Users article]
for more information.


{| class="wikitable"
|staff_u  ||  staff_t    ||  yes              ||  only sudo    || optional                              ||  yes
|}




=== SELinux XACE ===


SELinux X Access Control Extension (XACE) aims at extending SELinux to the X.org system, to provide flexible fine-grained MAC to the desktop. See [https://selinuxproject.org/page/XACE this page] and [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.0_release_notes/security this page] for more information.

XACE (X Access Control Extension) provides a wrapper to do security checks at
places where untrusted clients should be restricted. XACE provides control over
X server objects including colormaps, windows, pixmaps, cursors and fonts, which are
assigned unique ID numbers. ID numbers can carry client ID numbers so
that resources can be allocated to clients; clients access resources by
their ID numbers when making protocol requests. A developer can place XACE hooks
in the code at the places where clients should be restricted. Different points
in the code trigger different types of hooks: for example, while
authenticating, the XACE_AUTH_AVAIL hook can be placed; if code in the
application tries to access a device like the system bell, CD-ROM etc.,
the XACE_DEVICE_ACCESS hook can be used, and similarly there are more hooks present in
XACE. To use them, #include <Xext/xace.h> is the header to include, which brings in
everything with constants and function declarations; if only structure
definitions are needed, use #include <Xext/xacestr.h>.
 
List of hook identifiers:

* XACE_CORE_DISPATCH
* XACE_EXT_DISPATCH
* XACE_RESOURCE_ACCESS
* XACE_DEVICE_ACCESS
* XACE_PROPERTY_ACCESS
* XACE_SEND_ACCESS
* XACE_RECEIVE_ACCESS
* XACE_CLIENT_ACCESS
* XACE_EXT_ACCESS
* XACE_SERVER_ACCESS
* XACE_SELECTION_ACCESS
* XACE_SCREEN_ACCESS
* XACE_SCREENSAVER_ACCESS
* XACE_AUTH_AVAIL
* XACE_KEY_AVAIL
* XACE_AUDIT_BEGIN
* XACE_AUDIT_END

Each identifier has a callback function attached to it.

For complete information about XACE and the security hooks it provides, see http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.html
 
XACE security hooks can be used as follows, for example in the case of device access:

<pre>
#include <dix-config.h>
#include <Xext/xace.h>

static int check_something(DeviceIntPtr dev, ClientPtr client, ....<some_other_args>) {

    int res;

    /* DixManageAccess: global device configuration is being performed,
     * e.g. on ChangeKeyboardMapping, XiChangeDeviceControl, XkbSetControls.
     * http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.html#device_access_hook
     */
    res = XaceHook(XACE_DEVICE_ACCESS, client, dev, DixManageAccess);
    if (res != Success) {
        /* access denied: report the device id together with the error */
        client->errorValue = dev->id;
        return res;
    }

    return Success;
}
</pre>
 






Support for SELinux to test untrusted content via a sandbox.
See [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/6.0_release_notes/index#security this page] and [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-securing_programs_using_sandbox this page] for more information.
 
 
=== PR_SET_SECCOMP ===
SECCOMP (SECure COMPuting) is meant to confine a process to a small subset of system
calls and is available since Linux 2.6.23. PR_SET_SECCOMP sets the secure computing
mode for the calling thread, which limits the system calls it may make; to use it in
code, #include <linux/seccomp.h> and #include <sys/prctl.h>. The systemd init daemon
supports the seccomp filter mechanism with the 3.5 kernel. The result is that a process can
be easily configured to run in a sandboxed environment.

<pre>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/seccomp.h>

int main(void) {

  /* int prctl(int option, unsigned long arg2, unsigned long arg3,
   *           unsigned long arg4, unsigned long arg5);
   * option is PR_SET_SECCOMP; the remaining arguments are interpreted
   * according to the option passed to prctl().
   */
  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0)
    return 1;   /* seccomp is not available on this kernel */

  /* In strict mode only read(), write(), _exit() and sigreturn() remain
   * allowed. The glibc _exit() wrapper calls exit_group(), which is not on
   * that list and would get the process killed, so issue the plain exit
   * system call directly. */
  syscall(SYS_exit, 0);
}
</pre>
See [http://lwn.net/Articles/507067/ this article] and [http://lwn.net/Articles/332974/ SECCOMP]
for more information.
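To observe the confinement described above from the outside, here is an added example (not code from the Fedora wiki): it forks a child, switches the child to SECCOMP_MODE_STRICT and has it either stay within the allowed calls or deliberately issue getpid(), then reports whether the kernel let the child exit or killed it with SIGKILL. The result codes and helper names are my own; a kernel or sandbox that rejects PR_SET_SECCOMP is reported as unavailable rather than treated as a violation.

```c
/* seccomp_strict_demo.c: watch what SECCOMP_MODE_STRICT does to a child
 * process. Added example for this page; not code from the Fedora wiki. */
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/seccomp.h>

/* Outcomes reported by run_strict_child(). */
enum strict_result {
    STRICT_UNAVAILABLE = -1, /* kernel or sandbox refused PR_SET_SECCOMP */
    STRICT_EXITED_OK   = 0,  /* child stayed within read/write/exit */
    STRICT_KILLED      = 1,  /* child made a forbidden call and got SIGKILL */
    STRICT_OTHER       = 2   /* unexpected status (fork/pipe failure etc.) */
};

/* Fork a child, put it into strict mode and let it either behave
 * (violate == 0) or issue one forbidden system call (violate != 0). */
enum strict_result run_strict_child(int violate)
{
    int pfd[2];
    if (pipe(pfd) != 0) return STRICT_OTHER;
    pid_t pid = fork();
    if (pid < 0) return STRICT_OTHER;

    if (pid == 0) {
        char msg;
        ssize_t w;
        close(pfd[0]);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0) {
            msg = 'U';                       /* strict mode not available here */
            w = write(pfd[1], &msg, 1); (void)w;
            _exit(0);                        /* safe: strict mode never engaged */
        }
        /* From here on only read, write, exit and sigreturn are allowed. */
        msg = 'S';
        w = write(pfd[1], &msg, 1); (void)w;
        if (violate)
            syscall(SYS_getpid);             /* not on the list: kernel sends SIGKILL */
        /* glibc's _exit() uses exit_group(), which strict mode forbids,
         * so make the plain exit system call ourselves. */
        syscall(SYS_exit, 0);
        _exit(0);                            /* not reached */
    }

    close(pfd[1]);
    char msg = 0;
    ssize_t n = read(pfd[0], &msg, 1);       /* learn whether strict mode engaged */
    close(pfd[0]);
    int status;
    if (waitpid(pid, &status, 0) != pid) return STRICT_OTHER;
    if (n == 1 && msg == 'U') return STRICT_UNAVAILABLE;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL) return STRICT_KILLED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return STRICT_EXITED_OK;
    return STRICT_OTHER;
}

int main(void)
{
    printf("well-behaved child:        %d  (0 = exited normally)\n", run_strict_child(0));
    printf("child that calls getpid(): %d  (1 = killed with SIGKILL)\n", run_strict_child(1));
    return 0;
}
```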






A boolean variable that allows SELinux to turn off the ability of all processes to ptrace other processes.
See [[Features/SELinuxDenyPtrace|this page]], [http://lwn.net/Articles/491440/ this page] and [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-disable_ptrace this page] for more information.




zero inside the namespace; in other words, the process is unprivileged for
operations outside the user namespace but has root privileges inside the
namespace (see [http://lwn.net/Articles/532593/ this page] and [https://wiki.ubuntu.com/UserNamespace this page]).

See [https://bugzilla.redhat.com/show_bug.cgi?id=917708 BZ#917708] to track this feature in Fedora. User namespaces were first included in Red Hat Enterprise Linux 7.2 as a Technology Preview ([https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.2_release_notes/index#technology-preview-kernel release note], [https://bugzilla.redhat.com/show_bug.cgi?id=1138782 BZ#1138782]). Full support for User namespaces was added in Red Hat Enterprise Linux 7.4 ([https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.4_release_notes/index#new_features_virtualization release note]).




would not have access to the service's /tmp directory.

See [http://danwalsh.livejournal.com/51459.html this page] and [https://access.redhat.com/blogs/766093/posts/1976243 this page] for more information.




To enable this feature:

uncomment the respective lines in /etc/security/namespace.conf
<pre>#/tmp    /tmp-inst/            level      root,adm
#/var/tmp /var/tmp/tmp-inst/    level      root,adm
#$HOME    $HOME/$USER.inst/    level</pre>


add
<pre> session    required    pam_namespace.so </pre>
to /etc/pam.d/login. File /etc/security/namespace.conf specifies which directories will be polyinstantiated. It also specifies


create the directories and set the SELinux context and boolean value to polyinstantiate
<pre># mkdir /tmp-inst /var/tmp-inst
# chmod 000 /tmp-inst
# chmod 000 /var/tmp-inst
# chcon -R -t tmp_t /tmp-inst
# chcon -R -t tmp_t /var/tmp-inst
# setsebool polyinstantiation_enabled 1</pre>


* $ man 8 pam_namespace
* $ man 5 namespace.conf


As per the reference https://www.ibm.com/developerworks/library/l-polyinstantiation/
Modern Fedora versions include the ability to install Fedora
onto an encrypted LVM, which allows all partitions in the logical volume,
including swap, to be encrypted. LVM uses [https://gitlab.com/cryptsetup/cryptsetup LUKS] encryption (Linux Unified Key Setup).
Except the boot partition, all other partitions can be encrypted. As the Linux kernel
modules reside on the root partition, they are also protected if encryption is applied.
With the use of LVM encryption users can just encrypt the physical volume where the other partitions
reside, making encryption and decryption much faster. The LVM is created under an encrypted
block device, which hides the LVM until the block device is decrypted. Once the block device is
decrypted, the volume structure is read and all the detected partitions are mounted at boot
time.

See the following references for more information about LUKS support in Red Hat Enterprise Linux: [https://access.redhat.com/solutions/100463 solution article], [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/installation_guide/ch29s02 RHEL-5], [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-security_guide-encryption#sect-Security_Guide-LUKS_Disk_Encryption RHEL-6], [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption#sec-Using_LUKS_Disk_Encryption RHEL-7], [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening RHEL 8]. Note that in RHEL-8 the default format for LUKS encryption is LUKS2. The legacy LUKS1 format remains fully supported and it is provided as a format compatible with earlier RHEL releases.






See [http://ecryptfs.org/ eCryptfs homepage] and [http://www.linuxjournal.com/article/9400 eCryptfs Article]
for more details. eCryptfs is available in both Red Hat Enterprise Linux 5 and 6 as a [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/storage_administration_guide/ch-efs technology preview]. As of Red Hat Enterprise Linux 7, eCryptfs is [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/part-overvw#rhel7storage-whatsnew not included].




== User Space Hardening ==
Many security features are available through the default
[[CompilerFlags|compiler flags]] used to build packages and through the
**  [    0.000000] Using x86 segment limits to approximate NX protection

For more information, see [[Security_Features?rd=Security/Features#Exec-Shield|Security Features]] page.




building the entire archive. PIE has a large (5-10%) performance penalty
on architectures with small numbers of general registers (e.g. x86), so it
should only be used for a [[Hardened_Packages|select number of security-critical packages]].
PIE on x86_64 does not have the same penalties, and will eventually be made the
default, but more testing is required. See
[https://fedorahosted.org/fesco/ticket/1113 FESCo ticket] for more
information.
In Fedora 23 and later, all packages are built with PIE and Full RELRO. See
[[Changes/Harden_All_Packages|this page]] for details.




Some [http://udrepper.livejournal.com/13393.html pointers stored in glibc are obfuscated]
via PTR_MANGLE/PTR_UNMANGLE macros internally in glibc, preventing libc function pointers from being
overwritten during runtime. This feature was introduced in Red Hat Enterprise Linux 5, for further information see [https://www.redhat.com/en/blog/red-hat-enterprise-linux-5-security this blog post].




the ability to perform arbitrary code execution via heap memory overflows
that try to corrupt the control structures of the malloc heap memory
areas. This protection has evolved over time, adding more and more protections as
additional [http://www.phrack.com/issues.html?issue=66&id=10#article corner-cases were researched].
As it currently stands, glibc 2.10 and later appears to successfully resist
even these hard-to-hit conditions. See [https://web.archive.org/web/20070208094418/http://www.redhat.com/magazine/009jul05/features/execshield/#overflows this page]
for more details.




=== Built with Fortify Source ===
Programs built with "-D_FORTIFY_SOURCE=2" (and -O1 or higher), enable [https://web.archive.org/web/20070208094418/http://www.redhat.com/magazine/009jul05/features/execshield/#checks several] compile-time and run-time [https://access.redhat.com/blogs/766093/posts/1976213 protections] in glibc:
* expand unbounded calls to "sprintf", "strcpy" into their "n" length-limited cousins when the size of a destination buffer is known (protects against memory overflows).
* stop format string "%n" attacks when the format string is in a writable memory segment.
Enabled at compile-time. The routines used for stack checking are actually
part of glibc, but gcc is patched to enable linking against those routines
by default. See [https://fedoraproject.org/wiki/Security_Features#Stack_Smash_Protection.2C_Buffer_Overflow_Detection.2C_and_Variable_Reordering this page] for more information.
 
 
=== Strong Stack Protector ===
 
See [http://lwn.net/Articles/584225/ "Strong" stack protection for GCC] and [https://access.redhat.com/blogs/766093/posts/1976503 Security improvements in RHEL-7] articles for more information.
 
 
=== Stack Clash Protection ===
Building binaries with -fstack-clash-protection introduces a [https://developers.redhat.com/blog/2017/09/25/stack-clash-mitigation-gcc-background/ mitigation] which prevents [https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt stack clash attacks], in which an attacker clashes the stack with the heap, or vice versa, for exploitation. [https://developers.redhat.com/blog/2020/05/22/stack-clash-mitigation-in-gcc-part-3/ Red Hat]’s engineers implemented -fstack-clash-protection for all Red Hat Enterprise Linux (RHEL) targets starting with RHEL 7.5. RHEL 7.5 enables -fstack-clash-protection for glibc only. Starting with RHEL 8, the entire distribution is compiled with -fstack-clash-protection and annobin/annocheck are used to verify that the distribution was compiled with the proper flags. Fedora 27 and later enable -fstack-clash-protection by default for all packages using the standard default compilation options.


=== GLIBCXX Assertions ===
The g++ compiler flag -D_GLIBCXX_ASSERTIONS turns on cheap range checks for C++ arrays, vectors, and strings, as well as null pointer dereference checks for smart pointers. This feature is implemented in libstdc++ and was introduced in [https://fedoraproject.org/wiki/Changes/HardeningFlags28 Fedora 28]. This hardening flag is [https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ supported] in Red Hat Enterprise Linux, but only effective with DTS 6 or later.


=== Address Space Layout Randomization (ASLR) ===

an attacker is attempting a memory-corruption exploit. ASLR is controlled
system-wide by the value of ''/proc/sys/kernel/randomize_va_space''.
* 0 - Turn ASLR off.
* 1 - Make the addresses of mmap(2) allocations, the stack, loaded shared libraries and the VDSO page randomized.
* 2 - Full randomization: in addition to the above, randomize the heap (memory managed through brk()).
 
ASLR on 32 bit systems is less effective as compared to 64 bit systems. It depends upon the amount of entropy
available.
 
<pre>
#include <stdlib.h>
#include <stdio.h>

/* http://gcc.gnu.org/onlinedocs/gcc/Return-Address.html
 * __builtin_return_address(level) returns the return address of the current
 * function, or of one of its callers. The level argument is the number of
 * frames to scan up the call stack. A value of 0 yields the return address of
 * the current function, a value of 1 yields the return address of the caller
 * of the current function, and so forth. When inlining, the expected
 * behaviour is that the function returns the address of the function that is
 * returned to. To work around this behaviour use the noinline function
 * attribute.
 */
__attribute__((noinline)) void *__get_eip(void)
{
  /* step back over the 5-byte call instruction to the call site in main() */
  return (char *)__builtin_return_address(0) - 0x5;
}

int main(int argc, char **argv)
{
  printf("EBP located at: %p\n", __get_eip());
  return 0;
}
</pre>
 
<pre>
~]$ cat /proc/sys/kernel/randomize_va_space
2
 
~]$ gcc get_eip.c -o get_eip
 
~]$ ldd ./get_eip
        linux-vdso.so.1 =>  (0x00007fff9a330000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003e9da00000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003e9d600000)
~]$ ldd ./get_eip
        linux-vdso.so.1 =>  (0x00007fffe77b1000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003e9da00000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003e9d600000)
 
~]$ ./get_eip
EBP located at: 0x400552
 
~]$ ./get_eip
EBP located at: 0x400552
</pre>


As the test shows, even when randomize_va_space is set to 2, the text segment of the binary is
loaded at a static address. To make ASLR effective all segments must be
randomized. Leaving the text segment loading address non-randomized reduces the
protection provided by ASLR, since an attacker can use the non-randomized area to locate
gadgets and build an exploit (ret2text attacks). So even if ASLR is forced, not all segments are randomized
for every executable: the code and text segments are not randomized unless the binary is
built as a PIE (Position Independent Executable).

See [http://lwn.net/Articles/190139/ this article] for more information.








==== Exec ASLR ====
Each execution of a program that has been built with "-fPIE
-pie" will get loaded into a different memory location. This makes it
RELRO stands for RELocation Read-Only, it is a mitigation technique to harden
data sections of an ELF/process. It is used to move commonly exploited structures
in ELF binary to a read-only location. It hardens ELF programs against loader memory
area overwrites by having the loader mark any areas of the relocation table as read-only
for any symbols resolved at load-time ("read-only relocations"). This reduces the area of
* In addition, the GOT is also remapped as read-only


Only full RELRO can protect against the exploitation technique of overwriting a GOT entry to get
control over the program's execution flow.

So the question is: what are GOT and PLT?

GOT (Global Offset Table) redirects position independent address calculations to an absolute
location and is located in the .got section of an ELF executable or shared object. It holds the final
location of a called function's symbol and is used with dynamically linked code. By default the GOT is filled in
dynamically while the program is running. The first time a function is called, the GOT contains a pointer back
to the PLT (Procedure Linkage Table), where the linker is called to find the actual location of the function.
The location found is written to the GOT; the second time the function is called, the GOT already
knows the location of the function. This is known as lazy binding.

PLT (Procedure Linkage Table) works with the GOT to reference and relocate functions. A PLT reference will
cause a jmp into the GOT to find the location of the called function. On the first call there will not
be an entry in the GOT, so the PLT hands the request over to the rtld to resolve the function's
absolute location, after which the GOT is updated for future references.

A few constraints about PLT and GOT:

1. The PLT always contains code that is called by the program directly, so it will be allocated at a
known offset from the .text segment.

2. The GOT contains data used by different parts of the program directly, so it will be at a static
address in memory.

3. As the GOT is lazily bound, it needs to be writable.

In case of a bss or data overflow bug both partial and full RELRO can protect the ELF internal data sections from being overwritten.
With full RELRO a working mitigation technique to successfully prevent the modification of GOT entries is available. The one reason
why full RELRO is not widely used is that the startup of processes is slowed down, as the linker has to perform all relocations at startup time.
Full RELRO has been enabled for all packages in Fedora 23 and later.


In short, RELRO hardens ELF programs against loader memory area overwrites by
having the loader mark any areas of the relocation table as read-only for
any symbols resolved at load-time ("read-only relocations"). This reduces
the area of possible GOT-overwrite-style memory corruption attacks. RELRO has been [https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ enabled] for all packages in Red Hat Enterprise Linux 6 and later versions.
 
This information has been borrowed from [http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html this article].
 


=== Built with BIND_NOW ===
Marks ELF programs to resolve all dynamic symbols at start-up ("immediate binding") instead of
on-demand, so that the GOT can be made entirely read-only (when combined with RELRO above).
Note that BIND_NOW is enabled in Red Hat Enterprise Linux 7 and later versions and [https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ not recommended] for use on Red Hat Enterprise Linux 6.
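Whether a binary has no, partial or full RELRO (this section together with the RELRO section above) can be read directly from its program headers and dynamic section, which is what tools such as checksec do. The following is an added example, not code from the wiki page or from Fedora's toolchain: it classifies an in-memory ELF64 image as none/partial/full RELRO (a PT_GNU_RELRO segment present; BIND_NOW requested via DT_BIND_NOW, DT_FLAGS/DF_BIND_NOW or DT_FLAGS_1/DF_1_NOW) and builds three constructed images to exercise it. The struct and constant names are the example's own; the numeric values are the standard ELF/GNU ones, and a little-endian host is assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Minimal ELF64 layouts and tag values (ELF spec + GNU extensions). <elf.h> is
// deliberately not used so the example also compiles on non-Linux hosts.
struct Elf64Ehdr { unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
                   uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
                   uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx; };
struct Elf64Phdr { uint32_t p_type, p_flags; uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align; };
struct Elf64Dyn  { int64_t d_tag; uint64_t d_val; };
static const unsigned char kMagic[4] = {0x7f, 'E', 'L', 'F'};
constexpr uint32_t kPtDynamic  = 2;            // PT_DYNAMIC
constexpr uint32_t kPtGnuRelro = 0x6474e552;   // PT_GNU_RELRO
constexpr int64_t  kDtNull = 0, kDtBindNow = 24, kDtFlags = 30, kDtFlags1 = 0x6ffffffb;
constexpr uint64_t kDfBindNow = 0x8;           // DF_BIND_NOW bit in DT_FLAGS
constexpr uint64_t kDf1Now    = 0x1;           // DF_1_NOW bit in DT_FLAGS_1

enum class Relro { None, Partial, Full };

// Classify an ELF64 image held in memory. Truncated or non-ELF64 input is
// reported as None, since nothing can be vouched for in that case.
Relro classify_relro(const std::vector<uint8_t>& img) {
    Elf64Ehdr eh;
    if (img.size() < sizeof eh) return Relro::None;
    std::memcpy(&eh, img.data(), sizeof eh);
    if (std::memcmp(eh.e_ident, kMagic, 4) != 0 || eh.e_ident[4] != 2) return Relro::None; // ELFCLASS64 only
    if (eh.e_phoff > img.size()) return Relro::None;
    bool has_relro = false, bind_now = false;
    for (uint16_t i = 0; i < eh.e_phnum; ++i) {
        const size_t off = size_t(eh.e_phoff) + size_t(i) * sizeof(Elf64Phdr);
        if (off + sizeof(Elf64Phdr) > img.size()) return Relro::None;
        Elf64Phdr ph;
        std::memcpy(&ph, img.data() + off, sizeof ph);
        if (ph.p_type == kPtGnuRelro) has_relro = true;   // loader mprotect()s this range read-only
        if (ph.p_type != kPtDynamic) continue;
        if (ph.p_offset > img.size()) return Relro::None;
        // Walk the dynamic array, bounded by the segment size, until DT_NULL.
        for (uint64_t d = 0; d + sizeof(Elf64Dyn) <= ph.p_filesz; d += sizeof(Elf64Dyn)) {
            const size_t doff = size_t(ph.p_offset) + size_t(d);
            if (doff + sizeof(Elf64Dyn) > img.size()) return Relro::None;
            Elf64Dyn dyn;
            std::memcpy(&dyn, img.data() + doff, sizeof dyn);
            if (dyn.d_tag == kDtNull) break;
            // Any of the three spellings of BIND_NOW (-z now) disables lazy binding.
            if (dyn.d_tag == kDtBindNow ||
                (dyn.d_tag == kDtFlags  && (dyn.d_val & kDfBindNow)) ||
                (dyn.d_tag == kDtFlags1 && (dyn.d_val & kDf1Now)))
                bind_now = true;
        }
    }
    if (!has_relro) return Relro::None;               // -z norelro: the GOT stays writable
    return bind_now ? Relro::Full : Relro::Partial;   // partial: .got.plt still writable for lazy binding
}

// Build a constructed ELF64 image: header, optionally a PT_GNU_RELRO segment,
// and a PT_DYNAMIC segment carrying the given dynamic entries.
std::vector<uint8_t> make_image(bool with_relro, const std::vector<Elf64Dyn>& dyn) {
    std::vector<Elf64Phdr> phdrs;
    if (with_relro) phdrs.push_back(Elf64Phdr{kPtGnuRelro, 4 /*PF_R*/, 0, 0, 0, 0, 0, 1});
    const uint64_t dyn_bytes = dyn.size() * sizeof(Elf64Dyn);
    const uint64_t dyn_off = sizeof(Elf64Ehdr) + (phdrs.size() + 1) * sizeof(Elf64Phdr);
    phdrs.push_back(Elf64Phdr{kPtDynamic, 6 /*PF_R|PF_W*/, dyn_off, 0, 0, dyn_bytes, dyn_bytes, 8});

    Elf64Ehdr eh{};
    std::memcpy(eh.e_ident, kMagic, 4);
    eh.e_ident[4] = 2;   // ELFCLASS64
    eh.e_ident[5] = 1;   // ELFDATA2LSB
    eh.e_type = 3;       // ET_DYN, as PIE executables and shared objects are
    eh.e_phoff = sizeof(Elf64Ehdr);
    eh.e_ehsize = sizeof(Elf64Ehdr);
    eh.e_phentsize = sizeof(Elf64Phdr);
    eh.e_phnum = static_cast<uint16_t>(phdrs.size());

    std::vector<uint8_t> img(static_cast<size_t>(dyn_off + dyn_bytes));
    std::memcpy(img.data(), &eh, sizeof eh);
    std::memcpy(img.data() + sizeof eh, phdrs.data(), phdrs.size() * sizeof(Elf64Phdr));
    if (!dyn.empty()) std::memcpy(img.data() + dyn_off, dyn.data(), dyn_bytes);
    return img;
}

// Three constructed images, one per outcome, so the classifier can be checked
// without touching a file on disk.
Relro sample_no_relro()      { return classify_relro(make_image(false, {{kDtNull, 0}})); }
Relro sample_partial_relro() { return classify_relro(make_image(true,  {{kDtNull, 0}})); }
Relro sample_full_relro()    { return classify_relro(make_image(true,
                                 {{kDtFlags, kDfBindNow}, {kDtFlags1, kDf1Now}, {kDtNull, 0}})); }
```

Against a real binary, read the file bytes into the vector instead of calling make_image; `readelf -l` (the PT_GNU_RELRO entry) and `readelf -d` (BIND_NOW and the FLAGS entries) show the same fields the code inspects, and `-z relro -z now` at link time is what produces the Full case.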




''/tmp'') cannot be followed if the follower and directory owner do not match the
symlink owner. The behavior is controllable through the
''/proc/sys/kernel/yama/protected_sticky_symlinks'' sysctl. Red Hat Enterprise Linux 7 and later versions provide a [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/index#sec-Protecting_Hard_and_Symbolic_Links feature] to protect against hard and symbolic link attacks.





In modern Fedora versions, hardlinks cannot be created to files that the user
would be unable to read and write originally, or are otherwise sensitive. Red Hat Enterprise Linux 7 and later versions provide a [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/index#sec-Protecting_Hard_and_Symbolic_Links feature] to protect against hard and symbolic link attacks.




It is provided by YAMA and can be enabled with CONFIG_SECURITY_YAMA in the kernel.


Independent of this configuration, processes that know they store secrets in
memory may already use <code>prctl(PR_SET_DUMPABLE,0);</code> to prevent ptrace ''and other''
memory-snooping attacks. See [https://www.kernel.org/doc/Documentation/security/Yama.txt this] and [https://access.redhat.com/solutions/4452621 this].
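One way for a program to apply the PR_SET_DUMPABLE step mentioned above, as an added example rather than code from the page: it clears the flag and reads it back with PR_GET_DUMPABLE so the effect can be verified. It is Linux-specific (prctl(2)); the function names are the example's own.

```cpp
#include <sys/prctl.h>

// Clear the calling process's "dumpable" flag. With it cleared, no core file
// is written on a crash, /proc/<pid>/ entries become root-owned, and an
// unprivileged process (even one running as the same user) can no longer
// PTRACE_ATTACH to this one, independently of the Yama ptrace_scope setting.
// Returns true only if the kernel reports the flag as cleared afterwards.
bool disable_memory_snooping() {
    if (prctl(PR_SET_DUMPABLE, 0UL, 0UL, 0UL, 0UL) != 0)
        return false;   // prctl failed; nothing was changed
    return prctl(PR_GET_DUMPABLE, 0UL, 0UL, 0UL, 0UL) == 0;
}

// Current value of the flag: 1 (the default, dumpable) or 0 (protected).
// Note that execve() resets it, so a daemon must call the function above
// early in its own startup, not rely on a parent having done so.
int dumpable_state() { return prctl(PR_GET_DUMPABLE, 0UL, 0UL, 0UL, 0UL); }
```

Call disable_memory_snooping() before the secret material is loaded into memory; the trade-off is that post-mortem debugging of that process becomes impossible for anyone without CAP_SYS_PTRACE.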
=== Overflow checking in new operator ===
GCC performs overflow checking in operator new[]. The new operator is used to dynamically
allocate memory. On failure it throws a bad_alloc exception; the header to include for using it is <code>&lt;new&gt;</code>.
new or new[] without exception handling cannot signal memory exhaustion in any other way. If
there is a choice between calloc/malloc/new for allocating memory,
new should be used. If new[] is used to allocate memory then delete[] should be used to
free the allocated memory; using delete without [] will cause a memory leak. Use a try-catch
block with new, as it throws an exception and does not return a value, though it can be forced
to return a value (a null pointer on failure) by using nothrow.
<pre>
#include <new>          // std::bad_alloc, std::nothrow
#include <iostream>
using namespace std;

struct alpha {};

int main() {
    /* nothrow form: this returns a value, a null pointer on failure */
    alpha* pt = new (nothrow) alpha[200];
    if (pt == nullptr) {
        /* handle the allocation failure here */
    }
    delete[] pt;    // memory from new[] is released with delete[]

    /* throwing form: signals exhaustion (or an overflowing size) with bad_alloc */
    try {
        int* ptr = new int[100000];
        delete[] ptr;
    } catch (const bad_alloc& e) {
        cerr << "allocation failed: " << e.what() << '\n';
    }
    return 0;
}
</pre>
See [https://securityblog.redhat.com/2012/10/31/array-allocation-in-cxx/ Array allocation in C++ article] for
more information.
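An added example (not the page's code) of the overflow check in action: an element count whose byte size wraps around is rejected by both the throwing and the nothrow forms of new[], while the hand-computed C-style byte count silently wraps to 4 bytes, the value malloc() would be asked for. The names AllocOutcome, kOverflowCount and the helper functions are the example's own; the behaviour relies on the size check GCC (and Clang) emit for array new expressions.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

enum class AllocOutcome { Ok, Threw, ReturnedNull };

// An element count chosen so that n * sizeof(int) wraps around: for both
// 32-bit and 64-bit size_t the product wraps to exactly 4 bytes.
constexpr std::size_t kOverflowCount = SIZE_MAX / sizeof(int) + 2;

// The C idiom: the byte count is computed by hand and silently wraps, so
// malloc(wrapped_byte_count(n)) would return a tiny block the caller
// believes is huge.
std::size_t wrapped_byte_count(std::size_t n) { return n * sizeof(int); }

// Throwing form: the compiler checks the multiplication and, on overflow,
// makes the allocation fail with a std::bad_alloc (either by throwing the
// std::bad_array_new_length subclass or by passing an impossible size to
// operator new[], depending on compiler version; both are caught here).
AllocOutcome alloc_ints_throwing(std::size_t n) {
    try {
        int* p = new int[n];
        delete[] p;                  // new[] pairs with delete[]
        return AllocOutcome::Ok;
    } catch (const std::bad_alloc&) {
        return AllocOutcome::Threw;
    }
}

// nothrow form: the same check, but the failure is reported as a null pointer.
AllocOutcome alloc_ints_nothrow(std::size_t n) {
    try {
        int* p = new (std::nothrow) int[n];
        if (p == nullptr) return AllocOutcome::ReturnedNull;
        delete[] p;
        return AllocOutcome::Ok;
    } catch (const std::bad_alloc&) {
        return AllocOutcome::Threw;  // some compiler versions still throw on the overflow path
    }
}
```

The contrast is the point of the section: with calloc/malloc the overflow has to be checked by hand (calloc does check its own multiplication, malloc(n * size) does not), whereas new[] gets the check from the compiler for every array allocation.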
=== Built with Format Security ===
Enable the "-Werror=format-security" compilation flag for all packages in Fedora. Once this flag is enabled,
GCC will refuse to compile code that could be vulnerable to a format string security flaw.
See [[Changes/FormatSecurity|Format Security]] for more information. This flag is [https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ supported] in all versions of Red Hat Enterprise Linux.
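As an added example (not from the page), the pattern -Werror=format-security rejects next to the form it accepts. The function names and the sample input are constructed for the example.

```cpp
#include <cstdio>
#include <string>

// Vulnerable form: the format argument is attacker-controlled data. This is
// exactly what -Wformat-security diagnoses ("format not a string literal and
// no format arguments"); under -Werror=format-security the file fails to build.
// Kept for contrast only; it is never called in this example.
std::string render_unsafe(const char* user_input) {
    char buf[128];
    std::snprintf(buf, sizeof buf, user_input);   // directives inside user_input are interpreted
    return buf;
}

// Hardened form accepted by the flag: a literal format, user data as an
// argument. The input is copied verbatim, '%' characters included.
std::string render_safe(const char* user_input) {
    char buf[128];
    std::snprintf(buf, sizeof buf, "%s", user_input);
    return buf;
}

// Constructed sample input that looks like format directives; to render_safe()
// it is plain data.
const char* const kConstructedInput = "%x %x %s";
```

The flag only catches calls where the format is non-literal and no further arguments follow; a non-literal format with arguments is still accepted, so the rule of passing data only as arguments has to be followed by the code, not just by the build.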
=== Crypto Policy ===
Unify the crypto policies used by different applications and libraries, that is, allow setting a consistent
security level for crypto on all applications in a Fedora system. The implementation approach will be to
initially modify SSL libraries to respect the policy and gradually add more libraries and applications. As of Fedora 31, users can customize existing system-wide crypto policies by removing or adding enabled algorithms and protocols.
Fedora 33 disables:
* TLS protocol versions older than 1.2, so TLS 1.0 and 1.1 are now disabled by default.
* SHA hash signatures in the TLS, SSH and IKE protocols.
* Diffie-Hellman key exchange with a parameter size of less than 2048 bits.
See [[Changes/CryptoPolicy|Crypto Policy]] and [[Changes/CustomCryptoPolicies|Custom Crypto Policies]] for more information.
Red Hat Enterprise Linux 8 provides a consistent [https://access.redhat.com/articles/3666211 crypto policy] which is applied to running services and kept up to date as part of the software updates, to stay on par with cryptographic advances. It configures the core cryptographic subsystems, covering the TLS, IPsec, DNSSEC and Kerberos protocols, and provides a small set of policies which the administrator can select, the default being a conservative policy offering secure settings for today's threat models. The policy [https://www.redhat.com/en/blog/how-customize-crypto-policies-rhel-82 has been extended] in RHEL 8.2 to let users specify their own crypto policies if the built-in policies do not meet their requirements. Refer to the [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening Security Hardening Guide] for a more detailed description.
=== Tamper Resistant Logs ===
When a system is compromised, attackers might tamper with the system logs. This can
be prevented by using FSS (Forward Secure Sealing), which is implemented in
the systemd journal. Binary logs maintained by systemd are sealed at certain time
intervals. Sealing is a cryptographic operation on the logs so that any
tampering with the logs can be detected; an attacker can still delete the logs
entirely, but this is likely to be noticed by the system administrator. FSS is based on
"Forward Secure Pseudo Random Generators" (FSPRG). Running <code>journalctl --setup-keys</code>
generates two keys: a sealing key, which is stored on the system and is replaced at every interval by a
new key derived from it in a non-reversible way (the old key is deleted), and a verification key, which
should be kept in a safe place off the system and from which the sealing key for any point in time can be
regenerated. An attacker only ever has the current sealing key, so log files modified with it fail
verification against the key regenerated from the verification key. Logs are sealed every 15 minutes by
default; the interval can be shortened, e.g. with <code>journalctl --setup-keys --interval=60s</code>,
to leave an attacker less time to work. Deletion of old sealing keys relies on the FS_SECRM_FL and
FS_NOCOW_FL file attributes, which may or may not be supported by the filesystem in use.
See [http://danwalsh.livejournal.com/58647.html Forward Secure Sealing (FSS)] and [https://lwn.net/Articles/512895/ LWN] articles for more information.
=== Aarch64 Pointer Authentication ===
Arm Pointer Authentication (PAC) is a method of hardening code against Return Oriented Programming (ROP) attacks. It uses a tag in the pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc and the kernel, packages gain the additional hardening by compiling with the -mbranch-protection= flag available in recent versions of GCC. In particular, -mbranch-protection=standard enables both BTI and PAC, using code sequences that are backwards compatible with Armv8.0 and become active on Armv8.3 (PAC) and Armv8.5 (BTI) enabled Arm machines. [https://fedoraproject.org/wiki/Changes/Aarch64_PointerAuthentication Read more]


== Kernel Hardening ==

=== Block module loading ===
It is possible to
[https://www.debian.org/doc/manuals/securing-debian-manual/ch10s04.en.html#LKM remove CAP_SYS_MODULE from the system-wide capability bounding set], which would stop any new kernel modules from being loaded. This was another
layer of protection to stop kernel rootkits from being installed.
This feature to block module loading can be enabled by setting ''1'' in

access. In the past, it was possible to view and change kernel memory from
this file if an attacker had root access. See [http://lwn.net/Articles/267427/ this page]
and [http://lwn.net/Articles/144107/ this page] for details. Note that this option is called [https://cateee.net/lkddb/web-lkddb/STRICT_DEVMEM.html STRICT_DEVMEM] in current kernels.




restrictions for loaded modules in the kernel. This can help resist future
kernel exploits that depend on various memory regions in loaded modules.
Enabled via the CONFIG_DEBUG_SET_MODULE_RONX option. Note that this option was first renamed to [https://patchwork.kernel.org/patch/9525059/ CONFIG_HARDENED_MODULE_MAPPINGS], then to [https://patchwork.kernel.org/patch/9558953/ CONFIG_STRICT_MODULE_RWX].




made readable only by the root user: ''/boot/vmlinuz'', ''/boot/System.map'',
''/sys/kernel/debug/'', ''/proc/slabinfo''.
This feature was introduced in Red Hat Enterprise Linux 6. See the RHEL 6 [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.2_release_notes/kernel release notes] and the [https://www.kernel.org/doc/Documentation/sysctl/kernel.txt kernel sysctl documentation].




for details. This makes sure that certain kernel data sections are marked
to block modification. This helps protect against some classes of kernel
rootkits. Enabled via the CONFIG_DEBUG_RODATA option. Note that this option was [https://patchwork.kernel.org/patch/9558953/ renamed] to CONFIG_STRICT_KERNEL_RWX.





Support for sVirt labelling to provide security over guest instances.
See [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/security-enhanced_linux/index#chap-Security-Enhanced_Linux-sVirt this page]
for more information.


"Secure Boot" describes a UEFI feature by which malware is prevented from
inserting itself into the boot process before the operating system loads.
Secure Boot is an optional feature which can be enabled and disabled at the
user's will.


The Secure Boot technology is [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/installation_guide/sect-uefi-support-x86 not supported] in Red Hat Enterprise Linux 6. Systems using UEFI Specification 2.2 or later must have Secure Boot disabled in order to install and run Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 7 offers UEFI Secure Boot [https://access.redhat.com/articles/1180943 support] by including a kernel and associated drivers that are signed by a UEFI CA certificate. See also [https://access.redhat.com/articles/1119763 UEFI Secure Boot Documentation in Red Hat Enterprise Linux 7].


 
For more in-depth information about Secure Boot see [http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf UEFI Secure Boot in Modern Computer Security Solutions], [http://docs.fedoraproject.org/en-US/Fedora/18/html/UEFI_Secure_Boot_Guide/chap-UEFI_Secure_Boot_Guide-What_is_Secure_Boot.html this], [[Features/SecureBoot|this]] and [https://access.redhat.com/articles/5254641 this].




* Coordination with Debian: http://wiki.debian.org/Hardening
* Gentoo's Hardening project: http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml
= Legacy Matrix =
{| class="wikitable"
|- style="background: #00dd00;"
| By Default
|- style="background: #98fd98;"
| Available
|- style="background: #ffff00;"
| Unimplemented
|}
{| class="wikitable"
| Security Features  || RHEL 3              || RHEL 4              || RHEL 5              || RHEL 6              || RHEL 7              || Fedora 24            || Fedora 27            || Rawhide           
|-
| '''Configuration'''
|-
| [[#Configurable Firewall|Configurable Firewall]]    || style="background:#00dd00" | iptables            || style="background:#00dd00" | iptables            || style="background:#00dd00" | iptables            || style="background:#00dd00" | iptables            || style="background:#00dd00" | iptables            || style="background:#00dd00" | firewalld          || style="background:#00dd00" | firewalld          || style="background:#00dd00" | firewalld         
|-
| [[#Signed updates|      Signed updates]]    || style="background:#00dd00" | yum                || style="background:#00dd00" | yum                || style="background:#00dd00" | yum                || style="background:#00dd00" | yum                || style="background:#00dd00" | yum                || style="background:#00dd00" | yum / dnf          || style="background:#00dd00" | yum / dnf          || style="background:#00dd00" | yum / dnf         
|-
| [[#Password hashing|    Password hashing]]    || style="background:#00dd00" | md5crypt            || style="background:#00dd00" | md5crypt            || style="background:#00dd00" | md5crypt            || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt        || style="background:#00dd00" | sha512crypt       
|-
| '''Subsystems'''
|-
| [[#Filesystem Capabilities|Filesystem Capabilities]]    || style="background:#ffff00" | --                  || style="background:#98fd98" | Y              || style="background:#98fd98" | Y              || style="background:#98fd98" | Y              || style="background:#98fd98" | Y              || style="background:#98fd98" | Y              || style="background:#98fd98" | Y              || style="background:#98fd98" | Y             
|-
| [[#PR_SET_SECCOMP|      PR_SET_SECCOMP]]    || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#98fd98" | Y              || style="background:#98fd98" | Y              || style="background:#98fd98" | Y              || style="background:#98fd98" | Y             
|-
| '''Mandatory Access Control'''
|-
| [[#SELinux|            SELinux]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#SELinux targeted policy|SELinux targeted policy]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#SELinux Executable Memory Protection|SELinux Executable Memory Protection]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#SELinux user confinement|SELinux user confinement]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#SELinux XACE|        SELinux XACE]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
| [[#SELinux sandbox|    SELinux sandbox]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#SELinux Deny Ptrace| SELinux Deny Ptrace]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
| [[#SELinux restricted module loading|SELinux restricted module loading]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | ?                  || style="background:#ffff00" | ?                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
| [[#User namespaces|    User namespaces]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
| [[#/tmp namespace for systemd|/tmp namespace for systemd]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
| [[#Polyinstantiate /tmp, /var/tmp and user home folders|Polyinstantiate /tmp, /var/tmp and user home folders]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
| '''Filesystem Encryption'''
|-
| [[#Encrypted LVM|      Encrypted LVM]]    || style="background:#ffff00" | ?                  || style="background:#ffff00" | ?                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer  || style="background:#98fd98" | Standard Installer 
|-
| [[#eCryptfs|            eCryptfs]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Optional Package    || style="background:#98fd98" | Optional Package    || style="background:#98fd98" | Optional Package   
|-
| '''User Space Hardening'''
|-
| [[#Non-Executable Memory (NX)|Non-Executable Memory (NX)]]    || style="background:#00dd00" | Y (since 9/2004)    || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#Built as PIE|        Built as PIE]]    || style="background:#00dd00" | package list (since 9/2004)|| style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#Pointer Obfuscation| Pointer Obfuscation]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc             
|-
| [[#Heap Protector|      Heap Protector]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc              || style="background:#00dd00" | glibc             
|-
| [[#Built with Fortify Source|Built with Fortify Source]]    || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#Stack Protector|    Stack Protector]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#Strong Stack Protector| Strong Stack Protector]]    || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#Built with Format Security|Built with Format Security]]    || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#Stack ASLR|          Stack ASLR]]    || style="background:#00dd00" | Y (since 9/2004)    || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y             
|-
| [[#Libs/mmap ASLR|      Libs/mmap ASLR]]    || style="background:#00dd00" | Y (since 9/2004)|| style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y             
|-
| [[#Exec ASLR|          Exec ASLR]]    || style="background:#00dd00" | (since 9/2004)      || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#brk ASLR|            brk ASLR]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | ?                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#VDSO ASLR|          VDSO ASLR]]    || style="background:#00dd00" | no vDSO            || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y             
|-
| [[#Built with RELRO|    Built with RELRO]]    || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#00dd00" | gcc patch          || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#Built with BIND_NOW| Built with BIND_NOW]]    || style="background:#ffff00" | N                  || style="background:#98fd98" | ?                  || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | package list        || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#/proc/$pid/maps protection|/proc/$pid/maps protection]]    || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#00dd00" | Y    || style="background:#00dd00" | Y    || style="background:#00dd00" | Y    || style="background:#00dd00" | Y   
|-
| [[#Symlink restrictions|Symlink restrictions]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y              || style="background:#98fd98" | Y              || style="background:#98fd98" | Y             
|-
| [[#Hardlink restrictions|Hardlink restrictions]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y              || style="background:#98fd98" | Y              || style="background:#98fd98" | Y             
|-
| [[#ptrace scope|        ptrace scope]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
| [[#Overflow checking in new operator|Overflow checking in new operator]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
| [[#Crypto Policy|      Crypto Policy]]    || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#Tamper Resistant Logs|Tamper Resistant Logs]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
| '''Kernel Hardening'''
|-
| [[#0-address protection|0-address protection]]    || style="background:#00dd00" | Y (since 11/2009)  || style="background:#00dd00" | Y (since 9/2009)    || style="background:#00dd00" | Y (since 5/2008)    || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#Block module loading|Block module loading]]    || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#/dev/mem protection| /dev/mem protection]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#/dev/kmem disabled|  /dev/kmem disabled]]    || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#Module RO/NX|        Module RO/NX]]    || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y             
|-
| [[#Kernel Address Display Restriction|Kernel Address Display Restriction]]    || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#ffff00" | --                  || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y             
|-
| [[#Blacklist Rare Protocols|Blacklist Rare Protocols]]    || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
| [[#Write-protect kernel .rodata sections|Write-protect kernel .rodata sections]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#Kernel Stack Protector|Kernel Stack Protector]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#sVirt labelling|    sVirt labelling]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                  || style="background:#00dd00" | Y                 
|-
| [[#SYN cookies|        SYN cookies]]    || style="background:#98fd98" | ?                  || style="background:#98fd98" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y              || style="background:#00dd00" | Y             
|-
| [[#Syscall Filtering|  Syscall Filtering]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | ?                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
| [[#Secure Boot Support| Secure Boot Support]]    || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#ffff00" | N                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                  || style="background:#98fd98" | Y                 
|-
|}
<div style="float:right;">__TOC__</div>

Latest revision as of 16:57, 4 October 2021



Legend: By Default / Available / Unimplemented (shown by cell colour in the rendered table)

{| class="wikitable"
| Security Features || RHEL 5 || RHEL 6 || RHEL 7 || RHEL 8 || Fedora 31 || Fedora 32 || Fedora 33 || Fedora 34
|-
| '''Configuration'''
|-
| Configurable Firewall || iptables || iptables || iptables || firewalld || firewalld || firewalld || firewalld || firewalld
|-
| Signed updates || yum || yum || yum || yum / dnf || yum / dnf || yum / dnf || yum / dnf || yum / dnf
|-
| Password hashing || md5crypt || sha512crypt || sha512crypt || sha512crypt || sha512crypt || sha512crypt || sha512crypt || sha512crypt
|-
| Annotated Binaries || N || N || N || package list || package list || package list || package list || package list
|-
| Grub2 Security Modules || N || N || N || Y || Y || Y || Y || Y
|-
| SSH Root Password Disabled || N || N || N || Y || Y || Y || Y || Y
|-
| File Access Policy Daemon || N || N || N || Y || Y || Y || Y || Y
|-
| Network Time Security || N || N || N || N || N || N || Y || Y
|-
| '''Subsystems'''
|-
| Filesystem Capabilities || Y || Y || Y || Y || Y || Y || Y || Y
|-
| PR_SET_SECCOMP || N || N || Y || Y || Y || Y || Y || Y
|-
| PARSEC || N || N || N || N || N || N || Y || Y
|-
| '''Mandatory Access Control'''
|-
| SELinux || Y || Y || Y || Y || Y || Y || Y || Y
|-
| SELinux targeted policy || Y || Y || Y || Y || Y || Y || Y || Y
|-
| SELinux Executable Memory Protection || Y || Y || Y || Y || Y || Y || Y || Y
|-
| SELinux user confinement || Y || Y || Y || Y || Y || Y || Y || Y
|-
| SELinux XACE || N || Y || Y || Y || Y || Y || Y || Y
|-
| SELinux sandbox || N || Y || Y || Y || Y || Y || Y || Y
|-
| SELinux Deny Ptrace || N || N || Y || Y || Y || Y || Y || Y
|-
| SELinux restricted module loading || N || Y || Y || Y || Y || Y || Y || Y
|-
| User namespaces || N || N || Y || Y || Y || Y || Y || Y
|-
| /tmp namespace for systemd || N || N || Y || Y || Y || Y || Y || Y
|-
| Polyinstantiate /tmp, /var/tmp and user home folders || N || Y || Y || Y || Y || Y || Y || Y
|-
| '''Filesystem Encryption'''
|-
| Encrypted LVM || Y || Y || Y || Y || Standard Installer || Standard Installer || Standard Installer || Standard Installer
|-
| eCryptfs || Y || Y || N || N || Optional Package || Optional Package || Optional Package || Optional Package
|-
| '''User Space Hardening'''
|-
| Non-Executable Memory (NX) || Y || Y || Y || Y || Y || Y || Y || Y
|-
| Built as PIE || package list || package list || package list || Y || Y || Y || Y || Y
|-
| Pointer Obfuscation || Y || Y || Y || Y || glibc || glibc || glibc || glibc
|-
| Heap Protector || glibc || glibc || glibc || glibc || glibc || glibc || glibc || glibc
|-
| Built with Fortify Source || Y || Y || Y || Y || Y || Y || Y || Y
|-
| Stack Protector || Y || Y || Y || Y || Y || Y || Y || Y
|-
| Strong Stack Protector || N || N || Y || Y || Y || Y || Y || Y
|-
| Stack Clash Protection || N || N || glibc || glibc || package list || package list || package list || package list
|-
| GLIBCXX Assertions || N || Y || Y || Y || package list || package list || package list || package list
|-
| Built with Format Security || Y || Y || Y || Y || Y || Y || Y || Y
|-
| Stack ASLR || Y || Y || Y || Y || Y || Y || Y || Y
|-
| Libs/mmap ASLR || Y || Y || Y || Y || Y || Y || Y || Y
|-
| Exec ASLR || Y || Y || Y || Y || Y || Y || Y || Y
|-
| brk ASLR || N || Y || Y || Y || Y || Y || Y || Y
|-
| VDSO ASLR || Y || Y || Y || Y || Y || Y || Y || Y
|-
| Built with RELRO || N || Y || Y || Y || Y || Y || Y || Y
|-
| Built with BIND_NOW || N || Y || Y || Y || Y || Y || Y || Y
|-
| /proc/$pid/maps protection || N || N || Y || Y || Y || Y || Y || Y
|-
| Symlink restrictions || N || N || Y || Y || Y || Y || Y || Y
|-
| Hardlink restrictions || N || N || Y || Y || Y || Y || Y || Y
|-
| ptrace scope || N || N || Y || Y || Y || Y || Y || Y
|-
| Overflow checking in new operator || N || N || Y || Y || Y || Y || Y || Y
|-
| Crypto Policy || N || N || N || Y || Y || Y || Y || Y
|-
| Tamper Resistant Logs || N || N || Y || Y || Y || Y || Y || Y
|-
| Aarch64 Pointer Authentication || N || N || N || N || N || N || Y || Y
|-
| '''Kernel Hardening'''
|-
| 0-address protection || Y (since 5/2008) || Y || Y || Y || Y || Y || Y || Y
|-
| Block module loading || Y || Y || Y || Y || Y || Y || Y || Y
|-
| /dev/mem protection || Y || Y || Y || Y || Y || Y || Y || Y
|-
| /dev/kmem disabled || Y || Y || Y || Y || Y || Y || Y || Y
|-
| Module RO/NX || N || N || Y || Y || Y || Y || Y || Y
|-
| Kernel Address Display Restriction || N || Y || Y || Y || Y || Y || Y || Y
|-
| Blacklist Rare Protocols || Y || Y || Y || Y || Y || Y || Y || Y
|-
| Write-protect kernel .rodata sections || N || Y || Y || Y || Y || Y || Y || Y
|-
| Kernel Stack Protector || N || Y || Y || Y || Y || Y || Y || Y
|-
| sVirt labelling || N || Y || Y || Y || Y || Y || Y || Y
|-
| SYN cookies || Y || Y || Y || Y || Y || Y || Y || Y
|-
| Syscall Filtering || N || N || Y || Y || Y || Y || Y || Y
|-
| Secure Boot Support || N || N || Y || Y || Y || Y || Y || Y
|}

Configuration

Configurable Firewall

firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections and interfaces. The former firewall model with system-config-firewall/lokkit was static, and every change required a complete firewall restart. The firewall daemon, on the other hand, manages the firewall dynamically and applies changes without restarting the whole firewall. See FirewallD and system-config-firewall for more information.


Signed updates

Each stable RPM package published by the Fedora Project is signed with a GPG signature. By default, DNF, YUM and the graphical update tools verify these signatures and refuse to install any package that is not signed or has a bad signature. You should always verify the signature of a package before you install it. These signatures ensure that the packages you install are what the Fedora Project produced and have not been altered (accidentally or maliciously) by any mirror or website that provides them. See this page for more information. A number of GPG keys are used to sign Fedora software packages; the necessary public keys are included in the relevant products and are used to automatically verify software updates. See this page for more information.

Password hashing

The system password used to log into Fedora is stored in /etc/shadow. Very old-style password hashes were based on DES and were visible in /etc/passwd. Modern Linux long ago moved to /etc/shadow and for some time used salted MD5-based hashes for password verification (crypt id 1). Since MD5 is considered "broken" for some uses, and as the computational power available for brute-forcing MD5 keeps increasing, modern Fedora versions have proactively moved to salted SHA-512-based password hashes (crypt id 6), which are orders of magnitude more difficult to brute-force. See the crypt(3) manpage for additional details.
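As an added example (not part of the wiki page), the following script classifies each /etc/shadow entry by the crypt(3) id in its hash field, so that accounts still on crypt id 1 (md5crypt) or legacy DES can be found; the shadow lines it reads are constructed samples with placeholder hash bodies.

```python
"""Classify /etc/shadow entries by crypt(3) hash scheme (added example, not part of the wiki page)."""
import re
from typing import List, NamedTuple, Optional, Tuple

# crypt(3) id (the text between the first two '$') -> scheme.  "1" is the salted MD5 scheme the
# text calls crypt id 1; "6" is the salted SHA-512 scheme (crypt id 6) Fedora moved to.
CRYPT_IDS = {
    "1": "md5crypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",      # libxcrypt's newer scheme; treated as acceptable here
}
STRONG = {"sha512crypt", "yescrypt"}


class ShadowEntry(NamedTuple):
    user: str
    scheme: str                # md5crypt, sha512crypt, des, locked, empty, unknown, ...
    crypt_id: Optional[str]    # the id string, or None when there is no $id$ prefix


def classify_hash(field: str) -> Tuple[str, Optional[str]]:
    """Map the password field of one shadow line to (scheme, crypt id)."""
    if field == "":
        return ("empty", None)          # no password needed at all
    if field[0] in "!*":
        return ("locked", None)         # "!", "!!" or "*": password login disabled
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        cid = m.group(1)
        return (CRYPT_IDS.get(cid, "unknown"), cid)
    if len(field) == 13:
        return ("des", None)            # traditional 13-character DES crypt, no $id$ prefix
    return ("unknown", None)


def audit_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format text (user:hash:lastchg:min:max:warn:inactive:expire:) into entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                    # not a shadow line; skip rather than guess
        scheme, cid = classify_hash(fields[1])
        entries.append(ShadowEntry(fields[0], scheme, cid))
    return entries


def needs_rehash(entries: List[ShadowEntry]) -> List[str]:
    """Users with a usable password whose hash is weaker than crypt id 6 (or unrecognised).
    Existing hashes are not rewritten when the system default changes; they only change when
    the password is next set, so these accounts need a password reset."""
    return [e.user for e in entries if e.scheme not in STRONG and e.scheme != "locked"]


# Constructed sample shadow lines; the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = "\n".join([
    "# user:hash:lastchg:min:max:warn:inactive:expire:",
    "root:$6$saltsalt$" + "Q" * 86 + ":18900:0:99999:7:::",
    "legacy:$1$saltsalt$" + "m" * 22 + ":18900:0:99999:7:::",
    "ancient:ab" + "D" * 11 + ":18900:0:99999:7:::",
    "daemon:*:18900:0:99999:7:::",
    "newuser:!!:18900:0:99999:7:::",
    "oops::18900:0:99999:7:::",
])
```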

Annotated Binaries

Annotated Binaries store metadata provided directly by GCC via a compiler plugin. This metadata includes which security hardening protections the binary was built with, which compiler built it, and more, which makes it possible to script checks of the hardening features of binaries. Read more about Annobin in Fedora and RHEL.

Grub2 Security Modules

grub2 modules "verify", "cryptodisk", and "luks" are now included in the EFI build, allowing users to optionally guarantee the integrity of boot code, either through verification of digital signatures or through encryption of the boot partition. Read More.

SSH Root Password Disabled

By default, OpenSSH does not allow remote login to the root account with a password; a public SSH key may still be used. This reduces the attack surface, as password login to root was a common target of attacks. Read More. In the case of RHEL 8, the default setting is "prohibit-password", which allows remote root login only with public key authentication. Read More.
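To check what is actually in effect on a host, here is an added example (not OpenSSH or Fedora code) that computes the effective global PermitRootLogin value from sshd_config text; it follows sshd's first-value-wins rule and reads Include drop-ins at their point of inclusion, and the sshd_config content and drop-in file names are constructed samples.

```python
"""Effective PermitRootLogin of an sshd_config (added example, not OpenSSH or Fedora code).

sshd_config(5): the first obtained value of a keyword wins, Include files are read at the point
of inclusion, and lines after a Match block apply only when the condition matches, so a check
that takes the last value or ignores drop-ins reports the wrong answer.
"""
import fnmatch
import re
from typing import Callable, Dict, Iterable, Optional

VALID = {"yes", "prohibit-password", "forced-commands-only", "no"}
ALIASES = {"without-password": "prohibit-password"}   # deprecated spelling still accepted by sshd
DEFAULT = "prohibit-password"   # upstream default since OpenSSH 7.0 and the RHEL 8 default named above

Reader = Callable[[str], Iterable[str]]


def _directives(text: str):
    """Yield (keyword, argument) with the keyword lower-cased; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)          # "Key value" or "Key=value"
        yield parts[0].lower(), (parts[1].strip().strip('"') if len(parts) > 1 else "")


def first_global_value(keyword: str, text: str, read_includes: Optional[Reader] = None) -> Optional[str]:
    """First global value of keyword, or None if it is not set before the first Match block."""
    for key, arg in _directives(text):
        if key == "match":
            return None                  # everything below is conditional, so the global value is settled
        if key == "include":
            if read_includes is None:
                continue                 # caller chose not to resolve drop-ins
            for included in read_includes(arg):
                found = first_global_value(keyword, included, read_includes)
                if found is not None:
                    return found
        elif key == keyword:
            return arg
    return None


def effective_permit_root_login(text: str, read_includes: Optional[Reader] = None) -> str:
    """Normalised global PermitRootLogin value, falling back to sshd's compiled-in default."""
    value = first_global_value("permitrootlogin", text, read_includes)
    if value is None:
        return DEFAULT
    value = ALIASES.get(value.lower(), value.lower())
    if value not in VALID:
        raise ValueError(f"invalid PermitRootLogin value: {value!r}")
    return value


def root_password_login_allowed(text: str, read_includes: Optional[Reader] = None) -> bool:
    """True only when 'PermitRootLogin yes' is in effect, i.e. root may log in with a password."""
    return effective_permit_root_login(text, read_includes) == "yes"


def make_reader(files: Dict[str, str]) -> Reader:
    """Resolve an Include glob against an in-memory path -> contents map, in sorted path order
    (on a live system this would glob the filesystem instead)."""
    def read(pattern: str):
        return [files[p] for p in sorted(files) if fnmatch.fnmatch(p, pattern)]
    return read


# Constructed sample: a Fedora-style main file that includes drop-ins first, followed by a stale
# "PermitRootLogin yes" that sshd ignores because the drop-in already supplied the value.
SAMPLE_DROPINS = {
    "/etc/ssh/sshd_config.d/50-hardening.conf": "PermitRootLogin prohibit-password\n",
}
SAMPLE_MAIN = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
Match User backup
    PermitRootLogin no
"""
```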

File Access Policy Daemon

The File Access Policy Daemon (fapolicyd) software framework introduces a form of application whitelisting and blacklisting based on a user-defined policy. The application whitelisting feature provides one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system. An application is trusted when it is properly installed by the system package manager, and therefore it is registered in the system RPM database. The fapolicyd daemon uses the RPM database as a list of trusted binaries and scripts. The fapolicyd YUM plugin registers any system update that is handled by the YUM package manager. The plugin notifies the fapolicyd daemon about changes in this database. An installation using the rpm utility requires a manual refresh of the database, and other ways of adding applications require the creation of custom rules and restarting the fapolicyd service.

For more information see this blog post and Red Hat Product Documentation page.

Network Time Security (NTS)

NTS is a new authentication mechanism specified by the IETF for NTP. NTS uses the NTS-KE protocol over Transport Layer Security (TLS) to establish keys and to provide the client with cookies, which allow the NTP server to keep no client-specific state. NTP packets are authenticated using Authenticated Encryption with Associated Data (AEAD). NTS is expected to scale well to a large number of clients. There are already some public NTP servers with NTS support. Read more


Subsystems

Filesystem Capabilities

The need for setuid applications can be reduced via the application of filesystem capabilities using the xattrs available to most modern filesystems. This reduces the possible misuse of vulnerable setuid applications. The kernel provides the support and the user-space tools are available in the libcap package.


PR_SET_SECCOMP

Setting SECCOMP (SECure COMPuting) for a process confines it to a small subset of system calls; it was designed for specialized processing-only programs. See this article and the SECCOMP article for more information.


Platform Abstraction For Security (PARSEC)

PARSEC is the Platform AbstRaction for SECurity, an open-source initiative to provide a common API to hardware security and cryptographic services in a platform-agnostic way. This abstraction layer keeps workloads decoupled from physical platform details, enabling cloud-native delivery flows within the data center and at the edge. The PARSEC daemon can currently use a Trusted Platform Module 2 (TPM2) chip, Hardware Security Module (HSM) device, or systems that have an Arm TrustZone technology enabled.

Further reading: PARSEC GitHub, Fedora 33 release notes

Mandatory Access Control (MAC)

Mandatory Access Control specifies which subjects may access which data. It is enforced through the kernel's LSM (Linux Security Modules) hooks and is based on security labels: data on the system carries clearance and classification information in its security label, and only subjects with a matching label may access it. When a subject tries to access data, the rules defined by the policy are checked to make the access control decision. Security levels are ordered, for example Unclassified -> Confidential -> Secret -> Top Secret. If the user has clearance for the requested object, access is allowed; otherwise it is denied. MAC is a system-wide policy that states who is allowed to access what, and an individual user cannot alter it. The MAC model is mostly used in environments where confidentiality is paramount, such as government and military organizations. A widely used implementation of MAC is SELinux: Security-Enhanced Linux employs MAC rules to provide fine-grained security.

See MAC.


SELinux

SELinux is an inode-based MAC. See this page and this page for more information.


SELinux targeted policy

SELinux is enabled with the targeted policy by default. See the discussion of policies page and this page for more information.


SELinux Executable Memory Protection

SELinux restricts certain memory protection operations when the appropriate boolean values enable these checks. See this page for more information.

SELinux user confinement

SELinux can confine users' access on a system. Each Linux user is mapped to an SELinux user via SELinux policy, allowing Linux users to inherit the restrictions placed on SELinux users, for example (depending on the user) not being able to run the X Window System, use networking, run setuid applications (unless SELinux policy permits it), or run the su and sudo commands:

# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

All Linux users are mapped to __default__, which maps to the unconfined_u SELinux user. The other SELinux users available are guest_u, xguest_u, user_u and staff_u.

# ls /etc/selinux/targeted/contexts/users
guest_u  root  staff_u  sysadm_u  unconfined_u  user_u  xguest_u

# ls /etc/selinux/mls/contexts/users
guest_u  root  staff_u  unconfined_u  user_u  xguest_u

* sysadm_u is not present in MLS Policy

Users are defined in /etc/selinux/<targeted or mls>/contexts/users. See Confined and Unconfined Users article for more information.

{| class="wikitable"
| User || Domain || X Window System || su and sudo || Execute in home directory and /tmp/ || Networking
|-
| guest_u || guest_t || no || no || no optional || no
|-
| xguest_u || xguest_t || yes || no || optional || only Firefox
|-
| user_u || user_t || yes || no || optional || yes
|-
| staff_u || staff_t || yes || only sudo || optional || yes
|}


SELinux XACE

SELinux X Access Control Extension (XACE) aims at extending SELinux to X.org system, to provide flexible fine-grained MAC to the desktop. See this page and this page for more information.


SELinux sandbox

Support for SELinux to test untrusted content via a sandbox. See this page and this page for more information.


SELinux Deny Ptrace

A boolean that lets SELinux remove the ability of all processes to ptrace other processes. See this page, this page and this page for more information.


SELinux restricted module loading

Support for SELinux to restrict the loading of kernel modules by unprivileged processes in confined domains was implemented in this commit.


User namespaces

User namespaces allow per-namespace mappings of user and group IDs. This means that a process' user and group IDs inside a user namespace can be different from its IDs outside of the namespace. Most notably, a process can have a nonzero user ID outside a namespace while at the same time having a user ID of zero inside the namespace; in other words, the process is unprivileged for operations outside the user namespace but has root privileges inside the namespace (see this page and this page).

See BZ#917708 to track this feature in Fedora. User namespaces were first included in Red Hat Enterprise Linux 7.2 as a Technology Preview (release note, BZ#1138782). Full support for User namespaces was added in Red Hat Enterprise Linux 7.4 (release note).


/tmp namespace for systemd

Some services started by systemd run with a private /tmp directory. This mitigates the risk that a mistake in how a service handles its /tmp data lets a user on the system escalate privileges, since users have no access to the service's private /tmp directory.

See this page and this page for more information.


Polyinstantiate /tmp, /var/tmp and user home folders

To protect world-writable shared directories such as /tmp and /var/tmp, PAM (Pluggable Authentication Modules) can create a namespace for each user on the system. Security works in layers, and polyinstantiating these world-writable directories adds a layer that protects against further intrusion into the system. Polyinstantiating means that a new instance of the /tmp or /var/tmp directory is created for each user. The feature is implemented by pam_namespace.so. To enable it:

Uncomment the respective lines in /etc/security/namespace.conf:

#/tmp     /tmp-inst/            level      root,adm
#/var/tmp /var/tmp/tmp-inst/    level      root,adm
# Remove the line below if required to polyinstantiate HOME directory of the user
#$HOME    $HOME/$USER.inst/     level

Add

 session    required     pam_namespace.so 

to /etc/pam.d/login. The file /etc/security/namespace.conf specifies which directories are polyinstantiated, how they are polyinstantiated, what the instance directories are named, and for which users polyinstantiation is not performed.

Create the directories and set the SELinux context and boolean that enable polyinstantiation:

# mkdir /tmp-inst /var/tmp-inst
# chmod 000 /tmp-inst
# chmod 000 /var/tmp-inst
# chcon -R -t tmp_t /tmp-inst
# chcon -R -t tmp_t /var/tmp-inst
# setsebool polyinstantiation_enabled 1
  • $ man 8 pam_namespace
  • $ man 5 namespace.conf
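The following added example (not part of the wiki page) checks the steps above against copies of namespace.conf and pam.d/login: it parses the active namespace.conf entries, confirms the session line for pam_namespace.so, and verifies that each instance parent directory exists with mode 0000 and, where SELinux labels are readable, carries the tmp_t type. The configuration text is a constructed sample, and `root` is an assumed parameter for running the directory checks against a staging tree rather than the live system.

```python
"""Check the pam_namespace setup from the steps above (added example, not part of the wiki page)."""
import os
import stat
from pathlib import Path
from typing import Dict, List

EXPECTED_TYPE = "tmp_t"   # the SELinux type the chcon step assigns to the instance directories


def parse_namespace_conf(text: str) -> List[Dict[str, object]]:
    """Active entries as dicts: polydir instance_prefix method [list_of_users]; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed namespace.conf line: {raw!r}")
        entries.append({
            "polydir": parts[0],
            "instance_prefix": parts[1],
            "method": parts[2].split(":")[0],              # "level:create" -> "level"
            "skip_users": parts[3].split(",") if len(parts) > 3 else [],
        })
    return entries


def pam_namespace_enabled(pam_text: str) -> bool:
    """True if an active 'session' line in the PAM file loads pam_namespace.so."""
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens and tokens[0] == "session" and any(t.endswith("pam_namespace.so") for t in tokens[1:]):
            return True
    return False


def instance_parent(instance_prefix: str) -> str:
    """Directory that must exist before login: the prefix itself when it ends in '/',
    otherwise its parent, since pam_namespace appends the instance name to the prefix."""
    if instance_prefix.endswith("/"):
        return instance_prefix.rstrip("/")
    return os.path.dirname(instance_prefix)


def selinux_type(path: str):
    """SELinux type from the security.selinux xattr (user:role:type:level), or None if unreadable."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):       # no SELinux, or xattrs unsupported on this filesystem
        return None
    fields = raw.rstrip(b"\0").decode(errors="replace").split(":")
    return fields[2] if len(fields) >= 3 else None


def check_polyinstantiation(namespace_conf: str, pam_login: str, root: str = "/",
                            check_selinux: bool = True) -> List[str]:
    """Return findings (empty list = setup matches the steps above). `root` is prepended to
    every directory path so the check can run against a staging tree instead of the live system."""
    findings = []
    entries = parse_namespace_conf(namespace_conf)
    if not entries:
        findings.append("namespace.conf has no active entries (lines still commented out?)")
    if not pam_namespace_enabled(pam_login):
        findings.append("pam.d/login does not load pam_namespace.so in a session line")
    for entry in entries:
        prefix = str(entry["instance_prefix"])
        if "$" in prefix:
            continue                                   # $HOME/$USER prefixes expand per user; not checked
        parent = instance_parent(prefix)
        path = Path(root) / parent.lstrip("/")
        if not path.is_dir():
            findings.append(f"{parent}: instance parent directory missing")
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode != 0:
            findings.append(f"{parent}: mode {mode:04o}, expected 0000 (chmod 000)")
        if check_selinux:
            ctx = selinux_type(str(path))
            if ctx is not None and ctx != EXPECTED_TYPE:
                findings.append(f"{parent}: SELinux type {ctx}, expected {EXPECTED_TYPE}")
    return findings


# Constructed samples: the two namespace.conf lines from the steps above, uncommented, and a
# minimal /etc/pam.d/login with the required session line.
SAMPLE_NAMESPACE_CONF = """\
/tmp     /tmp-inst/            level      root,adm
/var/tmp /var/tmp/tmp-inst/    level      root,adm
#$HOME    $HOME/$USER.inst/     level
"""
SAMPLE_PAM_LOGIN = """\
#%PAM-1.0
auth       substack     system-auth
session    required     pam_namespace.so
session    include      system-auth
"""
```

Note that the namespace.conf lines above name /var/tmp/tmp-inst/ as the instance prefix while the mkdir step creates /var/tmp-inst; the check reports whichever parent directory the configuration actually names.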

As per the reference at https://www.ibm.com/developerworks/library/l-polyinstantiation/:

Polyinstantiation of world-writable directories prevents the following types of attacks:

  • Race-condition attacks with symbolic links
  • Exposing a file name considered secret information or useful to an attacker
  • Attacks by one user on another user
  • Attacks by a user on a daemon
  • Attacks by a non-root daemon on a user

However, polyinstantiation does NOT prevent these types of attacks:

  • Attacks by a root daemon on a user
  • Attacks by root (account or escalated privilege) on any user

See also: Polyinstantiation of directories in an SE Linux system; Improve security with polyinstantiation.


Filesystem encryption

Encrypted LVM

Modern Fedora versions include the ability to install Fedora onto an encrypted LVM, which allows all partitions in the logical volume, including swap, to be encrypted. LVM uses LUKS encryption (Linux Unified Key Setup). Except for the boot partition, all other partitions can be encrypted. As the Linux kernel modules reside on the root partition, they are also protected when encryption is applied. With LVM encryption, users can simply encrypt the physical volume on which the other partitions reside, making encryption and decryption much faster. The LVM is created inside an encrypted block device, which hides the LVM until the block device is decrypted. Once the block device is decrypted, the volume structure is read and all detected partitions are mounted at boot time.

See the following references for more information about LUKS support in Red Hat Enterprise Linux: solution article, RHEL-5, RHEL-6, RHEL-7, RHEL 8. Note that in RHEL-8 the default format for LUKS encryption is LUKS2. The legacy LUKS1 format remains fully supported and it is provided as a format compatible with earlier RHEL releases.


eCryptfs

eCryptfs (Enterprise Cryptographic Filesystem) is a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; a file is decrypted with the proper key from the Linux kernel keyring. It has been in the mainline kernel since 2.6.19. It works at the filesystem level, so this type of encryption can be applied to specific directories as needed after the filesystem has been created.

See the eCryptfs homepage and eCryptfs article for more details. eCryptfs is available in both Red Hat Enterprise Linux 5 and 6 as a technology preview. As of Red Hat Enterprise Linux 7, eCryptfs is not included.


User Space Hardening

Many security features are available through the default compiler flags used to build packages and through the kernel in Fedora.


Non-Executable Memory (NX)

Modern processors support a feature called NX, which allows a system to control the execution of various portions of memory: data memory is flagged as non-executable and program memory is flagged as non-writable. This helps prevent certain types of buffer overflow exploits from working as expected. Most modern CPUs protect against executing non-executable memory regions (heap, stack, etc.). Since not all processors support the NX feature, attempts have been made to approximate it via segment limits: a segment limit prevents certain portions of memory from being executed, which provides very similar functionality to NX. After booting, the kernel log shows which NX protection is in effect:

  • Hardware-based (via PAE mode):
    • [ 0.000000] NX (Execute Disable) protection: active
  • Partial Emulation (via segment limits):
    • [ 0.000000] Using x86 segment limits to approximate NX protection

For more information, see Security Features page.


Built as PIE

All programs built as Position Independent Executables (PIE) with "-fPIE -pie" can take advantage of the exec ASLR. This protects against "return-to-text" and generally frustrates memory corruption attacks. This requires centralized changes to the compiler options when building the entire archive. PIE has a large (5-10%) performance penalty on architectures with small numbers of general registers (e.g. x86), so it should only be used for a select number of security-critical packages. PIE on x86_64 does not have the same penalties, and will eventually be made the default, but more testing is required. See this paper and this FESCo ticket for more information.

In Fedora 23 and later, all packages are built with PIE and Full RELRO. See this page for details.


Pointer Obfuscation

Some pointers stored in glibc are obfuscated internally via the PTR_MANGLE/PTR_UNMANGLE macros, preventing libc function pointers from being overwritten at runtime. This feature was introduced in Red Hat Enterprise Linux 5; for further information, see this blog post.


Heap Protector

The GNU C Library heap protector (both automatic via ptmalloc and manual) provides corrupted-list/unlink/double-free/overflow protections to the glibc heap memory manager (first introduced in glibc 2.3.4). This stops the ability to perform arbitrary code execution via heap memory overflows that try to corrupt the control structures of the malloc heap memory areas. This protection has evolved over time, adding more and more protections as additional corner-cases were researched. As it currently stands, glibc 2.10 and later appears to successfully resist even these hard-to-hit conditions. See this page for more details.


Built with Fortify Source

Programs built with "-D_FORTIFY_SOURCE=2" (and -O1 or higher) enable several compile-time and run-time protections in glibc:

  • expand unbounded calls to "sprintf", "strcpy" into their "n" length-limited cousins when the size of a destination buffer is known (protects against memory overflows).
  • stop format string "%n" attacks when the format string is in a writable memory segment.
  • require checking various important function return codes and arguments (e.g. system, write, open).
  • require explicit file mask when creating new files.

-D_FORTIFY_SOURCE=2 also protects C++ code. See this page for more information.
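The first bullet depends on the compiler knowing the destination size. As an added example (not code from the page or from glibc), the following C models that rewrite: the checked copy receives the size the compiler can prove through __builtin_object_size(), and an unprovable size degrades to an unchecked copy. It assumes GCC or clang, which fold __builtin_object_size for a directly named array; checked_strcpy returns -1 where glibc's __strcpy_chk would abort, so the decision can be observed.

```c
/* Miniature model of what -D_FORTIFY_SOURCE=2 does to strcpy():
 * glibc's headers replace the call with a checked variant that is handed
 * the destination size the compiler can prove. (size_t)-1 means "unknown"
 * and the call is then unchecked, exactly the "when the size of a
 * destination buffer is known" limitation the text describes. */
#include <stddef.h>
#include <string.h>

/* Copy src into dst; return 0 on success, -1 if the copy would overflow a
 * destination of known size (glibc's __strcpy_chk aborts instead). */
int checked_strcpy(char *dst, const char *src, size_t dst_size)
{
    size_t n = strlen(src) + 1;              /* bytes to copy, NUL included */
    if (dst_size != (size_t)-1 && n > dst_size)
        return -1;                           /* would overflow: refuse */
    memcpy(dst, src, n);
    return 0;
}

/* Mirrors the header-level rewrite: the compiler, not the programmer,
 * supplies the destination size. Type 0 = whole enclosing object. */
#define FORTIFIED_STRCPY(dst, src) \
    checked_strcpy((dst), (src), __builtin_object_size((dst), 0))

/* Destination is a fixed-size array: its size is provable, so the copy is
 * checked and an oversized string is refused instead of smashing the stack. */
int copy_into_local(const char *src)
{
    char buf[8];
    return FORTIFIED_STRCPY(buf, src);
}

/* Destination arrives through a pointer: nothing is provable, so the copy
 * proceeds unchecked. The caller is responsible for the size here. */
int copy_into_pointer(char *dst, const char *src)
{
    return FORTIFIED_STRCPY(dst, src);
}

/* Exposes the size the compiler computed for an 8-byte local array. */
size_t provable_size_of_local8(void)
{
    char buf[8];
    return __builtin_object_size(buf, 0);   /* 8 when provable */
}
```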


Stack Protector

gcc's -fstack-protector provides a randomized stack canary that protects against stack overflows and reduces the chances of arbitrary code execution via control of return address destinations. It is enabled at compile time. The routines used for stack checking are actually part of glibc, but gcc is patched to link against those routines by default. See this page for more information.


Strong Stack Protector

See "Strong" stack protection for GCC and Security improvements in RHEL-7 articles for more information.


Stack Clash Protection

Building binaries with -fstack-clash-protection introduces a mitigation which prevents stack clash attacks, in which an attacker clashes the stack with the heap, or vice versa, for exploitation. Red Hat’s engineers implemented -fstack-clash-protection for all Red Hat Enterprise Linux (RHEL) targets starting with RHEL 7.5. RHEL 7.5 enables -fstack-clash-protection for glibc only. Starting with RHEL 8, the entire distribution is compiled with -fstack-clash-protection and annobin/annocheck are used to verify that the distribution was compiled with the proper flags. Fedora 27 and later enable -fstack-clash-protection by default for all packages using the standard default compilation options.

GLIBCXX Assertions

The g++ compiler flag -D_GLIBCXX_ASSERTIONS turns on cheap range checks for C++ arrays, vectors, and strings, as well as null pointer dereference checks for smart pointers. This feature is implemented in libstdc++ and was introduced in Fedora 28. This hardening flag is supported in Red Hat Enterprise Linux, but only effective with DTS 6 or later.

Address Space Layout Randomization (ASLR)

ASLR is implemented by the kernel and the ELF loader by randomizing the location of memory allocations (stack, heap, shared libraries, etc). This makes memory addresses harder to predict when an attacker is attempting a memory-corruption exploit. ASLR is controlled system-wide by the value of /proc/sys/kernel/randomize_va_space.

  • 0 - Turn ASLR off.
  • 1 - Make the addresses of mmap(2) allocations, the stack, loaded shared libraries and the VDSO page randomized.
  • 2 - Also randomize the heap, in addition to the above.

Even when randomize_va_space is set to 2, the text segment of binaries is loaded at a static address. To make ASLR effective all segments must be randomized. Leaving the text segment loading address non-randomized reduces the protection provided by ASLR, since attackers can use ret2text attacks. The loading address of the text segment in a binary can be randomized by building the binary as PIE (Position Independent Executable).

See this article for more information.


Stack ASLR

Each execution of a program results in a different stack memory space layout. This makes it harder to locate in memory where to attack or deliver an executable attack payload. This feature has been available in the mainline kernel since 2.6.15.


Libs/mmap ASLR

Each execution of a program results in a different mmap memory space layout. This causes the dynamically loaded libraries to get loaded into different locations each time. This makes it harder to locate in memory where to jump to for "return to libc" or similar attacks. This has been available in the mainline kernel since 2.6.15.


Exec ASLR

Each execution of a program that has been built with "-fPIE -pie" will get loaded into a different memory location. This makes it harder to locate in memory where to attack or jump to when performing memory-corruption-based attacks. This has been available in the mainline kernel since 2.6.25.


brk ASLR

Similar to exec ASLR, brk ASLR adjusts the memory locations relative between the exec memory area and the brk memory area (for small mallocs). The randomization of brk offset from exec memory was added in 2.6.22.


VDSO ASLR

Each execution of a program results in a random vdso location. This has existed in the mainline kernel since 2.6.18 (x86, PPC) and 2.6.22 (x86_64). People needing ancient pre-libc6 static high vdso mappings can use "vdso=2" on the kernel boot command line to gain COMPAT_VDSO again. See this article for more information.


Built with RELRO

RELRO stands for RELocation Read-Only; it is a mitigation technique that hardens the data sections of an ELF binary/process. It moves commonly exploited structures in the ELF binary to a read-only location: the loader marks the areas of the relocation table for any symbols resolved at load time as read-only ("read-only relocations"). This reduces the area available to GOT-overwrite-style memory corruption attacks; specifically, the GOT is made read-only after relocation by the dynamic linker.

RELRO can be classified into:

Partial RELRO

  • Compilation: gcc -Wl,-z,relro
  • ELF sections are reordered, so that ELF internal data sections (.got, .dtors, etc) precede the program's data sections (.data and .bss)
  • non-PLT GOT is read-only
  • GOT is writable

Full RELRO

  • compilation: gcc -Wl,-z,relro,-z,now
  • Supports all the features of partial RELRO
  • In addition, the GOT is also remapped as read-only

In case of a bss or data overflow bug both partial and full RELRO can protect the ELF internal data sections from being overwritten. With full RELRO a working mitigation technique to successfully prevent the modification of GOT entries is available. Full RELRO has been enabled for all packages in Fedora 23 and later.

In short, RELRO hardens ELF programs against loader memory area overwrites by having the loader mark any areas of the relocation table as read-only for any symbols resolved at load-time ("read-only relocations"). This reduces the area of possible GOT-overwrite-style memory corruption attacks. RELRO has been enabled for all packages in Red Hat Enterprise Linux 6 and later versions.

This information has been borrowed from this article.


Built with BIND_NOW

Marks ELF programs to resolve all dynamic symbols at start-up (instead of on-demand, also known as "immediate binding") so that the GOT can be made entirely read-only (when combined with RELRO above). Note that BIND_NOW is enabled in Red Hat Enterprise Linux 7 and later versions and not recommended for use on Red Hat Enterprise Linux 6.
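The partial/full RELRO distinction and the BIND_NOW marking above are both recorded in the ELF headers, so the check that readelf or annocheck perform can be reproduced directly. This added example (not code from the page, Fedora or Red Hat) classifies an in-memory ELF64 image by the rules just given and builds constructed sample images to exercise it; it assumes a little-endian host with the glibc/Linux <elf.h>.

```c
/* Classify RELRO / BIND_NOW / PIE from an ELF64 image, using the rules in
 * the text: a PT_GNU_RELRO segment means partial RELRO, and partial RELRO
 * plus a BIND_NOW marking in the dynamic section means full RELRO. */
#include <elf.h>
#include <stdint.h>
#include <string.h>

enum relro_level { RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };

struct hardening {
    int pie;                /* ET_DYN (note: shared libraries are ET_DYN too) */
    int bind_now;           /* DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW present   */
    enum relro_level relro; /* none / partial / full                          */
};

/* Walk the program headers and the dynamic section of an in-memory ELF64
 * image. Returns 0 on success, -1 if the image is truncated or not ELF64. */
int inspect_elf(const unsigned char *img, size_t len, struct hardening *out)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);            /* memcpy: img may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    int relro = 0, now = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize;
        if (off + sizeof ph > len) return -1;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO) {          /* added by -z relro */
            relro = 1;
        } else if (ph.p_type == PT_DYNAMIC) {     /* -z now leaves a dynamic tag */
            if (ph.p_offset + ph.p_filesz > len) return -1;
            for (uint64_t n = 0; (n + 1) * sizeof(Elf64_Dyn) <= ph.p_filesz; n++) {
                Elf64_Dyn d;
                memcpy(&d, img + ph.p_offset + n * sizeof d, sizeof d);
                if (d.d_tag == DT_NULL) break;
                if (d.d_tag == DT_BIND_NOW ||
                    (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
                    (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)))
                    now = 1;
            }
        }
    }
    out->pie = eh.e_type == ET_DYN;
    out->bind_now = now;
    out->relro = !relro ? RELRO_NONE : (now ? RELRO_FULL : RELRO_PARTIAL);
    return 0;
}

/* Build a minimal constructed ELF64 image (test data, not a real binary):
 * one PT_DYNAMIC segment, optionally a PT_GNU_RELRO segment, and a dynamic
 * section carrying DF_1_NOW when bind_now is set. Returns bytes written. */
size_t build_sample_elf(unsigned char *buf, size_t cap, int pie, int relro, int bind_now)
{
    Elf64_Ehdr eh = {{0}};
    Elf64_Phdr ph = {0};
    Elf64_Dyn dyn[2] = {{0}};
    unsigned phnum = relro ? 2 : 1;
    size_t ndyn = 0, dyn_off = sizeof eh + phnum * sizeof ph;
    if (bind_now) { dyn[ndyn].d_tag = DT_FLAGS_1; dyn[ndyn].d_un.d_val = DF_1_NOW; ndyn++; }
    dyn[ndyn++].d_tag = DT_NULL;
    if (cap < dyn_off + ndyn * sizeof dyn[0]) return 0;
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = pie ? ET_DYN : ET_EXEC; eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = phnum;
    memcpy(buf, &eh, sizeof eh);
    ph.p_type = PT_DYNAMIC; ph.p_offset = dyn_off; ph.p_filesz = ndyn * sizeof dyn[0];
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    if (relro) {
        ph.p_type = PT_GNU_RELRO; ph.p_filesz = 0;
        memcpy(buf + sizeof eh + sizeof ph, &ph, sizeof ph);
    }
    memcpy(buf + dyn_off, dyn, ndyn * sizeof dyn[0]);
    return dyn_off + ndyn * sizeof dyn[0];
}
```

To check a real binary, read the whole file into a buffer and pass it to inspect_elf; a plain shared library reports pie=1 as well, since it is also ET_DYN.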


/proc/$pid/maps protection

With ASLR, a process's memory space layout suddenly becomes valuable to attackers. The "maps" file is made read-only except to the process itself or the owner of the process. This went into the mainline kernel with a sysctl toggle in 2.6.22. The toggle was made non-optional in 2.6.27, forcing the privacy to be enabled regardless of sysctl settings (this is a good thing).

Symlink restrictions

A long-standing class of security issues is the symlink-based ToCToU race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of this flaw is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user).

In modern Fedora versions, symlinks in world-writable sticky directories (e.g. /tmp) cannot be followed if the follower and directory owner do not match the symlink owner. The behavior is controllable through the /proc/sys/kernel/yama/protected_sticky_symlinks sysctl. Red Hat Enterprise Linux 7 and later versions provide a feature to protect against hard and symbolic link attacks.


Hardlink restrictions

Hardlinks can be abused in a similar fashion to symlinks above, but they are not limited to world-writable directories. If /etc/ and /home/ are on the same partition, a regular user can create a hardlink to /etc/shadow in their home directory. While it retains the original owner and permissions, it is possible for privileged programs that are otherwise symlink-safe to mistakenly access the file through its hardlink. Additionally, a very minor untraceable quota-bypassing local denial of service is possible by an attacker exhausting disk space by filling a world-writable directory with hardlinks.

In modern Fedora versions, hardlinks cannot be created to files that the user would be unable to read and write originally, or are otherwise sensitive. Red Hat Enterprise Linux 7 and later versions provide a feature to protect against hard and symbolic link attacks.


ptrace scope

A troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application was compromised, it would be possible for an attacker to attach to other running processes (e.g. SSH sessions, GPG agent, etc.) to extract additional credentials and continue to immediately expand the scope of their attack without resorting to user-assisted phishing or trojans. The ptrace scope restriction is provided by YAMA and can be enabled with CONFIG_SECURITY_YAMA in the kernel.

Independent of this configuration, processes that know they store secrets in memory may already use prctl(PR_SET_DUMPABLE,0); to prevent ptrace and other memory-snooping attacks. See this and this.


Overflow checking in new operator

GCC performs overflow checking in operator new[], the operator used to dynamically allocate arrays. On failure it throws a bad_alloc exception; the header to include for it is <new>. A new or new[] expression that is not allowed to throw cannot otherwise signal memory exhaustion. If there is a choice between calloc/malloc/new for allocating memory, new should be used. If new[] is used to allocate memory then delete[] should be used to free it; using delete without [] will cause a memory leak. Use a try-catch block with new, as it throws an exception and does not return a value on failure, though it can be forced to return a (null) value by using nothrow:

 #include <new>        // std::bad_alloc and std::nothrow
 #include <iostream>
 using namespace std;

 struct alpha {};

 /* nothrow form: returns a null pointer instead of throwing on failure */
 alpha* pt = new (nothrow) alpha[200];
 if (pt == nullptr) {
     cerr << "allocation failed\n";
 }
 delete[] pt;   // allocated with new[], so freed with delete[]

Otherwise new[] throws a bad_alloc exception, which can be handled as follows:

 /* throwing form: on memory exhaustion (or an element count whose byte
    size would overflow) new[] throws std::bad_alloc */
 try {
     int* ptr = new int[100000];
     delete[] ptr;
 } catch (const bad_alloc& e) {
     cerr << "allocation failed: " << e.what() << '\n';
 }

See Array allocation in C++ article for more information.


Built with Format Security

Enable the "-Werror=format-security" compilation flag for all packages in Fedora. Once this flag is enabled, GCC will refuse to compile code that could be vulnerable to a format string security flaw. See Format Security for more information. This flag is supported in all versions of Red Hat Enterprise Linux.


Crypto Policy

Unify the crypto policies used by different applications and libraries, that is, allow setting a consistent security level for crypto across all applications in a Fedora system. The implementation approach is to initially modify the SSL libraries to respect the policy and gradually add more libraries and applications. As of Fedora 31, users can customize the existing system-wide crypto policies by removing or adding enabled algorithms and protocols.

Fedora 33 disables:

  • TLS protocol versions older than 1.2, so TLS 1.0 and 1.1 are now disabled by default.
  • SHA hash signatures in TLS, SSH and IKE protocols.
  • Diffie-Hellman key exchange with parameter sizes less than 2048 bits.

See Crypto Policy and Custom Crypto Policies for more information.

Red Hat Enterprise Linux 8 provides a consistent crypto policy which is applied consistently to running services and is kept up-to-date as part of the software updates, to stay on par with cryptographic advances. It configures the core cryptographic subsystems, covering the TLS, IPSec, DNSSec and Kerberos protocols, and provides a small set of policies which the administrator can select, with the default being a conservative policy offering secure settings for today's threat models. The policy has been extended in RHEL 8.2 to enable users to specify their own crypto policies if the built-in policies do not meet their requirements. Refer to the Security Hardening Guide for a more detailed description.


Tamper Resistant Logs

When a system is compromised, attackers might tamper with the system logs. This can be prevented by using FSS (Forward Secure Sealing), which is implemented in the systemd journal. Binary logs maintained by systemd are sealed at certain time intervals. Sealing is a cryptographic operation on the logs so that any tampering with the logs can be detected; an attacker can still remove entire logs completely, but this is likely to get noticed by the system administrator.

See Forward Secure Sealing (FSS) and LWN articles for more information.

Aarch64 Pointer Authentication

Arm Pointer Authentication (PAC) is a method of hardening code against Return Oriented Programming (ROP) attacks. It uses a tag in a pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc and the kernel, packages gain the additional hardening by compiling with the -mbranch-protection= flag available in recent versions of GCC. In particular, -mbranch-protection=standard enables both BTI and PAC, using code sequences that are backwards compatible with armv8.0 and that activate on v8.3 (PAC) and v8.5 (BTI) enabled Arm machines. Read more

Kernel Hardening

The kernel itself has protections enabled to make it more difficult to become compromised.

0-address protection

Since the kernel and userspace share virtual memory addresses, the "NULL" memory space needs to be protected so that userspace mmap'd memory cannot start at address 0, stopping "NULL dereference" kernel attacks. This is possible with 2.6.22 kernels, and was implemented with the "mmap_min_addr" sysctl setting. See this article for more information.


Block module loading

It is possible to remove CAP_SYS_MODULE from the system-wide capability bounding set, which would stop any new kernel modules from being loaded. This is another layer of protection to stop kernel rootkits from being installed. This feature to block module loading can be enabled by writing 1 to /proc/sys/kernel/modules_disabled.


/dev/mem protection

Some applications (Xorg) need direct access to the physical memory from user-space. The special file /dev/mem exists to provide this access. In the past, it was possible to view and change kernel memory from this file if an attacker had root access. See this page and this page for details. Note that this option is called STRICT_DEVMEM in current kernels.


/dev/kmem disabled

There is no modern user of /dev/kmem any more beyond attackers using it to load kernel rootkits. CONFIG_DEVKMEM is set to n.


Module RO/NX

This feature extends CONFIG_DEBUG_RODATA to include similar restrictions for loaded modules in the kernel. This can help resist future kernel exploits that depend on various memory regions in loaded modules. Enabled via the CONFIG_DEBUG_SET_MODULE_RONX option. Note that the name of this option was changed to CONFIG_HARDENED_MODULE_MAPPINGS first, then renamed to CONFIG_STRICT_MODULE_RWX.


Kernel Address Display Restriction

When attackers try to develop run-anywhere exploits for kernel vulnerabilities, they frequently need to know the location of internal kernel structures. By treating kernel addresses as sensitive information, those locations are not visible to regular local users. /proc/sys/kernel/kptr_restrict is set to 1 to block the reporting of known kernel address leaks. Additionally, various files and directories were made readable only by the root user: /boot/vmlinuz, /boot/System.map, /sys/kernel/debug/, /proc/slabinfo.

This feature was introduced in Red Hat Enterprise Linux 6. See RHEL-6 release notes and kernel sysctl documentation.


Blacklist Rare Protocols

Normally the kernel allows all network protocols to be autoloaded on demand. Many of these protocols are old, rare, or generally of little use to the average Fedora user and may contain undiscovered exploitable vulnerabilities. These include: ax25, netrom, x25, rose, decnet, econet, rds, and af_802154. If any of the protocols are needed, they can be specifically loaded via modprobe, or the /etc/modprobe.d/blacklist-rare-network.conf file can be updated to remove the blacklist entry. A FESCo proposal to do this for Fedora is in progress.


Write-protect kernel .rodata sections

Enabled write-protection for kernel read-only data structures by default. See this commit for details. This makes sure that certain kernel data sections are marked to block modification. This helps protect against some classes of kernel rootkits. Enabled via the CONFIG_DEBUG_RODATA option. Note that the name of this option was renamed to CONFIG_STRICT_KERNEL_RWX.


Kernel Stack Protector

Similar to the stack protector used for ELF programs in userspace, the kernel can protect its internal stacks as well. This feature is enabled via the CONFIG_CC_STACKPROTECTOR option.

See commits 1, 2 and 3 for more details.


sVirt labelling

Support for sVirt labelling to provide security over guest instances. See this page for more information.


SYN cookies

When a system is overwhelmed by new network connections, SYN cookie use is activated, which helps mitigate a SYN-flood attack. This feature can be controlled by the /proc/sys/net/ipv4/tcp_syncookies file.


Syscall Filtering

Programs can filter out the availability of kernel syscalls by using the seccomp_filter interface. This is done in containers or sandboxes that want to further limit the exposure to kernel interfaces when potentially running untrusted software.


Secure Boot Support

"Secure Boot" describes a UEFI feature by which malware is prevented from inserting itself into the boot process before the operating system loads.

The Secure Boot technology is not supported in Red Hat Enterprise Linux 6. Systems using UEFI Specification 2.2 or later must have Secure Boot disabled in order to install and run Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 7 offers UEFI Secure Boot support by including a kernel and associated drivers that are signed by a UEFI CA certificate. See also UEFI Secure Boot Documentation in Red Hat Enterprise Linux 7.

For more in-depth information about Secure Boot see UEFI Secure Boot in Modern Computer Security Solutions, this, this and this.


Additional Documentation

Legacy Matrix

Legend (cell shading in the original table): By Default, Available, Unimplemented

| Security Features | RHEL 3 | RHEL 4 | RHEL 5 | RHEL 6 | RHEL 7 | Fedora 24 | Fedora 27 | Rawhide |
| Configuration | | | | | | | | |
| Configurable Firewall | iptables | iptables | iptables | iptables | iptables | firewalld | firewalld | firewalld |
| Signed updates | yum | yum | yum | yum | yum | yum / dnf | yum / dnf | yum / dnf |
| Password hashing | md5crypt | md5crypt | md5crypt | sha512crypt | sha512crypt | sha512crypt | sha512crypt | sha512crypt |
| Subsystems | | | | | | | | |
| Filesystem Capabilities | -- | Y | Y | Y | Y | Y | Y | Y |
| PR_SET_SECCOMP | -- | -- | -- | -- | Y | Y | Y | Y |
| Mandatory Access Control | | | | | | | | |
| SELinux | N | Y | Y | Y | Y | Y | Y | Y |
| SELinux targeted policy | N | Y | Y | Y | Y | Y | Y | Y |
| SELinux Executable Memory Protection | N | N | Y | Y | Y | Y | Y | Y |
| SELinux user confinement | N | N | Y | Y | Y | Y | Y | Y |
| SELinux XACE | N | N | N | Y | Y | Y | Y | Y |
| SELinux sandbox | N | N | N | Y | Y | Y | Y | Y |
| SELinux Deny Ptrace | N | N | N | N | Y | Y | Y | Y |
| SELinux restricted module loading | N | N | ? | ? | Y | Y | Y | Y |
| User namespaces | N | N | N | N | N | N | Y | Y |
| /tmp namespace for systemd | N | N | N | N | Y | Y | Y | Y |
| Polyinstantiate /tmp, /var/tmp and user home folders | N | N | N | Y | Y | Y | Y | Y |
| Filesystem Encryption | | | | | | | | |
| Encrypted LVM | ? | ? | Y | Standard Installer | Standard Installer | Standard Installer | Standard Installer | Standard Installer |
| eCryptfs | N | N | Y | Y | Y | Optional Package | Optional Package | Optional Package |
| User Space Hardening | | | | | | | | |
| Non-Executable Memory (NX) | Y (since 9/2004) | Y | Y | Y | Y | Y | Y | Y |
| Built as PIE | package list (since 9/2004) | package list | package list | package list | package list | Y | Y | Y |
| Pointer Obfuscation | N | N | Y | Y | Y | glibc | glibc | glibc |
| Heap Protector | N | glibc | glibc | glibc | glibc | glibc | glibc | glibc |
| Built with Fortify Source | N | Y | Y | Y | Y | Y | Y | Y |
| Stack Protector | N | N | Y | Y | Y | Y | Y | Y |
| Strong Stack Protector | -- | -- | -- | -- | -- | Y | Y | Y |
| Built with Format Security | -- | -- | -- | -- | -- | Y | Y | Y |
| Stack ASLR | Y (since 9/2004) | Y | Y | Y | Y | Y | Y | Y |
| Libs/mmap ASLR | Y (since 9/2004) | Y | Y | Y | Y | Y | Y | Y |
| Exec ASLR | (since 9/2004) | Y | Y | Y | Y | Y | Y | Y |
| brk ASLR | N | N | ? | Y | Y | Y | Y | Y |
| VDSO ASLR | no vDSO | Y | Y | Y | Y | Y | Y | Y |
| Built with RELRO | -- | -- | -- | -- | gcc patch | Y | Y | Y |
| Built with BIND_NOW | N | ? | package list | package list | package list | Y | Y | Y |
| /proc/$pid/maps protection | -- | -- | -- | -- | Y | Y | Y | Y |
| Symlink restrictions | N | N | N | N | Y | Y | Y | Y |
| Hardlink restrictions | N | N | N | N | Y | Y | Y | Y |
| ptrace scope | N | N | N | N | N | N | Y | Y |
| Overflow checking in new operator | N | N | N | N | Y | Y | Y | Y |
| Crypto Policy | -- | -- | -- | -- | -- | Y | Y | Y |
| Tamper Resistant Logs | N | N | N | N | Y | Y | Y | Y |
| Kernel Hardening | | | | | | | | |
| 0-address protection | Y (since 11/2009) | Y (since 9/2009) | Y (since 5/2008) | Y | Y | Y | Y | Y |
| Block module loading | Y | Y | Y | Y | Y | Y | Y | Y |
| /dev/mem protection | N | Y | Y | Y | Y | Y | Y | Y |
| /dev/kmem disabled | N | Y | Y | Y | Y | Y | Y | Y |
| Module RO/NX | -- | -- | -- | -- | Y | Y | Y | Y |
| Kernel Address Display Restriction | -- | -- | -- | -- | Y | Y | Y | Y |
| Blacklist Rare Protocols | Y | Y | Y | Y | Y | Y | Y | Y |
| Write-protect kernel .rodata sections | N | N | N | Y | Y | Y | Y | Y |
| Kernel Stack Protector | N | N | N | Y | Y | Y | Y | Y |
| sVirt labelling | N | N | N | Y | Y | Y | Y | Y |
| SYN cookies | ? | Y | Y | Y | Y | Y | Y | Y |
| Syscall Filtering | N | N | N | ? | Y | Y | Y | Y |
| Secure Boot Support | N | N | N | N | Y | Y | Y | Y |