Thanks to a comment by Andy, the guide now has information about additional settings: stackprotector, read-only data, restricting access to /dev/mem, disabling /proc/kcore and restricting kernel syslog (dmesg). One suggestion he made didn't make it into the guide (about CONFIG_DEBUG_STACKOVERFLOW), since I can't find any resources on how that setting would make the system more secure or more resilient against attacks.

Under the hood, the OVAL now correctly identifies unset variables. It previously searched for "is not set" strings in the kernel configuration; now it searches for the key's definition (e.g. "CONFIG_PROC_KCORE=") and reports the option as unset if it doesn't find one, since that covers both the definition being absent entirely and the "# CONFIG_PROC_KCORE has not been set" comment form.
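The difference between the two approaches, as an added example that is not part of the guide or its OVAL content: both checks run over a few constructed kernel config fragments (option set, option commented out, option absent, and a hypothetical longer option name that shares the prefix), and only the "NAME=" definition lookup treats the absent case as unset.

```python
# Constructed sample fragments of a kernel .config / /boot/config-* file.
# CONFIG_PROC_KCORE_EXTRA is a hypothetical name used only to show why the
# trailing '=' in the needle matters.
SAMPLE_CONFIGS = {
    "kcore_enabled":     "CONFIG_PROC_KCORE=y\nCONFIG_STRICT_DEVMEM=y\n",
    "kcore_commented":   "# CONFIG_PROC_KCORE is not set\nCONFIG_STRICT_DEVMEM=y\n",
    "kcore_absent":      "CONFIG_STRICT_DEVMEM=y\n",
    "kcore_prefix_only": "CONFIG_PROC_KCORE_EXTRA=y\n",
}


def _lines(config_text: str):
    """Yield config lines with surrounding whitespace removed."""
    return (line.strip() for line in config_text.splitlines())


def legacy_is_unset(config_text: str, name: str) -> bool:
    """The old check: look for the literal '# NAME is not set' comment.
    An option that is simply missing from the file is NOT recognised."""
    return any(line == f"# {name} is not set" for line in _lines(config_text))


def option_is_unset(config_text: str, name: str) -> bool:
    """The corrected check: the option is unset when no line defines it,
    i.e. no line starts with 'NAME='. This covers both a missing entry and
    the commented-out form, and the '=' keeps NAME_EXTRA=y from matching."""
    needle = name + "="
    return not any(line.startswith(needle) for line in _lines(config_text))


def option_value(config_text: str, name: str):
    """Return the value of 'NAME=value', or None when the option is unset."""
    needle = name + "="
    for line in _lines(config_text):
        if line.startswith(needle):
            return line[len(needle):]
    return None


def audit(config_text: str) -> dict:
    """Evaluate the two options used in the samples. Expected values follow
    the guide's intent (kcore disabled, /dev/mem access restricted)."""
    return {
        "CONFIG_PROC_KCORE_unset": option_is_unset(config_text, "CONFIG_PROC_KCORE"),
        "CONFIG_STRICT_DEVMEM_y": option_value(config_text, "CONFIG_STRICT_DEVMEM") == "y",
    }


if __name__ == "__main__":
    for label, text in SAMPLE_CONFIGS.items():
        print(label, audit(text))
```

Running the same functions against a real `/boot/config-$(uname -r)` only requires reading that file into `config_text`.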

