Hardening the Linux kernel updates

Sven Vermeulen Sat 21 July 2012

Thanks to a comment by Andy, the guide now has information about additional settings: stackprotector, read-only data, restricting access to /dev/mem, disabling /proc/kcore and restricting the kernel syslog (dmesg). One suggestion he made didn't make it into the guide (about CONFIG_DEBUG_STACKOVERFLOW) since I can't find any resources on how that setting would make the system more secure or more resilient against attacks.

Under the hood, the OVAL content now correctly identifies unset variables. It previously searched for "is not set" strings in the kernel configuration; now it searches for the key's definition (e.g. "CONFIG_PROC_KCORE=") and reports the setting as unset when that string is not found, which covers both the definition being absent and the "# CONFIG_PROC_KCORE has not been set" form.
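The same "absent or commented out means unset" logic, written as a small Python checker rather than OVAL. This is an added example, not code from the guide or its OVAL content; the sample .config text is constructed, and the mapping of the settings above to kernel symbols (CONFIG_CC_STACKPROTECTOR, CONFIG_DEBUG_RODATA, CONFIG_STRICT_DEVMEM, CONFIG_SECURITY_DMESG_RESTRICT) is my assumption based on the 2012-era symbol names, which later kernels renamed.

```python
import re

# Constructed sample kernel configuration (not taken from a real system).
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_DEBUG_RODATA=y
# CONFIG_STRICT_DEVMEM is not set
# CONFIG_PROC_KCORE is not set
CONFIG_PROC_KCORE_EXTRA=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_LOG_BUF_SHIFT=17
"""

_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Map each option to its value; explicitly unset options map to None."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            values[m.group(1)] = None
    return values


def is_unset(values, option):
    """True when the option is absent from the file or marked 'is not set'.
    Whole-key matching: CONFIG_PROC_KCORE does not match CONFIG_PROC_KCORE_EXTRA."""
    return values.get(option) is None


# Assumed symbol names for the hardening settings; True = must be set, False = must be unset.
EXPECTATIONS = {
    "CONFIG_CC_STACKPROTECTOR": True,        # stack protector
    "CONFIG_DEBUG_RODATA": True,             # read-only kernel data
    "CONFIG_STRICT_DEVMEM": True,            # restrict access to /dev/mem
    "CONFIG_PROC_KCORE": False,              # /proc/kcore disabled
    "CONFIG_SECURITY_DMESG_RESTRICT": True,  # restrict kernel syslog (dmesg)
}


def audit(text, expectations=EXPECTATIONS):
    """Return {option: passed} by comparing set/unset state with each expectation."""
    values = parse_config(text)
    return {opt: (not is_unset(values, opt)) == want for opt, want in expectations.items()}
```

On a running system the same text can be read from /proc/config.gz (via gzip) or the /boot/config-* file for the booted kernel.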