Commit 36cf9e35 authored by Marius Gläß's avatar Marius Gläß Committed by Valerie Aurora

Added list of ubuntu security -> includes some concrete examples

parent b6a9d177
+71 −0
@@ -1095,6 +1095,75 @@ From BSI Operating Systems Protection Profile:
  * User-initiated
* Trusted channel (secure network access)

From Ubuntu Security Features:
* Privilege restriction
  * DAC / MAC
    * AppArmor
    * SELinux
    * SMACK
  * process privilege restrictions
    * PR_SET_SECCOMP
    * seccomp filtering
  * file system capabilities
* Storage and Filesystem
  * Full Disk Encryption
  * LVM Encryption
  * File Encryption
* Network and Firewalls
  * No Open Ports
  * SYN cookies
  * Firewall
* Cryptography
  * Password Hashing
  * Cloud PRNG Seed
  * Disabling Legacy TLS
* Process and memory protection
  * Sym-/Hard-Link restrictions
  * FIFO restrictions
  * (process-internal) memory protection
  * Stack Protector
  * Heap Protector
  * Stack ASLR
  * Libs/mmap ASLR
  * Exec ASLR
  * brk ASLR
  * vDOS ASLR
  * Default compiler and linker flags
    * Built as PIE
    * Built with Fortify Source
    * Built with RELRO
    * Built with BIND_NOW
    * Built with -fstack-clash-protection
    * Built with -fcf-protection
  * Non-Executable Memory
  * /proc/$pid/maps protection
  * ptrace scope
  * 0-address protection
  * /dev/mem protection
* Kernel protections
  * Kernel Lockdown
  * /dev/kmem disabled
  * Block module loading 
  * Read-only data sections
  * Kernel Stack protector
  * Module RO/NX
  * Kernel Address Display Restriction
  * kASLR
  * denylist rare protocols
  * dmesg restriction
  * Block kexec
* Platform protections
  * UEFI Secure Boot
  * usb-related
    * usbguard
    * usbauth
    * bolt
    * thunderbolt-tools
  * TPM
* Security updates
  * Livepatch
  * Automatic security updates

Random ideas

* Disable debugging interfaces in many many places
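Review bot: "vDOS ASLR" under "Process and memory protection" is a typo for "vDSO ASLR" (randomisation of the vDSO mapping); please fix the added line. Two smaller points in the same hunk: "(process-internal) memory protection" is vague next to the concrete entries that follow it (Stack Protector, Heap Protector, the ASLR variants), so either name the mechanism meant or drop the item in favour of those entries; and the block is introduced as "From Ubuntu Security Features:" without a reference, so cite the source page (the Ubuntu wiki Security/Features page) next to the heading, as readers cannot otherwise verify the feature names. Style nits: "Block module loading " has trailing whitespace, and "usb-related" is the only lower-case entry in an otherwise capitalised list.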
@@ -1172,6 +1241,8 @@ https://cs.android.com/android/platform/superproject/+/android-latest-release:ct
* Hardware Watchdog Timers: Detects and recovers from system hangs or malicious loops
* Secure Debug Interface Management: Disabling or restricting access through state-of-the-art security mechanisms debug access



## 5.3 Risk Mitigations

> **TODO**: Connect the technical security requirements in Section 5.2 to specific Risk Factors, and define these as sets of Risk Mitigations that will be referenced in section 6.
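Review bot: this hunk is whitespace only (the header goes from 6 to 8 lines and the only change is two extra blank lines before "## 5.3 Risk Mitigations"); consider dropping it so the commit stays limited to the content change, or fold it into whichever later commit fills in the TODO for that section.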