CBL-Mariner operating system security features

February 1, 2022 ยท View on GitHub

TypeFeatureStatusAdditional information
Networking
Configurable FirewallBy defaultiptables
SYN cookiesBy defaultCONFIG_SYN_COOKIES=y
Updates
Signed updatesBy defaulttdnf, dnf
Build options
Built as PIEBy default-fPIE, -pie
Built with Stack Protector StrongBy default-fstack-protector, -fstack-protector-strong
Built with Format SecurityBy default-Wformat-security
Built with Fortify SourceBy default_FORTIFY_SOURCE
Built with --enable-bind-nowBy default--enable-bind-now
Built with RELROBy defaultrelro
Address Space Layout
Randomization (ASLR)
Stack ASLRBy defaultAvailable in the mainline kernel since 2.6.15
Libs/mmap ASLRBy defaultAvailable in the mainline kernel since 2.6.15
Exec ASLRBy defaultAvailable in the mainline kernel since 2.6.25
brk ASLRBy defaultAvailable in the mainline kernel since 2.6.22
VDSO ASLRBy defaultAvailable for x86_64 in the mainline kernel since 2.6.22
Kernel hardening
/proc/$pid/maps protectionBy defaultEnabled by default since mainline kernel 2.6.27
Symlink restrictionsBy defaultfs.protected_symlinks
Hardlink restrictionsBy defaultfs.protected_hardlinks
0-address protectionBy defaultvm.mmap_min_addr
Kernel Address Display RestrictionBy defaultkernel.kptr_restrict
Block module loadingAvailablekernel.modules_disabled
/dev/mem protectionBy defaultCONFIG_STRICT_DEVMEM=y
/dev/kmem disabledBy defaultCONFIG_DEVKMEM=n
Kernel Module RO/NXBy defaultCONFIG_STRICT_MODULE_RWX=y
Write-protect kernel .rodata sectionsBy defaultCONFIG_STRICT_KERNEL_RWX=y
Kernel Stack ProtectorBy defaultCONFIG_STACKPROTECTOR=y
gcc/glibc hardening
Overflow checking in new operatorBy defaultgcc
Pointer ObfuscationBy defaultglibc pointer encryption
Heap Consistency CheckingBy defaultglibc Heap Consistency Checking
System call filtering
Syscall Filtering (seccomp)AvailableCONFIG_SECCOMP_FILTER=y
Seccomp sandboxAvailablePR_SET_SECCOMP
Process isolation
Ptrace MitigationAvailableYama
User namespacesAvailableCONFIG_USER_NS=y
Private /tmp for systemd servicesAvailablePrivateTmp
Polyinstantiate /tmp, /var/tmp,
and user home folders
Availablenamespace.conf
Mandatory access controlBy defaultSELinux
Encrypted Storage
Encrypted VolumesAvailableEncrypt during OS installation
Miscellaneous
Password hashingBy defaultSHA-512
Filesystem CapabilitiesAvailableCapabilities and chattr
Tamper Resistant LogsAvailablejournalctl --verify
Kernel LockdownIntegrity mode by defaultkernel lockdown

References

Fedora Project Security Features Matrix

Ubuntu Security Features