Zarhus OS: Base OS – Yocto/ Security (Reduce kernel attack surface)

2450,00  (ex. VAT)

In order to improve security of the system the kernel attack surface can be reduced. To do that, specific configurations need to be applied which do not allow to boot system from unused filesystems or turn off any support for debugging the kernel.

    Features:

  • Secure kernel configuration which don’t have:
    • debugfs
    • unused filesystems
    • /proc/config.gz exposed
    • ftrace support
    • other debug switches like CONFIG_MAGIC_SYSRQ, CONFIG_BUG, CONFIG_*_DEBUG etc.
  • Protective kernel configuration with:
    • CONFIG_CMDLINE_BOOL – enables the kernel command line to be hardcoded directly into the kernel
    • CONFIG_DEBUG_STACKOVERFLOW – enables messages to be printed if free stack space drops below a certain limit
    Inputs

  • What types of filesystems are required at the target image eg.:
    • network filesystems
    • base filesystem eg. ext4
    • support for specific filesystem
    • What kind of kernel modules are required at the target image
    Deliverables

  • Report showing the differences between the base and changed Linux kernel with reduced attack surface (generic, Copyright 3mdeb, MIT license)
x
Category: