
Security Configuration Baseline

TEE_SECURITY_CONFIG_01: Enabling Kernel ASLR

Address Space Layout Randomization (ASLR) makes memory-corruption exploits such as buffer overflows harder to complete by placing the stack, the heap, shared libraries and (for position-independent executables) the main program at unpredictable addresses, so an attacker cannot rely on fixed addresses for return targets or code gadgets. kernel.randomize_va_space = 2 randomizes all of these, including the heap (brk) base; 1 leaves the heap unrandomized; 0 disables randomization entirely.

Check method:

Run the following command and check whether the output is 2.

cat /proc/sys/kernel/randomize_va_space

If the output is not 2, run the following command to rectify the fault:

echo 2 > /proc/sys/kernel/randomize_va_space

Writing to /proc/sys changes the running kernel only; the value is lost at the next boot. To make it persistent, also add kernel.randomize_va_space = 2 to /etc/sysctl.conf or a file under /etc/sysctl.d/ and apply it with sysctl --system. The same applies to every /proc/sys setting in this baseline.

TEE_SECURITY_CONFIG_02: Configuring Core Dumps Properly

A core dump is a copy of a process's memory written to disk when the process is terminated by a signal such as SIGSEGV or SIGABRT. It is useful for locating faults, but it contains whatever the process held in memory (credentials, keys, session tokens, plaintext of the data being processed), so on production systems the function should be disabled.

Check method:

Run the following command and check whether the output is 0.

# ulimit -c

If the output is not 0, run the following command to rectify the fault:

# ulimit -c 0

Note that ulimit -c reports and sets only the soft limit of the current shell and of processes started from it; already-running daemons and services started by init are unaffected, and a process can raise a soft limit of 0 back up to the hard limit with setrlimit(2). For a system-wide setting, set both the hard and the soft core limit to 0 in /etc/security/limits.conf (enforced by pam_limits) and verify the hard limit with ulimit -Hc. Also check kernel.core_pattern: if it starts with "|", dumps are piped to a helper program and the kernel leaves enforcement of the core size limit to that helper.
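The check above only sees the shell it runs in. As an added example, not part of the baseline document, the following helpers read the core limit a running process actually has from /proc/<pid>/limits, reject a configuration in which only the soft limit is 0, recognize a piped core_pattern, and print the limits.conf lines that make the setting system-wide. The function names and the sample /proc/<pid>/limits text are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the baseline document. "ulimit -c" shows only the
# soft limit of the shell you are typing in; daemons started by init never saw
# that shell. These helpers read the limit a given process actually runs with
# (/proc/<pid>/limits) and print a persistent, system-wide limits.conf entry.
# Function names and the SAMPLE_LIMITS text are constructed for this example.

# core_limits_from_text: read /proc/<pid>/limits on stdin, print "soft hard"
# for the "Max core file size" row (each is a byte count or "unlimited").
core_limits_from_text() {
    awk '/^Max core file size/ { print $5, $6 }'
}

# core_dumps_disabled "SOFT HARD": true only when both limits are 0. A soft
# limit of 0 alone is not enough: the process can raise it back with
# setrlimit(2) up to the hard limit.
core_dumps_disabled() {
    set -- $1
    [ "$1" = "0" ] && [ "$2" = "0" ]
}

# core_dumps_disabled_for_pid PID: apply the check to a running process.
core_dumps_disabled_for_pid() {
    limits=$(core_limits_from_text < "/proc/$1/limits") || return 2
    core_dumps_disabled "$limits"
}

# core_pattern_is_pipe PATTERN: true when kernel.core_pattern hands dumps to a
# helper program; the kernel then leaves RLIMIT_CORE enforcement to that helper,
# so the limit alone does not guarantee that nothing gets written.
core_pattern_is_pipe() {
    case $1 in '|'*) return 0 ;; esac
    return 1
}

# limits_conf_entry: the persistent equivalent of "ulimit -c 0" for every PAM
# session (append to /etc/security/limits.conf; requires pam_limits).
limits_conf_entry() {
    printf '%s\n' '* hard core 0' '* soft core 0'
}

# Constructed sample of /proc/<pid>/limits (not a real capture): soft limit 0,
# hard limit unlimited, i.e. the process could re-enable its own core dumps.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max core file size        0                    unlimited            bytes
Max open files            1024                 4096                 files'

# Demo on the sample; on a live system use e.g. core_dumps_disabled_for_pid 1
limits=$(printf '%s\n' "$SAMPLE_LIMITS" | core_limits_from_text)
if core_dumps_disabled "$limits"; then
    echo "sample: core dumps disabled (soft/hard: $limits)"
else
    echo "sample: core dumps NOT fully disabled (soft/hard: $limits)"
fi
```

Run it as a script for the demo, or source it and call core_dumps_disabled_for_pid on the PID of each service that handles sensitive data; a soft limit of 0 with an unlimited hard limit, as in the sample, fails the check on purpose.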

TEE_SECURITY_CONFIG_03: Disabling SysRq

The magic SysRq key lets anyone with a keyboard on the console (or root, via /proc/sysrq-trigger) send commands straight to the kernel: reboot or power off the machine, kill all processes, dump memory and task state, or remount file systems read-only. Because these bypass the normal access controls, the baseline requires the function to be disabled. kernel.sysrq is a bit mask: 0 disables every function, 1 enables all of them, and other values enable subsets, so only 0 passes this check.

Check method:

Run the following commands. The first prints the running value, which must be 0; the second shows whether the value is also persisted in the sysctl configuration (no output means it is not).

# cat /proc/sys/kernel/sysrq
# grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*

If the running value is greater than 0, run the following command to rectify the fault (and add kernel.sysrq = 0 to the sysctl configuration so it persists):

# echo 0 > /proc/sys/kernel/sysrq

TEE_SECURITY_CONFIG_04: Ensuring Proper dmesg Access Permission

Restrict read access to the kernel log (dmesg, syslog(2)). Kernel messages expose kernel addresses, hardware details, module names and driver errors that help an unprivileged attacker profile the system and defeat KASLR. With kernel.dmesg_restrict = 1 only processes with the CAP_SYSLOG capability can read the log; unprivileged users get "Operation not permitted". This minimizes the exposure of critical information.

Check method:

Run the following commands and check that kernel.dmesg_restrict is 1 both at run time and in the persisted sysctl configuration.

# sysctl kernel.dmesg_restrict
# grep "^kernel.dmesg_restrict" /etc/sysctl.conf /etc/sysctl.d/*

If either command shows a different value, run the following command to rectify the fault:

# echo 1 > /proc/sys/kernel/dmesg_restrict

TEE_SECURITY_CONFIG_05: Ensuring the Correct Configuration of the Kernel Parameter ptrace_scope

ptrace is the system call that debuggers such as gdb and strace use to observe and control another process: read and write its memory and registers, and intercept its system calls. By default any process may attach to any other process of the same user, so a compromised process can read credentials out of, or inject code into, every other process of that user. The Yama security module's kernel.yama.ptrace_scope restricts this: 1 allows attaching only to descendants, 2 allows ptrace only for processes with CAP_SYS_PTRACE, and 3 disables attaching entirely and cannot be lowered again without a reboot. The baseline requires 2. Expect non-root use of gdb, strace and similar tools to stop working; if the sysctl does not exist, Yama is not enabled in the running kernel.

Check method:

Run the following command to check whether kernel.yama.ptrace_scope is 2.

# sysctl kernel.yama.ptrace_scope

If the command output is not 2, run the following command to rectify the fault:

# echo 2 > /proc/sys/kernel/yama/ptrace_scope

TEE_SECURITY_CONFIG_06: Ensuring the Correct Configuration of the Kernel Parameter kptr_restrict

kernel.kptr_restrict controls whether kernel pointers printed through the %pK format (for example in /proc/kallsyms and /proc/modules) are revealed to unprivileged users. With a low setting, any user can read kernel symbol addresses, which defeats KASLR and hands an attacker with a kernel memory-corruption bug the exact addresses to target. With 1, such pointers are printed as zeros unless the reader has CAP_SYSLOG; 2 hides them from everyone, including root.

Check method:

Run the following command to check whether kernel.kptr_restrict is 1.

# sysctl kernel.kptr_restrict

If the command output is not 1, run the following command to rectify the fault:

# echo 1 > /proc/sys/kernel/kptr_restrict
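The five sysctl items above (01 and 03 to 06) are checked one file at a time. The following script, an added example rather than part of the baseline or its tooling, audits them in one pass, distinguishes a failing value from a sysctl that does not exist on the running kernel, and renders a sysctl.d drop-in so the values survive a reboot. The BASELINE table, the SYSFS_ROOT override and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the baseline document: audit the sysctl items
# TEE_SECURITY_CONFIG_01 and 03 to 06 in one pass and render a persistent fix.
# Assumptions introduced here: the BASELINE table, and SYSFS_ROOT, which is
# normally /proc/sys but can be pointed at a copied or test tree.
SYSFS_ROOT="${SYSFS_ROOT:-/proc/sys}"

# "sysctl.key expected_value", one per line (values taken from the items above)
BASELINE='
kernel.randomize_va_space 2
kernel.sysrq 0
kernel.dmesg_restrict 1
kernel.yama.ptrace_scope 2
kernel.kptr_restrict 1
'

# Map a sysctl key to its procfs file: kernel.yama.ptrace_scope -> kernel/yama/ptrace_scope
sysctl_path() {
    printf '%s/%s\n' "$SYSFS_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# check_sysctl KEY EXPECTED: print one result line.
# Returns 0 on PASS, 1 on FAIL, 2 on SKIP (the key does not exist on this
# kernel, e.g. kernel.yama.ptrace_scope when the Yama LSM is not enabled).
check_sysctl() {
    key=$1; want=$2
    path=$(sysctl_path "$key")
    if [ ! -r "$path" ]; then
        printf 'SKIP %s (not present on this kernel)\n' "$key"
        return 2
    fi
    read -r value < "$path"
    if [ "$value" = "$want" ]; then
        printf 'PASS %s = %s\n' "$key" "$value"
        return 0
    fi
    printf 'FAIL %s = %s (expected %s)\n' "$key" "$value" "$want"
    return 1
}

# audit_baseline: run every check; the return value is the number of FAILs
# (SKIPs are reported but not counted).
audit_baseline() {
    fails=0
    set -- $BASELINE
    while [ $# -ge 2 ]; do
        if check_sysctl "$1" "$2"; then
            :
        elif [ $? -eq 1 ]; then
            fails=$((fails + 1))
        fi
        shift 2
    done
    return "$fails"
}

# render_sysctl_dropin: print a sysctl.d drop-in pinning every value, because
# "echo N > /proc/sys/..." does not survive a reboot.
render_sysctl_dropin() {
    set -- $BASELINE
    printf '# Security baseline kernel settings; apply with: sysctl --system\n'
    while [ $# -ge 2 ]; do
        printf '%s = %s\n' "$1" "$2"
        shift 2
    done
}

# Usage as root:
#   sh baseline_sysctl.sh            # audit; exit status = number of failures
#   sh baseline_sysctl.sh dropin > /etc/sysctl.d/99-security-baseline.conf && sysctl --system
case ${1:-audit} in
    audit)  audit_baseline ;;
    dropin) render_sysctl_dropin ;;
esac
```

A SKIP is deliberately not a failure: on a kernel built without Yama the ptrace_scope file is absent, and treating that as a failed value would hide the real finding, which is that the LSM is missing.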

TEE_SECURITY_CONFIG_07: Ensuring That SMAP Is Enabled in the Kernel

Supervisor Mode Access Prevention (SMAP) is an x86 CPU feature that makes the kernel fault when it reads or writes user-space memory outside the explicitly marked copy routines (copy_from_user and friends). Without it, a kernel bug that can be steered to a user-controlled pointer lets the attacker feed data structures of their choosing to the kernel from a page they fully control, which greatly simplifies exploitation and enlarges the attack surface. Booting with the nosmap option turns the protection off even on CPUs that support it.

  • Check method:

    Run the following command. If the output contains nosmap, SMAP was disabled on the kernel command line; otherwise SMAP is enabled. If the CPU does not support SMAP (there is no smap entry in the flags line of /proc/cpuinfo), skip this check item.

    # cat /proc/cmdline | grep -i "nosmap"
    BOOT_IMAGE=/vmlinuz-4.18.0-147.5.1.6.h425.eulerosv2r9.x86_64 root=/dev/mapper/euleros-root ro
    crash_kexec_post_notifiers softlockup_panic=1 panic=3 reserve_kbox_mem=16M nmi_watchdog=1
    fsck.mode=auto fsck.repair=yes crashkernel=512M resume=/dev/mapper/euleros-swap
    rd.lvm.lv=euleros/root rd.lvm.lv=euleros/swap rd.shell=0 quiet nosmap
  • Rectification method:

    If SMAP is disabled, delete the nosmap option from the kernel command line in the grub.cfg file. The modification takes effect after a restart. Note that grub.cfg is regenerated by grub2-mkconfig from /etc/default/grub, so also remove nosmap from GRUB_CMDLINE_LINUX there; otherwise the option returns the next time the file is regenerated, for example after a kernel update.

    • If the boot mode is UEFI, run the following command to open the grub.cfg file and delete the nosmap option from the startup parameter.
      # vim /boot/efi/EFI/openEuler/grub.cfg
    • If the boot mode is legacy, run the following command to open the grub.cfg file and delete the nosmap option from the startup parameter.
      # vim /boot/grub2/grub.cfg

TEE_SECURITY_CONFIG_08: Ensuring That SMEP Is Enabled in the Kernel

Supervisor Mode Execution Prevention (SMEP) is an x86 CPU feature that makes the kernel fault when it executes code from user-space pages. Without it, an attacker who controls a kernel function pointer or return address (a classic kernel exploit primitive) can redirect execution to shellcode mapped in their own process; with SMEP they must instead reuse code already present in the kernel, which is harder and is further complicated by KASLR. Booting with the nosmep option turns the protection off even on CPUs that support it.

  • Check method:

    Run the following command. If the output contains nosmep, SMEP was disabled on the kernel command line; otherwise SMEP is enabled. If the CPU does not support SMEP (there is no smep entry in the flags line of /proc/cpuinfo), skip this check item.

    # cat /proc/cmdline | grep -i "nosmep"
    BOOT_IMAGE=/vmlinuz-4.18.0-147.5.1.6.h425.eulerosv2r9.x86_64 root=/dev/mapper/euleros-root ro
    crash_kexec_post_notifiers softlockup_panic=1 panic=3 reserve_kbox_mem=16M nmi_watchdog=1
    fsck.mode=auto fsck.repair=yes crashkernel=512M resume=/dev/mapper/euleros-swap
    rd.lvm.lv=euleros/root rd.lvm.lv=euleros/swap rd.shell=0 quiet nosmep
  • Rectification method:

    If SMEP is disabled, delete the nosmep option from the kernel command line in the grub.cfg file. The modification takes effect after a restart. Because grub2-mkconfig regenerates grub.cfg from /etc/default/grub, also remove nosmep from GRUB_CMDLINE_LINUX there, or the option will be reintroduced when the file is next regenerated.

    • If the boot mode is UEFI, run the following command to open the grub.cfg file and delete the nosmep option from the startup parameter.
      # vim /boot/efi/EFI/openEuler/grub.cfg
    • If the boot mode is legacy, run the following command to open the grub.cfg file and delete the nosmep option from the startup parameter.
      # vim /boot/grub2/grub.cfg
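Both items above come down to the same two questions, whether the CPU has the feature and whether the boot line turned it off, and a fix made directly in grub.cfg is lost when the file is regenerated. The following script is an added example, not part of the baseline, that checks SMAP and SMEP together and previews /etc/default/grub with the offending option removed. The CPUINFO and CMDLINE overrides, the function names and the sample files used in the usage notes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the baseline document: check SMAP and SMEP in one
# go. A "nosmap"/"nosmep" boot option only matters on a CPU that advertises the
# feature, so the check reads both /proc/cpuinfo and /proc/cmdline. The CPUINFO
# and CMDLINE overrides, the function names and the grub handling are
# assumptions made for this example.
CPUINFO="${CPUINFO:-/proc/cpuinfo}"
CMDLINE="${CMDLINE:-/proc/cmdline}"

# cpu_has_flag FLAG: true if a "flags" line of cpuinfo lists FLAG as a whole word.
cpu_has_flag() {
    grep -E '^flags[[:space:]]*:' "$CPUINFO" | grep -qw -- "$1"
}

# cmdline_has_option OPT: true if OPT is a complete token on the kernel command
# line (so "nosmap" does not match a token that merely contains it).
cmdline_has_option() {
    tr ' ' '\n' < "$CMDLINE" | grep -qx -- "$1"
}

# check_feature FLAG DISABLE_OPTION: prints one line and returns
# 0 = PASS (supported, not disabled), 1 = FAIL (disabled at boot), 2 = SKIP (CPU lacks it).
check_feature() {
    if ! cpu_has_flag "$1"; then
        printf 'SKIP %s: CPU does not advertise it\n' "$1"
        return 2
    fi
    if cmdline_has_option "$2"; then
        printf 'FAIL %s: "%s" is present on the kernel command line\n' "$1" "$2"
        return 1
    fi
    printf 'PASS %s: supported and not disabled at boot\n' "$1"
    return 0
}

# strip_grub_option OPT FILE: print FILE (normally /etc/default/grub) with OPT
# removed from GRUB_CMDLINE_LINUX. Editing grub.cfg directly is undone the next
# time grub2-mkconfig regenerates it from this file, so fix the source, then
# regenerate grub.cfg with grub2-mkconfig -o <grub.cfg path from the steps above>.
strip_grub_option() {
    opt=$1
    set -f   # no pathname expansion while splitting the option string
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            GRUB_CMDLINE_LINUX=\"*\")
                value=${line#GRUB_CMDLINE_LINUX=\"}
                value=${value%\"}
                new=
                for word in $value; do
                    [ "$word" = "$opt" ] || new="$new${new:+ }$word"
                done
                line="GRUB_CMDLINE_LINUX=\"$new\""
                ;;
        esac
        printf '%s\n' "$line"
    done < "$2"
    set +f
}

# Usage:
#   sh smap_smep_check.sh                       # audit both features
#   sh smap_smep_check.sh strip nosmap [FILE]   # preview /etc/default/grub without nosmap
case ${1:-check} in
    check) check_feature smap nosmap; check_feature smep nosmep ;;
    strip) strip_grub_option "$2" "${3:-/etc/default/grub}" ;;
esac
```

The strip mode only prints; redirect its output to a temporary file, review it, copy it over /etc/default/grub, and then run grub2-mkconfig against the grub.cfg path for your boot mode and reboot.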