Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of openSUSE

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Enable poison without sanity check

    Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature. This config...
    Rule Medium Severity
    Show

  • Use zero for poisoning instead of debugging value

    Instead of using the existing poison value, fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization...
    Rule Medium Severity
    Show

  • Remove the kernel mapping in user mode

    This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace. This con...
    Rule High Severity
    Show

  • Kernel panic oops

    Enable the kernel to panic when it oopses. This has the same effect as setting oops=panic on the kernel command line. The configuration that was u...
    Rule Medium Severity
    Show

  • Kernel panic timeout

    Set the timeout value (in seconds) until a reboot occurs when the kernel panics. A timeout of 0 configures the system to wait forever. With a timeo...
    Rule Medium Severity
    Show

  • Disable support for /proc/kkcore

    Provides a virtual ELF core file of the live kernel. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. ...
    Rule Low Severity
    Show

  • Randomize the address of the kernel image (KASLR)

    In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical address at which the kernel image is decompressed and...
    Rule Medium Severity
    Show

  • Randomize the kernel memory sections

    Randomizes the base virtual address of kernel memory sections (physical memory mapping, vmalloc &amp; vmemmap). This configuration is available fro...
    Rule Medium Severity
    Show

  • net.ipv6.conf.all.accept_ra_pinfo

    Accept prefix information in router advertisements?
    Value
    Show

  • Avoid speculative indirect branches in kernel

    Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect branches. Requires a...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules