Strong Stack Protector

An XCCDF Rule

Description

This features adds canary logic protection to more kinds of vulnerable functions than CONFIG_STACKPROTECTOR, but not to all functions so that performance is not severily impacted. This configuration is available from kernel 4.18. This config requires gcc version 4.9 or above, or a distribution gcc with the feature backported ("-fstack-protector-strong"). The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_STACKPROTECTOR_STRONG, run the following command: grep CONFIG_STACKPROTECTOR_STRONG /boot/config-* For each kernel installed, a line with value "y" should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

This provides a mechanism that protects more vulnerable functions than CONFIG_STACKPROTECTOR, balancing between security and performance.

ID: xccdf_org.ssgproject.content_rule_kernel_config_stackprotector_strong
Severity: Medium
References: BP28(R15)
Updated: about 1 year ago