ANSSI-BP-028 (high)
Rules and Groups employed by this XCCDF Profile
-
Detect stack corruption on calls to schedule()
This option checks for a stack overrun on calls to schedule(). If the stack end location is found to be overwritten always panic as the content of the corrupted region can no longer be trusted. Thi...Rule Medium Severity -
Harden slab freelist metadata
This feature protects integrity of the allocator's metadata. This configuration is available from kernel 4.14. The configuration that was used to build kernel is available at <code>/boot/config-*<...Rule Medium Severity -
Randomize slab freelist
Randomizes the freelist order used on creating new pages. This configuration is available from kernel 5.9, but may be available if backported by distros. The configuration that was used to build k...Rule Medium Severity -
Disallow merge of slab caches
For reduced kernel memory fragmentation, slab caches can be merged when they share the same size and other characteristics. This carries a risk of kernel heap overflows being able to overwrite obje...Rule Medium Severity -
Stack Protector buffer overlow detection
This feature puts, at the beginning of functions, a canary value on the stack just before the return address, and validates the value just before actually returning. This configuration is available...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules