DRAFT - ANSSI-BP-028 (high)
Rules and Groups employed by this XCCDF Profile
-
Perform full reference count validation
Enabling this switches the refcounting infrastructure from a fast unchecked atomic_t implementation to a fully state checked implementation, which can have a slight impact in performance. This conf...Rule Medium Severity -
Avoid speculative indirect branches in kernel
Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect branches. Requires a compiler with -mindirect-branch=thunk-extern supp...Rule Medium Severity -
Detect stack corruption on calls to schedule()
This option checks for a stack overrun on calls to schedule(). If the stack end location is found to be overwritten always panic as the content of the corrupted region can no longer be trusted. Thi...Rule Medium Severity -
Enable seccomp to safely compute untrusted bytecode
This kernel feature is useful for number crunching applications that may need to compute untrusted bytecode during their execution. By using pipes or other transports made available to the process ...Rule Medium Severity -
Enable use of Berkeley Packet Filter with seccomp
Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement task-defined system call filtering polices. The configuration that was used ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules