CBL-Mariner operating system security features

| Type | Feature | Status | Additional information |
|---|---|---|---|
| Configurable | Firewall | By default | iptables |
| | SYN cookies | By default | CONFIG_SYN_COOKIES=y |
| | Signed updates | By default | tdnf, dnf |
| Build options | Built as PIE | By default | -fPIE, -pie |
| | Built with Stack Protector Strong | By default | -fstack-protector, -fstack-protector-strong |
| | Built with Format Security | By default | -Wformat-security |
| | Built with Fortify Source | By default | _FORTIFY_SOURCE |
| | Built with --enable-bind-now | By default | --enable-bind-now |
| | Built with RELRO | By default | relro |
| Address Space Layout Randomization (ASLR) | Stack ASLR | By default | Available in the mainline kernel since 2.6.15 |
| | Libs/mmap ASLR | By default | Available in the mainline kernel since 2.6.15 |
| | Exec ASLR | By default | Available in the mainline kernel since 2.6.25 |
| | brk ASLR | By default | Available in the mainline kernel since 2.6.22 |
| | VDSO ASLR | By default | Available for x86_64 in the mainline kernel since 2.6.22 |
| Kernel hardening | /proc/$pid/maps protection | By default | Enabled by default since mainline kernel 2.6.27 |
| | Symlink restrictions | By default | fs.protected_symlinks |
| | Hardlink restrictions | By default | fs.protected_hardlinks |
| | 0-address protection | By default | vm.mmap_min_addr |
| | Kernel Address Display Restriction | By default | kernel.kptr_restrict |
| | Block module loading | Available | kernel.modules_disabled |
| | /dev/mem protection | By default | CONFIG_STRICT_DEVMEM=y |
| | /dev/kmem disabled | By default | CONFIG_DEVKMEM=n |
| | Kernel Module RO/NX | By default | CONFIG_STRICT_MODULE_RWX=y |
| | Write-protect kernel .rodata sections | By default | CONFIG_STRICT_KERNEL_RWX=y |
| | Kernel Stack Protector | By default | CONFIG_STACKPROTECTOR=y |
| gcc/glibc hardening | Overflow checking in new operator | By default | gcc |
| | Pointer Obfuscation | By default | glibc pointer encryption |
| | Heap Consistency Checking | By default | glibc Heap Consistency Checking |
| System call filtering | Syscall Filtering (seccomp) | Available | CONFIG_SECCOMP_FILTER=y |
| | Seccomp sandbox | Available | PR_SET_SECCOMP |
| Process isolation | Ptrace Mitigation | Available | Yama |
| | User namespaces | Available | CONFIG_USER_NS=y |
| | Private /tmp for systemd services | Available | PrivateTmp |
| | Polyinstantiate /tmp, /var/tmp, and user home folders | Available | namespace.conf |
| | Mandatory access control | By default | SELinux |
| Encrypted Storage | Encrypted Volumes | Available | Encrypt during OS installation |
| | Password hashing | By default | SHA-512 |
| | Filesystem Capabilities | Available | Capabilities and chattr |
| | Tamper Resistant Logs | Available | journalctl --verify |
| | Kernel Lockdown | Integrity mode by default | kernel lockdown |
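The sysctl-backed rows under Kernel hardening can be verified on a running host. The script below is an added example, not code from the CBL-Mariner project; it assumes a SYSCTL_ROOT variable (so the check can be run against a constructed /proc tree) and hardened minimums of 65536 for vm.mmap_min_addr and 1 for kernel.kptr_restrict, which the table itself does not state.

```shell
#!/bin/sh
# Added audit script (not part of the CBL-Mariner docs): reads the sysctls
# from the "Kernel hardening" rows and reports which are at a hardened value.
# SYSCTL_ROOT is an assumed knob for testing: it prefixes /proc/sys so the
# check can run against a constructed tree. Leave it unset on a live system.

# key:minimum pairs. The keys are the table's; the minimums 65536 for
# vm.mmap_min_addr and 1 for kernel.kptr_restrict are common hardened
# settings chosen here, not values the table states.
HARDENING_SPEC="fs.protected_symlinks:1
fs.protected_hardlinks:1
vm.mmap_min_addr:65536
kernel.kptr_restrict:1"

# Print a sysctl's value by reading its /proc/sys file, or "missing".
read_sysctl() {
    path="${SYSCTL_ROOT:-}/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        tr -d '[:space:]' < "$path"
    else
        echo missing
    fi
}

# Return 0 when every key in HARDENING_SPEC is readable and at or above
# its minimum, 1 otherwise. Each deviation is printed as a FAIL line.
audit_sysctls() {
    status=0
    for spec in $HARDENING_SPEC; do
        key=${spec%%:*}
        want=${spec#*:}
        have=$(read_sysctl "$key")
        case "$have" in
            ''|*[!0-9]*)
                echo "FAIL $key: unreadable ($have)"; status=1 ;;
            *)
                if [ "$have" -ge "$want" ]; then
                    echo "ok   $key=$have"
                else
                    echo "FAIL $key=$have (want >= $want)"; status=1
                fi ;;
        esac
    done
    return $status
}

# kernel.modules_disabled is listed as "Available", not a default, so it is
# reported for information rather than counted as a failure.
echo "info kernel.modules_disabled=$(read_sysctl kernel.modules_disabled)"
if audit_sysctls; then echo "sysctl audit passed"; else echo "deviations found"; fi
```

The CONFIG_* rows are not covered here because they come from the kernel build configuration (/proc/config.gz or /boot/config-$(uname -r)) rather than from /proc/sys.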


