Debug
No debuggers shall be present on the file system. This includes, but is not limited to, the GNU Debugger client/server (commonly known in their short form names such as the gdb and gdbserver executable binaries respectively), the LLDB next generation debugger or the TCF (Target Communications Framework) agnostic framework. Including these binaries as part of the file system will facilitate an attacker's ability to reverse engineer and debug (either locally or remotely) any process that is currently executing on the device.
Kernel debug symbols
Debug symbols should always be removed from production kernels as they provide a lot of information to attackers.
| Domain | Config name |
Value |
|---|---|---|
| Kernel-Debug-Symbols-1 | CONFIG_DEBUG_INFO |
n |
These kernel debug symbols are enabled by other config items in the kernel. Care should be taken to disable those also. If CONFIG_DEBUG_INFO cannot be disabled, then enabling CONFIG_DEBUG_INFO_REDUCED is second best.
At least CONFIG_DEBUG_INFO_REDUCED should be always enabled for developers to convert addresses in oops messages to line numbers.
Disable Kprobes
Kprobes enables you to dynamically break into any kernel routine and collect debugging and performance information non-disruptively. You can trap at almost any kernel code address, specifying a handler routine to be invoked when the breakpoint is hit.
| Domain | Config name |
Value |
|---|---|---|
| Kernel-Debug-Kprobes-1 | CONFIG_KPROBES |
n |
Disable Tracing
FTrace enables the kernel to trace every kernel function. Providing kernel trace functionality would assist an attacker in discovering attack vectors.
| Domain | Config name |
Value |
|---|---|---|
| Kernel-Debug-Tracing-1 | CONFIG_FTRACE |
n |
Disable Profiling
Profiling and OProfile enables profiling the whole system, include the kernel, kernel modules, libraries, and applications. Providing profiling functionality would assist an attacker in discovering attack vectors.
| Domain | Config name |
Value |
|---|---|---|
| Kernel-Debug-Profiling-1 | CONFIG_OPROFILE |
n |
| Kernel-Debug-Profiling-2 | CONFIG_PROFILING |
n |
Disable OOPS print on BUG()
The output from OOPS print can be helpful in Return Oriented Programming (ROP) when trying to determine the effectiveness of an exploit.
| Domain | Config name |
Value |
|---|---|---|
| Kernel-Debug-OOPSOnBUG-1 | CONFIG_DEBUG_BUGVERBOSE |
n |
Disable Kernel Debugging
There are development-only branches of code in the kernel enabled by the DEBUG_KERNEL conf. This should be disabled to compile-out these branches.
| Domain | Config name |
Value |
|---|---|---|
| Kernel-Debug-Dev-1 | CONFIG_DEBUG_KERNEL |
n |
| Kernel-Debug-Dev-2 | CONFIG_EMBEDDED |
n |
In some kernel versions, disabling this requires also disabling CONFIG_EMBEDDED, and CONFIG_EXPERT. Disabling CONFIG_EXPERT makes it impossible to disable COREDUMP, DEBUG_BUGVERBOSE, NAMESPACES, KALLSYMS and BUG. In which case it is better to leave this enabled than enable the others.
Disable the kernel debug filesystem
The kernel debug filesystem presents a lot of useful information and means of manipulation of the kernel to an attacker.
| Domain | Config name |
Value |
|---|---|---|
| Kernel-Debug-FileSystem-1 | CONFIG_DEBUG_FS |
n |
Disable BUG() support
The kernel will display backtrace and register information for BUGs and WARNs in kernel space, making it easier for attackers to develop exploits.
| Domain | Config name |
Value |
|---|---|---|
| Kernel-Debug-BUG-1 | CONFIG_BUG |
n |
Disable core dumps
Core dumps provide a lot of debug information for hackers. So disabling core dumps are recommended in production builds.
This configuration is supported in Linux 3.7 and greater and thus should only be disabled for such versions.
| Domain | Config name |
Value |
|---|---|---|
| Kernel-Debug-CoreDumps-1 | CONFIG_COREDUMP |
n |
Kernel Address Display Restriction
When attackers try to develop "run anywhere" exploits for kernel vulnerabilities, they frequently need to know the location of internal kernel structures. By treating kernel addresses as sensitive information, those locations are not visible to regular local users.
/proc/sys/kernel/kptr_restrict is set to "1" to block the reporting of known kernel address leaks.
| Domain | File name |
Value |
|---|---|---|
| Kernel-Debug-AdressDisplay-1 | /proc/sys/kernel/kptr_restrict |
1 |
Additionally, various files and directories should be readable only by the root user: /boot/vmlinuz*, /boot/System.map*, /sys/kernel/debug/, /proc/slabinfo
| Domain | File or Directorie name |
State |
|---|---|---|
| Kernel-Debug-AdressDisplay-1 | /boot/vmlinuz* |
Readable Only for root user |
| Kernel-Debug-AdressDisplay-2 | /boot/System.map* |
Readable Only for root user |
| Kernel-Debug-AdressDisplay-3 | /sys/kernel/debug/ |
Readable Only for root user |
| Kernel-Debug-AdressDisplay-4 | /proc/slabinfo |
Readable Only for root user |
DMESG Restrictions
When attackers try to develop "run anywhere" exploits for vulnerabilities, they frequently will use dmesg output. By treating dmesg output as sensitive information, this output is not available to the attacker.
/proc/sys/kernel/dmesg_restrict can be set to "1" to treat dmesg output as sensitive.
| Domain | File name |
Value |
|---|---|---|
| Kernel-Debug-DMESG-1 | /proc/sys/kernel/dmesg_restrict |
1 |
Enable the below compiler and linker options when building user-space applications to avoid stack smashing, buffer overflow attacks.
Disable /proc/config.gz
It is extremely important to not expose the kernel configuration used on a production device to a potential attacker. With access to the kernel config, it could be possible for an attacker to build a custom kernel for the device that may disable critical security features.
| Domain | Config name |
Value |
|---|---|---|
| Kernel-Debug-Config-1 | CONFIG_IKCONFIG |
n |