Config notes
| Domain | Object | Recommendations | 
|---|---|---|
| Hardware-Integrity-1 | Bootloader | Must control bootloader integrity. | 
| Hardware-Integrity-2 | Board | Must use an HSM. | 
| Hardware-Integrity-3 | RTC | Must not be alterable. | 
| Domain | Object | Recommendations | 
|---|---|---|
| Hardware-Certificate-1 | System | Shall allow storing dedicated certificates. | 
| Hardware-Certificate-2 | ECU | The ECU must verify the certification authority hierarchy. | 
| Hardware-Certificate-3 | System | Allow the modification of certificates only if the source can be authenticated by a certificate already stored or in the higher levels of the chain of trust. | 
| Domain | Object | Recommendations | 
|---|---|---|
| Hardware-Memory-1 | ECU | The ECU shall never expose the unencrypted key in RAM when using cryptographic keys. | 
| Hardware-Memory-2 | Bootloader | Must be stored in internal NVM only. | 
| Hardware-Module-3 | - | HSM must be used to secure keys. | 
| Domain | Variable / Configname | Value | 
|---|---|---|
| Boot-Image-Selection-1 | CONFIG_BOOTDELAY | -2 (autoboot immediately; no key press is checked for, so the boot cannot be interrupted) | 
| Boot-Image-Selection-2 | bootdelay | -2 (same meaning, as the environment variable) | 
| Domain | Configname | State | 
|---|---|---|
| Boot-Image-Authenticity-1 | CONFIG_FIT | Enable | 
| Boot-Image-Authenticity-2 | CONFIG_FIT_SIGNATURE | Enable | 
| Boot-Image-Authenticity-3 | CONFIG_RSA | Enable | 
| Boot-Image-Authenticity-4 | CONFIG_OF_CONTROL | Enable | 
| Boot-Image-Authenticity-5 | CONFIG_OF_SEPARATE | Enable | 
| Boot-Image-Authenticity-6 | CONFIG_DEFAULT_DEVICE_TREE | Set to the board device tree (the control DTB in which the FIT verification public key is embedded) | 
| Domain | Communication modes | State | 
|---|---|---|
| Boot-Communication-1 | USB | Disabled and compiled out if not required. | 
| Boot-Communication-2 | USB | Otherwise, the kernel should be configured to enable only the minimum required USB devices, and filesystems on USB media should be treated with special care. | 
| Boot-Communication-3 | Ethernet | Disabled | 
| Boot-Communication-4 | U-boot and sboot DOCSIS | Disabled | 
| Boot-Communication-5 | Serial ports | Disabled | 
| Domain | Configname | State | 
|---|---|---|
| Boot-Communication-USB-1 | CONFIG_CMD_USB | Not defined | 
| Boot-Communication-USB-2 | CONFIG_USB_UHCI | Not defined | 
| Boot-Communication-USB-3 | CONFIG_USB_KEYBOARD | Not defined | 
| Boot-Communication-USB-4 | CONFIG_USB_STORAGE | Not defined | 
| Boot-Communication-USB-5 | CONFIG_USB_HOST_ETHER | Not defined | 
| Domain | Communication modes | State | 
|---|---|---|
| Boot-Communication-1 | Network interfaces | Preferably no network interface is enabled; otherwise, restrict the services to those actually used. | 
| Domain | Object | Recommendations | 
|---|---|---|
| Boot-Communication-1 | Services, ports and devices | Restrict the services, ports and devices to those used. | 
| Domain | Commandname | State | 
|---|---|---|
| Boot-Communication-Flash-1 | do_nand | Disable | 
| Domain | Configname | Value | 
|---|---|---|
| Boot-Consoles-Serial-1 | CONFIG_SILENT_CONSOLE | Enable (console output is muted when the silent environment variable is set) | 
| Boot-Consoles-Serial-2 | CONFIG_SYS_DEVICE_NULLDEV | Enable (provides the null device the muted console is redirected to) | 
| Boot-Consoles-Serial-3 | CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC | Enable (re-applies the silent setting after U-Boot relocates itself) | 
| Domain | Environment variablename | State | 
|---|---|---|
| Boot-Consoles-Serial-1 | INC_DEBUG_PRINT | Not defined | 
| Domain | Configname | State | 
|---|---|---|
| Boot-Consoles-Variables-1 | CONFIG_ENV_IS_IN_MMC | #undef | 
| Boot-Consoles-Variables-2 | CONFIG_ENV_IS_IN_EEPROM | #undef | 
| Boot-Consoles-Variables-3 | CONFIG_ENV_IS_IN_FLASH | #undef | 
| Boot-Consoles-Variables-4 | CONFIG_ENV_IS_IN_DATAFLASH | #undef | 
| Boot-Consoles-Variables-5 | CONFIG_ENV_IS_IN_FAT | #undef | 
| Boot-Consoles-Variables-6 | CONFIG_ENV_IS_IN_NAND | #undef | 
| Boot-Consoles-Variables-7 | CONFIG_ENV_IS_IN_NVRAM | #undef | 
| Boot-Consoles-Variables-8 | CONFIG_ENV_IS_IN_ONENAND | #undef | 
| Boot-Consoles-Variables-9 | CONFIG_ENV_IS_IN_SPI_FLASH | #undef | 
| Boot-Consoles-Variables-10 | CONFIG_ENV_IS_IN_REMOTE | #undef | 
| Boot-Consoles-Variables-11 | CONFIG_ENV_IS_IN_UBI | #undef | 
| Boot-Consoles-Variables-12 | CONFIG_ENV_IS_NOWHERE | #define | 
| Domain | Commandname | State | 
|---|---|---|
| Boot-Consoles-MemDump-1 | md | Disabled | 
| Boot-Consoles-MemDump-2 | mm | Disabled | 
| Boot-Consoles-MemDump-3 | nm | Disabled | 
| Boot-Consoles-MemDump-4 | mw | Disabled | 
| Boot-Consoles-MemDump-5 | cp | Disabled | 
| Boot-Consoles-MemDump-6 | mwc | Disabled | 
| Boot-Consoles-MemDump-7 | mdc | Disabled | 
| Boot-Consoles-MemDump-8 | mtest | Disabled | 
| Boot-Consoles-MemDump-9 | loopw | Disabled | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-General-MAC-1 | CONFIG_IP_NF_SECURITY | m | 
| Kernel-General-MAC-2 | CONFIG_IP6_NF_SECURITY | m | 
| Kernel-General-MAC-3 | CONFIG_EXT2_FS_SECURITY | y | 
| Kernel-General-MAC-4 | CONFIG_EXT3_FS_SECURITY | y | 
| Kernel-General-MAC-5 | CONFIG_EXT4_FS_SECURITY | y | 
| Kernel-General-MAC-6 | CONFIG_SECURITY | y | 
| Kernel-General-MAC-7 | CONFIG_SECURITY_SMACK | y | 
| Kernel-General-MAC-8 | CONFIG_TMPFS_XATTR | y | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-General-kexec-1 | CONFIG_KEXEC | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-General-IPAutoConf-1 | CONFIG_IP_PNP | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-General-SysCtl_SysCall-1 | CONFIG_SYSCTL_SYSCALL | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-General-LegacyLinux-1 | CONFIG_USELIB | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-General-FirmHelper-1 | CONFIG_FW_LOADER_USER_HELPER | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-General-PanicOnOOPS-1 | CONFIG_PANIC_ON_OOPS | y | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-General-SocketMon-1 | CONFIG_PACKET_DIAG | n | 
| Kernel-General-SocketMon-2 | CONFIG_UNIX_DIAG | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-General-BPF_JIT-1 | CONFIG_BPF_JIT | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-General-ModuleSigning-1 | CONFIG_MODULE_SIG_FORCE | y | 
| Domain | Variablename | Value | 
|---|---|---|
| Kernel-General-ModuleSigning-2 | kernel.modules_disabled | 1 | 
| Domain | Object | State | 
|---|---|---|
| Kernel-General-Drivers-1 | USB | Disabled | 
| Kernel-General-Drivers-2 | PCMCIA | Disabled | 
| Kernel-General-Drivers-3 | Other hotplug buses | Disabled | 
| Domain | Compiler and linker options | State | 
|---|---|---|
| Kernel-General-IndependentExec-1 | -fPIE -pie (executables), -fPIC (shared libraries) | Enable | 
| Domain | Compiler and linker options | State | 
|---|---|---|
| Kernel-General-OverwriteAttacks-1 | -Wl,-z,relro | Enable | 
| Kernel-General-OverwriteAttacks-2 | -Wl,-z,now | Enable | 
| Domain | Object | Recommendations | 
|---|---|---|
| Kernel-General-LibraryLinking-1 | Dynamic linking | Should generally not be allowed. | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Memory-RestrictAccess-1 | CONFIG_DEVKMEM | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Memory-CoreDump-1 | CONFIG_PROC_KCORE | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Memory-Swap-1 | CONFIG_SWAP | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Memory-LoadAllSymbols-1 | CONFIG_KALLSYMS | n | 
| Kernel-Memory-LoadAllSymbols-2 | CONFIG_KALLSYMS_ALL | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Memory-Stack-1 | CONFIG_CC_STACKPROTECTOR (CONFIG_STACKPROTECTOR_STRONG on kernels 4.18 and later) | y | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Memory-Access-1 | CONFIG_DEVMEM | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Memory-CrossMemAttach-1 | CONFIG_CROSS_MEMORY_ATTACH | n | 
| Domain | Compiler and linker options | State | 
|---|---|---|
| Kernel-Memory-StackSmashing-1 | -fstack-protector-all | Enable | 
| Domain | Compiler option or Configname | Value | 
|---|---|---|
| Kernel-Memory-BufferOverflows-1 | -D_FORTIFY_SOURCE | 2 (effective only when compiling with optimisation, -O1 or higher) | 
| Kernel-Memory-BufferOverflows-2 | CONFIG_FORTIFY_SOURCE | y | 
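The compiler and linker settings in the tables above (position-independent executables, RELRO and immediate binding, stack protector, FORTIFY) are easiest to verify on the built binaries rather than by inspecting build flags. The checker below is an added example, not part of the original notes or of any AGL tool: it reads the ELF64 headers directly and reports PIE (e_type of ET_DYN), RELRO (a PT_GNU_RELRO segment) and immediate binding (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW in the dynamic section). Stack protector and FORTIFY leave no header flag and are not covered. build_test_elf is a hypothetical helper that constructs a header-only ELF for offline testing; the image it produces is not loadable.

```python
"""Check an ELF64 (little-endian) binary for PIE, RELRO and BIND_NOW.

Added example: a minimal checksec-style reader of the ELF headers only.
"""
import struct
import sys

# Constants from the ELF specification / glibc elf.h
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def check_elf_hardening(data: bytes) -> dict:
    """Return PIE / RELRO / BIND_NOW findings for the ELF image in `data`."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section (16-byte tag/value pairs) up to DT_NULL
            for pos in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", data, pos)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW:
                    bind_now = True
                elif tag == DT_FLAGS and val & DF_BIND_NOW:
                    bind_now = True
                elif tag == DT_FLAGS_1 and val & DF_1_NOW:
                    bind_now = True
    return {
        "pie": e_type == ET_DYN,
        "relro": relro,
        "bind_now": bind_now,
        # -Wl,-z,relro together with -Wl,-z,now gives "full RELRO": the GOT is read-only
        "full_relro": relro and bind_now,
    }


def build_test_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Construct a header-only ELF64 image (not loadable) for offline testing.

    Hypothetical helper: emits an ELF header, a PT_DYNAMIC segment, an optional
    PT_GNU_RELRO segment and a dynamic section carrying DT_FLAGS.
    """
    dyn = b""
    if bind_now:
        dyn += struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<QQ", DT_NULL, 0)
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum  # program headers follow the 64-byte ELF header
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0,
    )

    def phdr(p_type: int, offset: int, size: int) -> bytes:
        return struct.pack("<IIQQQQQQ", p_type, 4, offset, offset, offset, size, size, 8)

    phdrs = phdr(PT_DYNAMIC, dyn_off, len(dyn))
    if relro:
        phdrs += phdr(PT_GNU_RELRO, dyn_off, len(dyn))
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Usage: python3 elf_hardening.py /path/to/binary
    with open(sys.argv[1], "rb") as f:
        print(check_elf_hardening(f.read()))
```

A binary built with -fPIE -pie -Wl,-z,relro -Wl,-z,now reports all four fields true; a missing "bind_now" with "relro" present is partial RELRO, which still leaves the GOT writable at run time.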
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Consoles-Serial-1 | CONFIG_SERIAL_8250 | n | 
| Kernel-Consoles-Serial-2 | CONFIG_SERIAL_8250_CONSOLE | n | 
| Kernel-Consoles-Serial-3 | CONFIG_SERIAL_CORE | n | 
| Kernel-Consoles-Serial-4 | CONFIG_SERIAL_CORE_CONSOLE | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Consoles-CommandLine-1 | CONFIG_CMDLINE_BOOL | y | 
| Kernel-Consoles-CommandLine-2 | CONFIG_CMDLINE | "insert kernel command line here" | 
| Kernel-Consoles-CommandLine-3 | CONFIG_CMDLINE_OVERRIDE | y | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Consoles-KDBG-1 | CONFIG_KGDB | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Consoles-SysRQ-1 | CONFIG_MAGIC_SYSRQ | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Consoles-BinaryFormat-1 | CONFIG_BINFMT_MISC | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Debug-Symbols-1 | CONFIG_DEBUG_INFO | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Debug-Kprobes-1 | CONFIG_KPROBES | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Debug-Tracing-1 | CONFIG_FTRACE | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Debug-Profiling-1 | CONFIG_OPROFILE | n | 
| Kernel-Debug-Profiling-2 | CONFIG_PROFILING | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Debug-OOPSOnBUG-1 | CONFIG_DEBUG_BUGVERBOSE | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Debug-Dev-1 | CONFIG_DEBUG_KERNEL | n | 
| Kernel-Debug-Dev-2 | CONFIG_EMBEDDED | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Debug-FileSystem-1 | CONFIG_DEBUG_FS | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Debug-BUG-1 | CONFIG_BUG | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Debug-CoreDumps-1 | CONFIG_COREDUMP | n | 
| Domain | Filename | Value | 
|---|---|---|
| Kernel-Debug-AdressDisplay-1 | /proc/sys/kernel/kptr_restrict | 1 | 
| Domain | File or directory name | State | 
|---|---|---|
| Kernel-Debug-AdressDisplay-1 | /boot/vmlinuz* | Readable only by root | 
| Kernel-Debug-AdressDisplay-2 | /boot/System.map* | Readable only by root | 
| Kernel-Debug-AdressDisplay-3 | /sys/kernel/debug/ | Readable only by root | 
| Kernel-Debug-AdressDisplay-4 | /proc/slabinfo | Readable only by root | 
| Domain | Filename | Value | 
|---|---|---|
| Kernel-Debug-DMESG-1 | /proc/sys/kernel/dmesg_restrict | 1 | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-Debug-Config-1 | CONFIG_IKCONFIG | n | 
| Domain | Configname | Value | 
|---|---|---|
| Kernel-FileSystems-NFS-1 | CONFIG_NFSD | n | 
| Kernel-FileSystems-NFS-2 | CONFIG_NFS_FS | n | 
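The kernel tables from Kernel-General-MAC down to Kernel-FileSystems-NFS, and the U-Boot tables earlier on this page, are all values in the same Kconfig .config format, so one script can audit both. The audit below is an added example, not part of the original notes or an AGL tool. Its expected-value tables are a subset copied from the tables on this page, the sample .config is constructed, and the two U-Boot command symbols CONFIG_CMD_MEMORY and CONFIG_CMD_MEMTEST are an assumption about how current U-Boot names the memory-dump commands from the Boot-Consoles-MemDump table.

```python
"""Audit a Kconfig-style .config against a table of expected values.

Added example. The kernel and U-Boot both write their configuration in the
same format (CONFIG_X=y, CONFIG_X=m, CONFIG_X="str", CONFIG_X=-2, or the
comment "# CONFIG_X is not set"), so one parser serves both tables.
"""
import re
import sys

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

# Subset of the kernel tables above; 'n' means "must not be enabled"
KERNEL_EXPECTED = {
    "CONFIG_SECURITY": "y",
    "CONFIG_SECURITY_SMACK": "y",
    "CONFIG_MODULE_SIG_FORCE": "y",
    "CONFIG_FORTIFY_SOURCE": "y",
    "CONFIG_PANIC_ON_OOPS": "y",
    "CONFIG_KEXEC": "n",
    "CONFIG_IP_PNP": "n",
    "CONFIG_BPF_JIT": "n",
    "CONFIG_DEVKMEM": "n",
    "CONFIG_DEVMEM": "n",
    "CONFIG_PROC_KCORE": "n",
    "CONFIG_SWAP": "n",
    "CONFIG_KALLSYMS": "n",
    "CONFIG_MAGIC_SYSRQ": "n",
    "CONFIG_KGDB": "n",
    "CONFIG_DEBUG_FS": "n",
    "CONFIG_COREDUMP": "n",
    "CONFIG_IKCONFIG": "n",
}

# Subset of the U-Boot tables above
UBOOT_EXPECTED = {
    "CONFIG_BOOTDELAY": "-2",
    "CONFIG_FIT": "y",
    "CONFIG_FIT_SIGNATURE": "y",
    "CONFIG_RSA": "y",
    "CONFIG_OF_CONTROL": "y",
    "CONFIG_ENV_IS_NOWHERE": "y",
    "CONFIG_CMD_USB": "n",
    "CONFIG_USB_STORAGE": "n",
    # Assumption: in Kconfig-based U-Boot, CONFIG_CMD_MEMORY gates the
    # md/mm/nm/mw/cp command family and CONFIG_CMD_MEMTEST gates mtest.
    "CONFIG_CMD_MEMORY": "n",
    "CONFIG_CMD_MEMTEST": "n",
}


def parse_config(text: str) -> dict:
    """Map every CONFIG_ symbol in the file to its value; unset symbols map to 'n'."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def audit(cfg: dict, expected: dict) -> list:
    """Return (symbol, expected, actual) for every mismatch.

    A symbol that never appears is treated as 'n': that satisfies an 'n'
    expectation but is reported when 'y' or a specific value is required.
    """
    findings = []
    for sym, want in expected.items():
        have = cfg.get(sym, "n")
        if have != want:
            findings.append((sym, want, have))
    return findings


# Constructed sample, not a real board configuration
SAMPLE_KERNEL_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_SECURITY=y
CONFIG_SECURITY_SMACK=y
# CONFIG_KEXEC is not set
CONFIG_IP_PNP=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_DEVMEM=y
# CONFIG_DEVKMEM is not set
CONFIG_MAGIC_SYSRQ=y
CONFIG_IKCONFIG=m
CONFIG_CMDLINE="console=null"
"""


def audit_sample() -> list:
    """Run the kernel expectations against the constructed sample."""
    return audit(parse_config(SAMPLE_KERNEL_CONFIG), KERNEL_EXPECTED)


if __name__ == "__main__":
    # Usage: python3 kconfig_audit.py kernel|uboot path/to/.config
    table = KERNEL_EXPECTED if sys.argv[1] == "kernel" else UBOOT_EXPECTED
    with open(sys.argv[2]) as f:
        for sym, want, have in audit(parse_config(f.read()), table):
            print(f"{sym}: expected {want}, found {have}")
```

Note that a module build (=m) is reported as a mismatch against an 'n' expectation: a loadable module is still reachable on a system that permits module loading, which is why the page pairs the config values with kernel.modules_disabled=1.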
| Domain | Partition | Value | 
|---|---|---|
| Kernel-FileSystems-Mount-1 | /boot | nosuid, nodev and noexec. | 
| Kernel-FileSystems-Mount-2 | /var & /tmp | In /etc/fstab or vfstab, add nosuid, nodev and noexec. | 
| Kernel-FileSystems-Mount-3 | Non-root local | If the type is ext2 or ext3 and the mount point is not '/', add nodev. | 
| Kernel-FileSystems-Mount-4 | Removable storage | Add nosuid, nodev and noexec. | 
| Kernel-FileSystems-Mount-5 | Temporary storage | Add nosuid, nodev and noexec. | 
| Kernel-FileSystems-Mount-6 | /dev/shm | Add nosuid, nodev and noexec. | 
| Kernel-FileSystems-Mount-7 | /dev | Add nosuid and noexec. | 
| Domain | Configname | State or Value | 
|---|---|---|
| Kernel-FileSystems-Mount-1 | CONFIG_DEVTMPFS_MOUNT | Disabled, or add a remount with noexec and nosuid to system startup. | 
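The mount-option rules in the Kernel-FileSystems-Mount table can be checked against an fstab before the image ships. The checker below is an added example, not part of the original notes: it applies the per-mount-point rules, the removable/temporary-media rule and the ext2/ext3 nodev rule, and also honours the mount(8) behaviour that the user/users option already implies noexec, nosuid and nodev unless an explicit exec, suid or dev option overrides it. The set of filesystem types treated as removable or temporary media, and the sample fstab, are assumptions constructed for the example.

```python
"""Check fstab entries for the nosuid/nodev/noexec options the table asks for.

Added example, not part of the original notes.
"""
import sys

FULL = {"nosuid", "nodev", "noexec"}
# Mount points with fixed requirements (Mount-1, -2, -6, -7)
REQUIRED_BY_MOUNTPOINT = {
    "/boot": FULL,
    "/var": FULL,
    "/tmp": FULL,
    "/dev/shm": FULL,
    "/dev": {"nosuid", "noexec"},
}
# Assumption: these types are treated as removable or temporary media (Mount-4, -5)
REMOVABLE_OR_TEMP_TYPES = {"vfat", "exfat", "msdos", "iso9660", "udf", "tmpfs"}


def effective_options(opts: set) -> set:
    """Expand the restrictions implied by the user/users options (mount(8))."""
    eff = set(opts)
    if "user" in opts or "users" in opts:
        eff |= FULL
    for flag in ("exec", "suid", "dev"):
        if flag in opts:  # an explicit positive flag overrides the implied "no" form
            eff.discard("no" + flag)
    return eff


def required_options(mountpoint: str, fstype: str) -> set:
    """Options the table requires for one entry."""
    if mountpoint in REQUIRED_BY_MOUNTPOINT:
        return REQUIRED_BY_MOUNTPOINT[mountpoint]
    if fstype in REMOVABLE_OR_TEMP_TYPES:
        return FULL
    if fstype in {"ext2", "ext3"} and mountpoint != "/":  # Mount-3: non-root local
        return {"nodev"}
    return set()


def parse_fstab(text: str) -> list:
    """Return (device, mountpoint, fstype, options) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        entries.append((fields[0], fields[1], fields[2], set(fields[3].split(","))))
    return entries


def audit_fstab(text: str) -> list:
    """Return (mountpoint, sorted missing options) for every non-compliant entry."""
    findings = []
    for _dev, mountpoint, fstype, opts in parse_fstab(text):
        missing = required_options(mountpoint, fstype) - effective_options(opts)
        if missing:
            findings.append((mountpoint, sorted(missing)))
    return findings


# Constructed sample; not taken from a real system
SAMPLE_FSTAB = """\
# <device>      <mount>     <type> <options>                     <dump> <pass>
/dev/mmcblk0p1  /boot       ext2   defaults,nosuid,nodev         0 2
/dev/mmcblk0p2  /           ext4   defaults                      0 1
/dev/mmcblk0p3  /var        ext4   defaults,nosuid,nodev,noexec  0 2
tmpfs           /tmp        tmpfs  defaults                      0 0
tmpfs           /dev/shm    tmpfs  nosuid,nodev,noexec           0 0
/dev/mmcblk0p4  /data       ext3   defaults                      0 2
/dev/sda1       /media/usb  vfat   defaults,noauto               0 0
/dev/mmcblk1p1  /media/sd   vfat   user,noauto                   0 0
"""


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/fstab"
    with open(path) as f:
        for mountpoint, missing in audit_fstab(f.read()):
            print(f"{mountpoint}: add {','.join(missing)}")
```

In the sample, /media/sd passes only because of the user option; the same vfat line with defaults,noauto (/media/usb) is reported, which is the usual way removable media ends up mountable with suid binaries.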
| Domain | Labelname | Recommendations | 
|---|---|---|
| Kernel-MAC-Floor-1 | ^ | Only for privileged system services. | 
| Kernel-MAC-Floor-2 | * | Used for device files or /tmp. Access restriction via DAC. | 
| Domain | Labelname | Recommendations | 
|---|---|---|
| Kernel-MAC-System-1 | System | Processes should write only to files with the transmute attribute. | 
| Kernel-MAC-System-2 | System::run | Files are created with the directory label from the user and system domains (transmute). Lock is implicit with w. | 
| Kernel-MAC-System-3 | System::Shared | Files are created with the directory label from the system domain (transmute). The user domain has locked privilege. | 
| Kernel-MAC-System-4 | System::Log | Some limitations may require adding w to enable append. | 
| Kernel-MAC-System-5 | System::Sub | Isolation of risky Subsystem. | 
| Domain | Labelname | Recommendations | 
|---|---|---|
| Kernel-MAC-System-1 | User::Pkg::$AppID | Only one label is allowed per app. A data directory is created by the AppFw in rwx mode. | 
| Kernel-MAC-System-2 | User::Home | The AppFw needs to create a directory in /home/$USER/App-Shared at first launch if not present, with the app-data label; access is User::App-Shared without transmute. | 
| Kernel-MAC-System-3 | User::App-Shared | Shared space between all apps running for a given user. | 
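The three Smack label tables above depend on rules that are implicit in Smack itself: the ^ and * labels, the _ floor, same-label access, lock being implied by write, and directory transmute. The simulator below is an added example, not part of the original notes or the AGL policy: it encodes those built-in decisions as documented for the kernel's Smack LSM and evaluates requests against a small rule set written in smackload format. That rule set is constructed for illustration using the page's labels and is not the real AGL rule file.

```python
"""Simulate Smack access decisions for the label scheme described above.

Added example, not part of the original notes. Simplified model of the
kernel's Smack decision order; it does not implement Smack networking or
the bring-up mode.
"""

# Constructed rules in smackload format: "subject object access"
SAMPLE_RULES = """\
# system services
System           System::Log       rwxat
System           System::Shared    rwxat
System           System::Run       rwxat
# one application, labelled User::Pkg::$AppID
User::Pkg::app1  System::Log       wa
User::Pkg::app1  System::Shared    rx
User::Pkg::app1  User::App-Shared  rwxa
User::Pkg::app1  User::Home        rx
"""


def parse_rules(text: str) -> dict:
    """Map (subject, object) -> set of access letters; '-' means no access."""
    rules = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        subject, obj, mode = parts
        rules[(subject, obj)] = set(mode.replace("-", ""))
    return rules


def smack_allowed(rules: dict, subject: str, obj: str, request: str) -> bool:
    """Decide one request ('r', 'w', 'x', 'a', 'l', 't' or a combination).

    Built-in decisions come first, then the explicit rule set. Every
    requested mode must be granted for the request to succeed.
    """
    want = set(request)
    if subject == "*":                          # a '*' subject is never granted anything
        return False
    if subject == "^" and want <= {"r", "x"}:   # hat: may read/execute everything
        return True
    if obj == "*":                              # star object: anything goes (device files)
        return True
    if obj == "_" and want <= {"r", "x"}:       # floor: readable/executable by all
        return True
    if subject == obj:                          # same label
        return True
    granted = set(rules.get((subject, obj), set()))
    if "w" in granted:                          # lock is implicit with write
        granted.add("l")
    return want <= granted


def new_file_label(rules: dict, subject: str, dir_label: str, dir_transmute: bool) -> str:
    """Return the label a file created by `subject` in a `dir_label` directory gets.

    With SMACK64TRANSMUTE set on the directory and a rule granting 't', the
    file inherits the directory label; otherwise it carries the creator's label.
    """
    if dir_transmute and "t" in rules.get((subject, dir_label), set()):
        return dir_label
    return subject


RULES = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    for subj, obj, req in [("System", "System::Log", "wa"),
                           ("User::Pkg::app1", "System::Log", "wa"),
                           ("User::Pkg::app1", "System::Log", "r"),
                           ("^", "System::Log", "r"),
                           ("User::Pkg::app1", "*", "rw")]:
        print(f"{subj:16} {obj:16} {req:3} -> {smack_allowed(RULES, subj, obj, req)}")
```

Two points the tables make show up directly: an application with only wa on System::Log can append but never read the log back, and a file a System service creates in a transmute System::Shared directory gets the directory label, whereas a file the application creates there (rule rx, no t) keeps the application's own label.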
| Domain | Object | Recommendations | 
|---|---|---|
| Platform-SystemD-1 | Security model | Use namespaces for containerization. | 
| Platform-SystemD-2 | Security model | Use cgroups to organise processes. | 
| Domain | Object | Recommendations | 
|---|---|---|
| Platform-DBus-1 | Security model | Use D-Bus as IPC. | 
| Platform-DBus-2 | Security model | Apply D-Bus security patches (D-Bus CVE list). | 
| Domain | Toolname | State | 
|---|---|---|
| Platform-Utilities-1 | connman | Used as a connection manager. | 
| Platform-Utilities-2 | bluez | Used as a Bluetooth manager. | 
| Platform-Utilities-3 | gstreamer | Used to manage multimedia file formats. | 
| Platform-Utilities-4 | alsa | Used to provide an API for sound card device drivers. | 
| Domain | Object | Recommendations | 
|---|---|---|
| Platform-AGLFw-AppFw-1 | Security model | Use the AppFw as Security model. | 
| Domain | Object | Recommendations | 
|---|---|---|
| Platform-AGLFw-Cynara-1 | Permissions | Use Cynara as policy-checker service. | 
| Domain | Toolname | State | 
|---|---|---|
| Platform-Utilities-1 | busybox | Used to provide a number of tools. Do not compile development tools. | 
| Domain | Utility name and normal path | State | 
|---|---|---|
| Platform-Utilities-1 | chgrp in /bin/chgrp | Disabled | 
| Platform-Utilities-2 | chmod in /bin/chmod | Disabled | 
| Platform-Utilities-3 | chown in /bin/chown | Disabled | 
| Platform-Utilities-4 | dmesg in /bin/dmesg | Disabled | 
| Platform-Utilities-5 | dnsdomainname in /bin/dnsdomainname | Disabled | 
| Platform-Utilities-6 | dropbear; remove "dropbear" from /etc/init.d/rcs | Disabled | 
| Platform-Utilities-7 | Editors (vi) in /bin/vi | Disabled | 
| Platform-Utilities-8 | find in /bin/find | Disabled | 
| Platform-Utilities-9 | gdbserver in /bin/gdbserver | Disabled | 
| Platform-Utilities-10 | hexdump in /bin/hexdump | Disabled | 
| Platform-Utilities-11 | hostname in /bin/hostname | Disabled | 
| Platform-Utilities-12 | install in /bin/install | Disabled | 
| Platform-Utilities-13 | iostat in /bin/iostat | Disabled | 
| Platform-Utilities-14 | killall in /bin/killall | Disabled | 
| Platform-Utilities-15 | klogd in /sbin/klogd | Disabled | 
| Platform-Utilities-16 | logger in /bin/logger | Disabled | 
| Platform-Utilities-17 | lsmod in /sbin/lsmod | Disabled | 
| Platform-Utilities-18 | pmap in /bin/pmap | Disabled | 
| Platform-Utilities-19 | ps in /bin/ps | Disabled | 
| Platform-Utilities-21 | rpm in /bin/rpm | Disabled | 
| Platform-Utilities-22 | SSH | Disabled | 
| Platform-Utilities-23 | stbhotplug in /sbin/stbhotplug | Disabled | 
| Platform-Utilities-24 | strace in /bin/trace | Disabled | 
| Platform-Utilities-25 | su in /bin/su | Disabled | 
| Platform-Utilities-26 | syslogd (logger) in /bin/logger | Disabled | 
| Platform-Utilities-27 | top in /bin/top | Disabled | 
| Platform-Utilities-28 | UART in /proc/tty/driver/ | Disabled | 
| Platform-Utilities-29 | which in /bin/which | Disabled | 
| Platform-Utilities-30 | who and whoami in /bin/whoami | Disabled | 
| Platform-Utilities-31 | awk (busybox) | Enabled | 
| Platform-Utilities-32 | cut (busybox) | Enabled | 
| Platform-Utilities-33 | df (busybox) | Enabled | 
| Platform-Utilities-34 | echo (busybox) | Enabled | 
| Platform-Utilities-35 | fdisk (busybox) | Enabled | 
| Platform-Utilities-36 | grep (busybox) | Enabled | 
| Platform-Utilities-37 | mkdir (busybox) | Enabled | 
| Platform-Utilities-38 | mount (vfat) (busybox) | Enabled | 
| Platform-Utilities-39 | printf (busybox) | Enabled | 
| Platform-Utilities-40 | sed in /bin/sed (busybox) | Enabled | 
| Platform-Utilities-41 | tail (busybox) | Enabled | 
| Platform-Utilities-42 | tee (busybox) | Enabled | 
| Platform-Utilities-43 | test (busybox) | Enabled | 
| Domain | Object | Recommendations | 
|---|---|---|
| Platform-Users-root-1 | Main application | Should not execute as root. | 
| Platform-Users-root-2 | UI | Should run in the context of a user with no capabilities. | 
| Domain | Utilityname | State | 
|---|---|---|
| Platform-Users-root-3 | login | Not allowed | 
| Platform-Users-root-4 | su | Not allowed | 
| Platform-Users-root-5 | ssh | Not allowed | 
| Platform-Users-root-6 | scp | Not allowed | 
| Platform-Users-root-7 | sftp | Not allowed | 
| Domain | Object | Recommendations | 
|---|---|---|
| Application-Installation-1 | AppFw | Provide an offline mode in order to install apps with the base image. | 
| Application-Installation-2 | Integrity | Allow the installation of applications only if their integrity is verified. | 
| Domain | Tech name | Recommendations | 
|---|---|---|
| Connectivity-BusAndConnector-Bus-1 | CAN | Implement hardware solution in order to prohibit sending unwanted signals. | 
| Domain | Tech name | Recommendations | 
|---|---|---|
| Connectivity-BusAndConnector-Connectors-1 | USB | Must be disabled. If not, enable only the minimum required USB devices. | 
| Connectivity-BusAndConnector-Connectors-2 | USB | Confidential data exchanged with the ECU over USB must be secured. | 
| Connectivity-BusAndConnector-Connectors-3 | USB | USB boot on an ECU must be disabled. | 
| Connectivity-BusAndConnector-Connectors-4 | OBD-II | Must be disabled outside garages. | 
| Domain | Object | Recommendations | 
|---|---|---|
| Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels. | 
| Domain | Tech name or object | Recommendations | 
|---|---|---|
| Connectivity-Wireless-Wifi-1 | WEP, PSK, TKIP | Disabled | 
| Connectivity-Wireless-Wifi-2 | WPA2 and AES-CCMP | Used | 
| Connectivity-Wireless-Wifi-3 | WPA2 | Should protect against data sniffing. | 
| Connectivity-Wireless-Wifi-4 | PSK | Change the password regularly. | 
| Connectivity-Wireless-Wifi-5 | Device | Must be easily upgradable in software or firmware to receive the latest security updates. | 
| Domain | Tech name | Recommendations | 
|---|---|---|
| Connectivity-Wireless-Bluetooth-1 | BLE | Use with caution. | 
| Connectivity-Wireless-Bluetooth-2 | Bluetooth | Monitoring | 
| Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works" association model. | 
| Connectivity-Wireless-Bluetooth-4 | Visibility | Configured by default as undiscoverable. Except when needed. | 
| Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute force attacks. | 
| Domain | Tech name | Recommendations | 
|---|---|---|
| Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid | 
| Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against jamming. | 
| Domain | Tech name | Recommendations | 
|---|---|---|
| Connectivity-Wireless-Radio-1 | RDS | Only audio output and metadata concerning the radio. | 
| Domain | Tech name | Recommendations | 
|---|---|---|
| Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks. | 
| Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles. | 
| Domain | Object | Recommendations | 
|---|---|---|
| Application-Cloud-Download-1 | Authentication | Must implement an authentication process. | 
| Application-Cloud-Download-2 | Authorization | Must implement an authorization process. | 
| Domain | Object | Recommendations | 
|---|---|---|
| Application-Cloud-Infrastructure-1 | Packet | Should implement DPI (deep packet inspection). | 
| Application-Cloud-Infrastructure-2 | DoS | Must implement DoS protection. | 
| Application-Cloud-Infrastructure-3 | Test | Should implement scanning tools such as SAST and DAST. | 
| Application-Cloud-Infrastructure-4 | Log | Should implement security tools (IDS and IPS). | 
| Application-Cloud-Infrastructure-5 | App integrity | Applications must be signed by the code signing authority. | 
| Domain | Object | Recommendations | 
|---|---|---|
| Application-Cloud-Transport-1 | Integrity, confidentiality and legitimacy | Should implement the IPsec standards. |