Atomic Secured Linux Kernel Features

Introduction

This is a list of the AED Secured Kernel Features.

Note

This list is not complete, and is currently being updated. To get a full list of kernel features, please see the AED product page or contact support.


Protections

Address Space Protection

  • This menu lets you choose options that affect the Address Space Protection

Deny writing to /dev/kmem, /dev/mem, and /dev/port

  • /dev/kmem and /dev/mem< won’t be allowed to be written to via mmap or otherwise to modify the running kernel. /dev/port also is not be allowed to be opened. This closes up four ways that are currently used to insert malicious code into the running kerne

  • Nothing legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem but only to video memory, which is the only writing we allow in this case. If you wish to use X with AED, please see the X_with_AED article for configuration instructions.

Disable Privileged I/O

  • All ioperm and iopl calls will return an error. Ioperm and iopl can be used to modify the running kernel.

  • Unfortunately, some programs need this access to operate properly, the most notable of which are XFree86 and hwclock. Hwclock is remedied by having RTC support in the kernel to ensure that hwclock operated correctly.

  • XFree86 still will not operate correctly with this protection enabled. If you wish to use X with AED, please see the X_with_AED article for configuration instructions to disable this protection.

Remove addresses from /proc/<pid>/[smaps|maps|stat]

  • The /proc/<pid>/maps and /proc/<pid>/stat files will give no information about the addresses of its mappings if PaX features that rely on random addresses are enabled on the task. This closes up a hole that makes ALSR, as exists some some Linux kernels, useless for suid binaries.

Harden module auto-loading

  • Module auto-loading in response to use of some feature implemented by an unloaded module is restricted to root users.

  • This feature helps defend against attacks by unprivileged users who abuse the auto-loading behavior to cause a vulnerable module to load that is then exploited. This feature will also prevent a legitimate use of auto-loading for a non-root user, the administrator can execute modprobe manually with the exact name of the module mentioned in the alert log.

  • Alternatively, the administrator can add the module to the list of modules loaded at boot time by modifying init

Hide kernel symbols

  • This feature restricted to users with CAP_SYS_MODULE to get information on loaded modules, and displaying all kernel symbols. For software compatibility reasons, /proc/kallsyms is restricted to the root user.

  • The AED RBAC system can also hide that entry even from root.

  • This feature revents leaking of kernel addresses through several /proc entries.

  • This feature also causes the permissions on /boot, /lib/modules, and the kernel source directory to change at compile time to prevent reading by non-root users.

  • This feature provides a useful protection against local and remote kernel exploitation of overflows and arbitrary read/write vulnerabilities.


Role Based Access Control Protections

Hide kernel processes

  • All kernel threads are hidden to all processes but those whose subject has the “view hidden processes” flag.

RBAC brute force protections

  • The kernel prevents attempts to brute force the RBAC authentication system, by setting a maximum number of times a user can attempt to authorize themselves with the RBAC system before being denied the ability to attempt authorization again for a specified time.

  • A minimum time the user must wait after attempting to authorize to the RBAC system with the maximum number of invalid passwords is also enforced.