Report for image: agl-demo-platform-crosssdk
With the kernel conf at: /w/workspace/release-jjb-chinook-snapshot/MACHINE/qemux86-64/label/agl-test-slave/repoclone/output/tmp/work-shared/qemux86-64/kernel-build-artifacts/.config

Hardening options that need improvement:

Actual value: CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE : not set
Recommended value: CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE : y
Comment: Enables randomization of PIE load address for ELF binaries. This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.

Actual value: CONFIG_BINFMT_MISC : m
Recommended value: CONFIG_BINFMT_MISC : not set
Comment: Enables support for binary formats other than ELF. Providing the ability to use alternate interpreters would assist an attacker in discovering attack vectors.

Actual value: CONFIG_BUG : y
Recommended value: CONFIG_BUG : not set
Comment: Enables display of backtrace and register information for BUGs and WARNs in kernel space. Verbose logging would assist an attacker in discovering attack vectors.

Actual value: CONFIG_CC_STACKPROTECTOR : not set
Recommended value: CONFIG_CC_STACKPROTECTOR : y
Comment: Enables the stack protector GCC feature which defends against stack-based buffer overflows

Actual value: CONFIG_CMDLINE_BOOL : not set
Recommended value: CONFIG_CMDLINE_BOOL : y
Comment: Enables the kernel command line to be hardcoded directly into the kernel. Hardcoding the command line allows tighter control over kernel command line options.

Actual value: CONFIG_CMDLINE_OVERRIDE : not set
Recommended value: CONFIG_CMDLINE_OVERRIDE : y
Comment: Enables the kernel to ignore the boot loader command line and to use only the hardcoded command line. Hardcoding the command line allows tighter control over kernel command line options.

Actual value: CONFIG_COREDUMP : y
Recommended value: CONFIG_COREDUMP : not set
Comment: Enables support for performing core dumps. Providing core dumps would assist an attacker in discovering attack vectors.

Actual value: CONFIG_CROSS_MEMORY_ATTACH : y
Recommended value: CONFIG_CROSS_MEMORY_ATTACH : not set
Comment: Enables cross-process virtual memory access. Providing virtual memory access to and from a hostile process would assist an attacker in discovering attack vectors.

Actual value: CONFIG_DEBUG_BUGVERBOSE : y
Recommended value: CONFIG_DEBUG_BUGVERBOSE : not set
Comment: Enables verbose logging for BUG() panics. Verbose logging would assist an attacker in discovering attack vectors.

Actual value: CONFIG_DEBUG_FS : y
Recommended value: CONFIG_DEBUG_FS : not set
Comment: Enables the kernel debug filesystem. The kernel debug filesystem presents a lot of useful information and means of manipulation of the kernel to an attacker.

Actual value: CONFIG_DEBUG_RODATA : not set
Recommended value: CONFIG_DEBUG_RODATA : y
Comment: Sets kernel text and rodata sections as read-only and write-protected. This guards against malicious attempts to change the kernel's executable code.

Actual value: CONFIG_DEBUG_STACKOVERFLOW : not set
Recommended value: CONFIG_DEBUG_STACKOVERFLOW : y
Comment: Enables messages to be printed if free stack space drops below a certain limit. Leaking information about resources used by the kernel would assist an attacker in discovering attack vectors.

Actual value: CONFIG_DEFAULT_MMAP_MIN_ADDR : 4096
Recommended value: CONFIG_DEFAULT_MMAP_MIN_ADDR : 65536
Comment: Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.

Actual value: CONFIG_DEVKMEM : y
Recommended value: CONFIG_DEVKMEM : not set
Comment: Enables kmem device, which direct maps kernel memory. Providing a view into kernel memory would assist an attacker in discovering attack vectors.

Actual value: CONFIG_DEVMEM : y
Recommended value: CONFIG_DEVMEM : not set
Comment: Enables mem device, which provides access to physical memory. Providing a view into physical memory would assist an attacker in discovering attack vectors.

Actual value: CONFIG_FTRACE : y
Recommended value: CONFIG_FTRACE : not set
Comment: Enables the kernel to trace every function. Providing kernel trace functionality would assist an attacker in discovering attack vectors.

Actual value: CONFIG_IKCONFIG : y
Recommended value: CONFIG_IKCONFIG : not set
Comment: Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.

Actual value: CONFIG_IKCONFIG_PROC : y
Recommended value: CONFIG_IKCONFIG_PROC : not set
Comment: Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.

Actual value: CONFIG_IP_PNP : y
Recommended value: CONFIG_IP_PNP : not set
Comment: Enables automatic configuration of IP addresses of devices and of the routing table during kernel boot. Providing networking functionality before the system has come up would assist an attacker in discovering attack vectors.

Actual value: CONFIG_KALLSYMS : y
Recommended value: CONFIG_KALLSYMS : not set
Comment: Enables printing of symbolic crash information and symbolic stack backtraces. Verbose logging would assist an attacker in discovering attack vectors.

Actual value: CONFIG_KPROBES : y
Recommended value: CONFIG_KPROBES : not set
Comment: Enables Kernel Dynamic Probes. Providing kprobes allows the attacker to collect debug and performance information.

Actual value: CONFIG_MAGIC_SYSRQ : y
Recommended value: CONFIG_MAGIC_SYSRQ : not set
Comment: Enables a console device to interpret special characters as SysRQ system commands. SysRQ commands are an immediate attack vector as they provide the ability to dump information or reboot the device.

Actual value: CONFIG_MODULE_SIG_FORCE : not set
Recommended value: CONFIG_MODULE_SIG_FORCE : y
Comment: Enables validation of module signature. Disabling this option enables an attacker to load unsigned modules.

Actual value: CONFIG_MODULE_UNLOAD : y
Recommended value: CONFIG_MODULE_UNLOAD : not set
Comment: Enables the ability to unload a kernel module. Allowing module unloading enables the attacker to disable security modules.

Actual value: CONFIG_NAMESPACES : y
Recommended value: CONFIG_NAMESPACES : not set
Comment: Enabling this can result in duplicates of dev nodes, pids and mount points, which can be useful to attackers trying to spoof running environments on devices.

Actual value: CONFIG_NFSD : m
Recommended value: CONFIG_NFSD : not set
Comment: Enables remote access to files residing on this system using Sun's Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.

Actual value: CONFIG_NFS_FS : y
Recommended value: CONFIG_NFS_FS : not set
Comment: Enables remote access to files residing on this system using Sun's Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.

Actual value: CONFIG_PANIC_ON_OOPS : not set
Recommended value: CONFIG_PANIC_ON_OOPS : y
Comment: Enables conversion of kernel OOPs to PANIC. When fuzzing the kernel or attempting kernel exploits, attackers are likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their progress.

Actual value: CONFIG_PROC_KCORE : y
Recommended value: CONFIG_PROC_KCORE : not set
Comment: Enables access to a kernel core dump from userspace. Providing access to core dumps of the kernel would assist an attacker in discovering attack vectors.

Actual value: CONFIG_RANDOMIZE_BASE : not set
Recommended value: CONFIG_RANDOMIZE_BASE : y
Comment: Enables Kernel Address Space Layout randomization (kASLR). This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.

Actual value: CONFIG_RANDOMIZE_BASE_MAX_OFFSET : not set
Recommended value: CONFIG_RANDOMIZE_BASE_MAX_OFFSET : 0x20000000,0x40000000
Comment: Defines the maximal offset in bytes that will be applied to the kernel when kernel Address Space Layout Randomization (kASLR) is active.

Actual value: CONFIG_SECURITY_DMESG_RESTRICT : not set
Recommended value: CONFIG_SECURITY_DMESG_RESTRICT : y
Comment: Enables restrictions on unprivileged users reading the kernel syslog via dmesg(8). Unrestricted access to kernel syslogs would assist an attacker in discovering attack vectors.

Actual value: CONFIG_SERIAL_8250_CONSOLE : y
Recommended value: CONFIG_SERIAL_8250_CONSOLE : not set
Comment: Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.

Actual value: CONFIG_SERIAL_CORE : y
Recommended value: CONFIG_SERIAL_CORE : not set
Comment: Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.

Actual value: CONFIG_SERIAL_CORE_CONSOLE : y
Recommended value: CONFIG_SERIAL_CORE_CONSOLE : not set
Comment: Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.

Actual value: CONFIG_STRICT_DEVMEM : not set
Recommended value: CONFIG_STRICT_DEVMEM : y
Comment: Enables restriction of userspace access to kernel memory. Failure to enable this option provides an immediate attack vector.

Actual value: CONFIG_SWAP : y
Recommended value: CONFIG_SWAP : not set
Comment: Enables swap files for kernel. The ability to read kernel memory pages in swap files would assist an attacker in discovering attack vectors.

Actual value: CONFIG_USELIB : y
Recommended value: CONFIG_USELIB : not set
Comment: Enables the uselib syscall. The uselib system call has no valid use in any libc6 or uclibc system. Legacy features would assist an attacker in discovering attack vectors.

Actual value: CONFIG_X86_INTEL_MPX : not set
Recommended value: CONFIG_X86_INTEL_MPX : y
Comment: Enables MPX hardware features that can be used with compiler-instrumented code to check memory references. It is designed to detect buffer overflow or underflow bugs.

Actual value: CONFIG_X86_MSR : y
Recommended value: CONFIG_X86_MSR : not set
Comment: Enables privileged processes access to the x86 Model-Specific Registers (MSRs). MSR accesses are directed to a specific CPU on multi-processor systems. This alone does not provide security.

Key-related options that need improvement:

Actual value: CONFIG_ENCRYPTED_KEYS : not set
Recommended value: CONFIG_ENCRYPTED_KEYS : y

Actual value: CONFIG_TRUSTED_KEYS : not set
Recommended value: CONFIG_TRUSTED_KEYS : y

Security options that need improvement:

Actual value: CONFIG_INTEL_TXT : not set
Recommended value: CONFIG_INTEL_TXT : y

Actual value: CONFIG_LSM_MMAP_MIN_ADDR : not set
Recommended value: CONFIG_LSM_MMAP_MIN_ADDR : 65536

Actual value: CONFIG_SECURITYFS : not set
Recommended value: CONFIG_SECURITYFS : y

Actual value: CONFIG_SECURITY_NETWORKING : not set
Recommended value: CONFIG_SECURITY_NETWORKING : y

Actual value: CONFIG_SECURITY_YAMA : not set
Recommended value: CONFIG_SECURITY_YAMA : y

Actual value: CONFIG_SECURITY_YAMA_STACKED : not set
Recommended value: CONFIG_SECURITY_YAMA_STACKED : y

Integrity options that need improvement:

Actual value: CONFIG_EVM : not set
Recommended value: CONFIG_EVM : y

Actual value: CONFIG_EVM_ATTR_FSUUID : not set
Recommended value: CONFIG_EVM_ATTR_FSUUID : y

Actual value: CONFIG_EVM_EXTRA_SMACK_XATTRS : not set
Recommended value: CONFIG_EVM_EXTRA_SMACK_XATTRS : y

Actual value: CONFIG_IMA : not set
Recommended value: CONFIG_IMA : y

Actual value: CONFIG_IMA_APPRAISE : not set
Recommended value: CONFIG_IMA_APPRAISE : y

Actual value: CONFIG_IMA_APPRAISE_SIGNED_INIT : not set
Recommended value: CONFIG_IMA_APPRAISE_SIGNED_INIT : y

Actual value: CONFIG_IMA_DEFAULT_HASH_SHA256 : not set
Recommended value: CONFIG_IMA_DEFAULT_HASH_SHA256 : y

Actual value: CONFIG_IMA_DEFAULT_HASH_SHA512 : not set
Recommended value: CONFIG_IMA_DEFAULT_HASH_SHA512 : y

Actual value: CONFIG_IMA_LSM_RULES : not set
Recommended value: CONFIG_IMA_LSM_RULES : y

Actual value: CONFIG_IMA_TRUSTED_KEYRING : not set
Recommended value: CONFIG_IMA_TRUSTED_KEYRING : y

Actual value: CONFIG_INTEGRITY_SIGNATURE : not set
Recommended value: CONFIG_INTEGRITY_SIGNATURE : y