| Type | Feature | Status | Additional information |
|---|---|---|---|
| Networking | |||
| Configurable Firewall | By default | iptables | |
| SYN cookies | By default | CONFIG_SYN_COOKIES=y | |
| Updates | |||
| Signed updates | By default | tdnf, dnf | |
| Build options | |||
| Built as PIE | By default | -fPIE, -pie | |
| Built with Stack Protector Strong | By default | -fstack-protector, -fstack-protector-strong | |
| Built with Format Security | By default | -Wformat-security | |
| Built with Fortify Source | By default | _FORTIFY_SOURCE | |
| Built with --enable-bind-now | By default | --enable-bind-now | |
| Built with RELRO | By default | relro | |
| Address Space Layout Randomization (ASLR) |
|||
| Stack ASLR | By default | Available in the mainline kernel since 2.6.15 | |
| Libs/mmap ASLR | By default | Available in the mainline kernel since 2.6.15 | |
| Exec ASLR | By default | Available in the mainline kernel since 2.6.25 | |
| brk ASLR | By default | Available in the mainline kernel since 2.6.22 | |
| VDSO ASLR | By default | Available for x86_64 in the mainline kernel since 2.6.22 | |
| Kernel hardening | |||
| /proc/$pid/maps protection | By default | Enabled by default since mainline kernel 2.6.27 | |
| Symlink restrictions | By default | fs.protected_symlinks | |
| Hardlink restrictions | By default | fs.protected_hardlinks | |
| 0-address protection | By default | vm.mmap_min_addr | |
| Kernel Address Display Restriction | By default | kernel.kptr_restrict | |
| Block module loading | Available | kernel.modules_disabled | |
| /dev/mem protection | By default | CONFIG_STRICT_DEVMEM=y | |
| /dev/kmem disabled | By default | CONFIG_DEVKMEM=n | |
| Kernel Module RO/NX | By default | CONFIG_STRICT_MODULE_RWX=y | |
| Write-protect kernel .rodata sections | By default | CONFIG_STRICT_KERNEL_RWX=y | |
| Kernel Stack Protector | By default | CONFIG_STACKPROTECTOR=y | |
| gcc/glibc hardening | |||
| Overflow checking in new operator | By default | gcc | |
| Pointer Obfuscation | By default | glibc pointer encryption | |
| Heap Consistency Checking | By default | glibc Heap Consistency Checking | |
| System call filtering | |||
| Syscall Filtering (seccomp) | Available | CONFIG_SECCOMP_FILTER=y | |
| Seccomp sandbox | Available | PR_SET_SECCOMP | |
| Process isolation | |||
| Ptrace Mitigation | Available | Yama | |
| User namespaces | Available | CONFIG_USER_NS=y | |
| Private /tmp for systemd services | Available | PrivateTmp | |
| Polyinstantiate /tmp, /var/tmp, and user home folders |
Available | namespace.conf | |
| Mandatory access control | By default | SELinux | |
| Encrypted Storage | |||
| Encrypted Volumes | Available | Encrypt during OS installation | |
| Miscellaneous | |||
| Password hashing | By default | SHA-512 | |
| Filesystem Capabilities | Available | Capabilities and chattr | |
| Tamper Resistant Logs | Available | journalctl --verify | |
| Kernel Lockdown | Integrity mode by default | kernel lockdown |