You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Linux Kernel Defence Map shows the relationships between vulnerability classes, exploitation techniques, bug detection mechanisms, and defence technologies
There are many concepts that have interesting relationships with each other:
Vulnerability classes
Exploitation techniques
Bug detection mechanisms
Defence technologies
Some defence technologies are provided by the Linux kernel mainline.
Others are going out‑of‑tree for various reasons (some of them are commercial, for example).
Moreover, there are kernel defences that depend on special hardware features.
It would be convenient to have a graphical representation of Linux kernel security.
That's why I have created a Linux Kernel Defence Map showing the relationships between all these concepts.
The node connections don't mean "full mitigation." Rather, each connection represents some kind of relationship.
So the Linux Kernel Defence Map should help to navigate the documentation and Linux kernel sources.
It also provides the Common Weakness Enumeration (CWE) numbers for vulnerability classes.
This map describes kernel security hardening. It doesn't cover cutting attack surface, userspace security features
and policies enforced by various Linux Security Modules (LSM).
So there are plenty of security hardening options in the Linux kernel. A lot of them are
not enabled by the major distros. We have to configure these options ourselves to
make our systems more secure.
But nobody likes verifying configs manually. So I've created the kernel-hardening-checker
that checks security hardening options of the Linux kernel.
You are welcome to try it.
Linux Kernel Defence Map shows the relationships between vulnerability classes, exploitation techniques, bug detection mechanisms, and defence technologies
