Legend: By default, Available, Unimplemented

| Feature | wheezy | jessie |
|---|---|---|
| No Open Ports | Minimal install does not listen on any ports | Minimal install does not listen on any ports |
| Password hashing | Manual Chapter 4. Authentication | Manual Chapter 4. Authentication |
| SYN cookies | Guide, also #520668 | Guide, also #520668 |
| Filesystem Capabilities | acl and CONFIG_EXT4_FS_SECURITY | acl and CONFIG_EXT4_FS_SECURITY |
| Configurable Firewall | iptables | iptables |
| Cloud PRNG seed | | |
| PR_SET_SECCOMP | By default. Examples 1 | By default. Examples 1 |
| AppArmor | AppArmor | AppArmor |
| SELinux | wiki | wiki |
| SMACK | Available since 2.6.25 kernel | Available since 2.6.25 kernel |
| Encrypted LVM | installation | installation |
| eCryptfs | ecryptfs-utils | ecryptfs-utils |
| Stack Protector | yes, package list | yes, package list |
| Stack Protector (strong) | no | yes, package list |
| Heap Protector | glibc | glibc |
| Pointer Obfuscation | glibc | glibc |
| Stack ASLR | kernel | kernel |
| Libs/mmap ASLR | kernel | kernel |
| Exec ASLR | kernel | kernel |
| brk ASLR | kernel | kernel |
| VDSO ASLR | kernel | kernel |
| Built as PIE | yes, package list | yes, package list |
| Built with Fortify Source | yes, package list | yes, package list |
| Built with RELRO | yes, package list | yes, package list |
| Built with BIND_NOW | yes, package list | yes, package list |
| Non-Executable Memory | | |
| /proc/$pid/maps protection | kernel | kernel |
| Symlink restrictions | kernel | kernel |
| Hardlink restrictions | kernel | kernel |
| ptrace scope | ? | ? |
| 0-address protection | kernel | kernel |
| /dev/mem protection | ? | ? |
| /dev/kmem disabled | ? | ? |
| Block module loading | ? | ? |
| Read-only data sections | ? | ? |
| Stack protector | ? | ? |
| Module RO/NX | ? | ? |
| Blacklist Rare Protocols | kernel | kernel |
| Syscall Filtering | ? | ? |
| Block kexec | ? | ? |