Legend: By default | Available | Unimplemented
| Feature | wheezy | jessie | stretch | buster |
|---|---|---|---|---|
| No Open Ports | Minimal install | Minimal install | Minimal install | Minimal install |
|  | SHA-512 | SHA-512 | SHA-512 | SHA-512 |
| SYN cookies | Y | Y | Y | Y |
| Filesystem Capabilities | Y | Y | Y | Y |
| Configurable Firewall |  |  |  |  |
| Cloud PRNG seed |  |  |  |  |
| PR_SET_SECCOMP | Y | Y | Y | Y |
|  | Optional | Optional | Optional | Enabled |
|  | Optional | Optional | Optional | Optional |
|  | Installer | Installer | Installer | Installer |
| eCryptfs | Optional | Optional | Optional | Optional |
| Stack Protector | package list | package list | package list | package list |
| Stack Protector (strong) | N | package list | package list | package list |
| Heap Protector | glibc | glibc | glibc | glibc |
| Pointer Obfuscation | glibc | glibc | glibc | glibc |
| Stack ASLR | Y | Y | Y | Y |
| Libs/mmap ASLR | Y | Y | Y | Y |
| Exec ASLR | Y | Y | Y | Y |
| brk ASLR | Y | Y | Y | Y |
| VDSO ASLR | Y | Y | Y | Y |
| Built as PIE | package list | package list | package list | package list |
| Built with Fortify Source | package list | package list | package list | package list |
| Built with RELRO | package list | package list | package list | package list |
| Built with BIND_NOW | package list | package list | package list | package list |
| Non-Executable Memory | amd64 | amd64 | amd64 | amd64 |
| /proc/$pid/maps protection | Y | Y | Y | Y |
| Symlink restrictions | Y | Y | Y | Y |
| Hardlink restrictions | Y | Y | Y | Y |
| ptrace scope | N | N | yama/sysctl | yama/sysctl |
| 0-address protection | Y | Y | Y | Y |
| /dev/mem protection | Y | Y | Y | Y |
| /dev/kmem disabled | Y | Y | Y | Y |
| Option to block module loading | Y | Y | Y | Y |
| Read-only data sections | Y | Y | Y | Y |
| Module RO/NX | Y | Y | Y | Y |
| Blacklist Rare Protocols | N | N | N | N |
| Syscall Filtering | N | ? | Y | Y |
| Block kexec | N | ? | sysctl | sysctl |