By default

Available

Unimplemented

feature

wheezy

jessie

No Open Ports

Minimal install does not listen ports

Minimal install does not listen ports

Password hashing

Manual Chapter 4. Authentication

Manual Chapter 4. Authentication

SYN cookies

Guide also #520668

Guide also #520668

Filesystem Capabilities

acl and CONFIG_EXT4_FS_SECURITY

acl and CONFIG_EXT4_FS_SECURITY

Configurable Firewall

iptables

iptables

Cloud PRNG seed

PR_SET_SECCOMP

By default. Examples 1

By default. Examples 1

AppArmor

AppArmor

AppArmor

SELinux

wiki

wiki

SMACK

Available since 2.6.25 kernel

Available since 2.6.25 kernel

Encrypted LVM

installation

installation

eCryptfs

ecryptfs-utils

ecryptfs-utils

Stack Protector

?

?

Heap Protector

?

?

Pointer Obfuscation

?

?

Stack ASLR

?

?

Libs/mmap ASLR

?

?

Exec ASLR

?

?

brk ASLR

?

?

VDSO ASLR

?

?

Built as PIE

?

?

Built with Fortify Source

?

?

Built with RELRO

?

?

Built with BIND_NOW

?

?

Non-Executable Memory

?

?

/proc/$pid/maps protection

?

?

Symlink restrictions

?

?

Hardlink restrictions

?

?

ptrace scope

?

?

0-address protection

kernel

kernel

/dev/mem protection

?

?

/dev/kmem disabled

?

?

Block module loading

?

?

Read-only data sections

?

?

Stack protector

?

?

Module RO/NX

?

?

Kernel Address Display Restriction

?

?

Blacklist Rare Protocols

?

?

Syscall Filtering

?

?

Block kexec

?

?