Skip to main content
Azure Linux includes a comprehensive set of security features enabled by default to protect against various attack vectors.

Networking

FeatureStatusDescription
Configurable FirewallBy defaultiptables for packet filtering
SYN cookiesBy defaultCONFIG_SYN_COOKIES=y protects against SYN flood attacks

Updates

FeatureStatusDescription
Signed updatesBy defaultPackage signatures verified via tdnf and dnf
Always verify package signatures when installing software. Unsigned packages may have been tampered with or come from untrusted sources.

Build Options

All binaries in Azure Linux are built with hardening flags enabled by default:
FeatureStatusDescription
Position Independent Executable (PIE)By default-fPIE, -pie enables ASLR for executables
Stack Protector StrongBy default-fstack-protector-strong detects stack buffer overflows
Format SecurityBy default-Wformat-security validates format strings
Fortify SourceBy default_FORTIFY_SOURCE adds buffer overflow checks
Bind NowBy default—enable-bind-now resolves all symbols at load time
RELROBy defaultrelro makes segments read-only after relocation

Address Space Layout Randomization (ASLR)

ASLR randomizes memory addresses to make exploitation more difficult:
FeatureStatusDescription
Stack ASLRBy defaultAvailable since kernel 2.6.15
Libs/mmap ASLRBy defaultAvailable since kernel 2.6.15
Exec ASLRBy defaultAvailable since kernel 2.6.25
brk ASLRBy defaultAvailable since kernel 2.6.22
VDSO ASLRBy defaultAvailable for x86_64 since kernel 2.6.22

Kernel Hardening

Azure Linux includes extensive kernel hardening features:
FeatureStatusDescription
/proc/$pid/maps protectionBy defaultEnabled by default since kernel 2.6.27
Symlink restrictionsBy defaultfs.protected_symlinks prevents symlink attacks
Hardlink restrictionsBy defaultfs.protected_hardlinks prevents hardlink attacks
0-address protectionBy defaultvm.mmap_min_addr prevents NULL pointer dereference exploits
Kernel Address Display RestrictionBy defaultkernel.kptr_restrict hides kernel addresses
Block module loadingAvailablekernel.modules_disabled
/dev/mem protectionBy defaultCONFIG_STRICT_DEVMEM=y
/dev/kmem disabledBy defaultCONFIG_DEVKMEM=n
Kernel Module RO/NXBy defaultCONFIG_STRICT_MODULE_RWX=y
Write-protect kernel .rodata sectionsBy defaultCONFIG_STRICT_KERNEL_RWX=y
Kernel Stack ProtectorBy defaultCONFIG_STACKPROTECTOR=y
The kernel.modules_disabled sysctl permanently disables module loading until reboot. Only enable this after all required modules are loaded.

GCC/glibc Hardening

FeatureStatusDescription
Overflow checking in new operatorBy defaultgcc integer overflow protection
Pointer ObfuscationBy defaultglibc pointer encryption protects function pointers
Heap Consistency CheckingBy defaultglibc Heap Consistency Checking detects heap corruption

System Call Filtering

FeatureStatusDescription
Syscall Filtering (seccomp)AvailableCONFIG_SECCOMP_FILTER=y allows syscall filtering
Seccomp sandboxAvailablePR_SET_SECCOMP

Process Isolation

FeatureStatusDescription
Ptrace MitigationAvailableYama LSM restricts ptrace
User namespacesAvailableCONFIG_USER_NS=y
Private /tmp for systemd servicesAvailablePrivateTmp
Polyinstantiate /tmp, /var/tmp, and user home foldersAvailablenamespace.conf
Mandatory access controlBy defaultSELinux enforces access policies

Encrypted Storage

FeatureStatusDescription
Encrypted VolumesAvailableEncrypt volumes during OS installation
Encrypted storage is configured during installation. Enabling encryption on existing systems requires data migration.

Miscellaneous

FeatureStatusDescription
Password hashingBy defaultSHA-512 algorithm for secure password storage
Filesystem CapabilitiesAvailableCapabilities and chattr
Tamper Resistant LogsAvailablejournalctl —verify validates log integrity
Kernel LockdownIntegrity mode by defaultkernel lockdown restricts kernel modification

References

Build docs developers (and LLMs) love

Get started for freeTalk to us