Create separate entries for some hardening mechanisms

[david-a-wheeler]

Review Ubuntu's Security Features to look for potential criterion questions. It might be useful to phrase at least some of these as separate criteria if #650 is implemented.

Credit: Credit goes to Matthew "Matt" Van Gundy, Cisco.

[wanganyv]

I've readed the Ubuntu Security Features wiki pages. IMHO, "Security features of Ubuntu" and "kernel hardening options" are not suitable for general open source projects. But the Userspace Hardening methods (look like gcc security parameters for compilation and linkage) may become potential criteria for projects implemented in C/C++.

[Seirdy]

Some less common hardening that might deserve mention can include:

• documented interoperability with MAC systems (e.g. SELinux, AppArmor)
• usage of sandboxing and syscall-filtering mechanisms (seccomp, landlock, pledge/unveil, capsicum)
• compatibility with aggressive toolchain hardening (e.g. fstack-protector-all, fcf-protection=full, Clang features like CFI-sanitation, shadow call stacks, auto-var-init, etc)
• tested to work on systems with strict enforcement of policies like W^X, full ASLR and PIE-only execution.