diff --git a/features/security/security.cfg b/features/security/security.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..efcbe056d046558525485f4524cace6c5656c3aa
--- /dev/null
+++ b/features/security/security.cfg
@@ -0,0 +1,48 @@
+# Protect against ioctl buffer overflows
+CONFIG_HARDENED_USERCOPY=y
+
+# Check for memory copies that might overflow a structure in str*() and mem*()
+# functions both at build-time and run-time
+CONFIG_FORTIFY_SOURCE=y
+
+# Harden the slab free list with randomization
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+
+# Stack Protector is for buffer overflow detection and hardening
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+
+# Perform extensive checks on reference counting
+CONFIG_REFCOUNT_FULL=y
+
+# Disable to ensure random heap placement to make exploits harder
+# CONFIG_COMPAT_BRK is not set
+
+# Disable; exposes kernel text image layout
+# CONFIG_PROC_KCORE is not set
+
+# Increases the low-level kernel attack surface. Disable it instead.
+# Removes the modify_ldt system call.
+CONFIG_EXPERT=y
+CONFIG_MODIFY_LDT_SYSCALL=n
+
+# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+# CONFIG_LEGACY_VSYSCALL_EMULATE is not set
+CONFIG_LEGACY_VSYSCALL_NONE=y
+
+# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
+# CONFIG_INET_DIAG is not set
+
+# Do not allow direct physical memory access (enable only STRICT mode...)
+# CONFIG_DEVMEM is not set
+CONFIG_STRICT_DEVMEM=y
+CONFIG_IO_STRICT_DEVMEM=y
+
+# Perform additional validation of various commonly targeted structures
+CONFIG_SCHED_STACK_END_CHECK=y
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_DEBUG_CREDENTIALS=y
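Review bot: The /dev/mem block asks for two incompatible things: `# CONFIG_DEVMEM is not set` removes the device entirely, while `CONFIG_STRICT_DEVMEM=y` and `CONFIG_IO_STRICT_DEVMEM=y` are filters on that device and depend on `DEVMEM` in Kconfig, so the merge will drop the two STRICT lines and the config audit is likely to report them as unmet; pick one intent (drop the STRICT lines and keep the device removed, or keep `DEVMEM` and rely on strict filtering) and reword the comment to match, e.g. `# Remove /dev/mem entirely; STRICT_DEVMEM/IO_STRICT_DEVMEM only apply when the device exists`. `CONFIG_MODIFY_LDT_SYSCALL=n` is the only option in this fragment disabled with `=n` rather than the `# ... is not set` form used everywhere else, and older merge_config.sh versions do not honour `=n`, so `# CONFIG_MODIFY_LDT_SYSCALL is not set` is the safer spelling. `CONFIG_CC_STACKPROTECTOR_REGULAR=y` picks the weaker stack protector when `CONFIG_CC_STACKPROTECTOR_STRONG` has been available since 3.14 and is the usual hardening choice; if REGULAR is a deliberate size/compiler trade-off, say so in the comment. Setting `CONFIG_EXPERT=y` just to reach `MODIFY_LDT_SYSCALL` unmasks many other prompts whose defaults differ under EXPERT, so the resulting .config diff should be reviewed beyond the symbols listed here. Disabling `CONFIG_INET_DIAG` also removes the sock_diag netlink interface that `ss` and similar tools prefer (they fall back to /proc/net), and the comment itself limits the rationale to pre-4.1 kernels, so this deserves a caveat rather than an unconditional disable.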
diff --git a/features/security/security.scc b/features/security/security.scc
new file mode 100644
index 0000000000000000000000000000000000000000..0864eb7d45fd84b609b83922584f4a73892a8f13
--- /dev/null
+++ b/features/security/security.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable/disable configurations that impact kernel security"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware security.cfg
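Review bot: `define KFEATURE_COMPATIBILITY all` overstates what the referenced security.cfg can deliver, because several of its symbols only exist in a window of kernel versions: `CONFIG_CC_STACKPROTECTOR*` was renamed to `CONFIG_STACKPROTECTOR*` in 4.18, `CONFIG_REFCOUNT_FULL` was removed in 5.5 when its checks became unconditional, and the `CONFIG_INET_DIAG` comment limits its own rationale to pre-4.1 kernels. On kernels outside that window those lines are silently ignored by the merge and the `kconf` audit is likely to flag them as unapplied, so either narrow the compatibility declaration to the kernel series this fragment was validated against or record the drift in the description, e.g. `define KFEATURE_DESCRIPTION "Kernel hardening options (validated on 4.x; some symbols are renamed or removed in later kernels)"`.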