Gentoo Forums
Gentoo Forums Forum Index Kernel & Hardware
tinkerer
n00b
Joined: 19 May 2021
Posts: 5
PostPosted: Wed May 19, 2021 11:02 am    Post subject: How do you guys harden the kernel?

Hi,

Just out of curiosity. How do you guys harden the kernel?

Do you have custom patches, modules or favorite sysctl options?
pietinger
l33t
Joined: 17 Oct 2006
Posts: 841
Location: Bavaria
PostPosted: Wed May 19, 2021 11:08 am

I am using this link:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

And from this forum post:
https://forums.gentoo.org/viewtopic-p-8480264.html#8480264
you will find another link.
(don't try to do all of this: https://docs.clip-os.org/clipos/kernel.html#configuration ).
CaptainBlood
Advocate
Joined: 24 Jan 2010
Posts: 2134
PostPosted: Wed May 19, 2021 12:16 pm

Code:
sys-kernel/kconfig-hardened-check [1]
     Installed versions:  0.5.9^m(16:21:17 08/05/2021)(PYTHON_TARGETS="python3_8 -python3_10 -python3_7 -python3_9")
     Homepage:            https://github.com/a13xp0p0v/kconfig-hardened-check
     Description:         A script for checking the hardening options in the Linux kernel config

[1] "mv" /var/db/repos/mv
Thks 4 ur attention, interest & support.
_________________
Poor testing hurts everyone... climate included :)
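The two posts above point at the KSPP recommended settings and at kconfig-hardened-check, which compares a .config against them. As an added example that is not code from the thread, from the KSPP wiki or from kconfig-hardened-check, here is a minimal POSIX sh checker for a small assumed subset of those settings. The point it makes is how kconfig writes a .config: a disabled option appears as "# CONFIG_X is not set", and an option whose dependencies are unmet does not appear at all, so a checker must treat "absent" exactly like "not set" (both read as n). The option subset is an assumption taken from the KSPP list as it stood around the 5.10 kernels; the sample .config it ships with is constructed for the demo, not taken from any real kernel.

```sh
#!/bin/sh
# Added example: minimal KSPP-subset checker for a kernel .config.
# Not from the thread, the KSPP wiki, or kconfig-hardened-check.
# Usage: sh kspp-subset-check.sh /usr/src/linux/.config
# Without an argument it checks the constructed sample config below.

# Assumed subset of the KSPP recommended settings (the full, current list
# is on the KSPP wiki page linked in the thread). OPTION=n means the
# option must be absent or written as "# OPTION is not set".
KSPP_SUBSET='
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_VMAP_STACK=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_DEVMEM=n
CONFIG_LEGACY_PTYS=n
CONFIG_COMPAT_BRK=n
CONFIG_PROC_KCORE=n
'

# kconfig_value CONFIG_FILE OPTION
# Prints OPTION's value (y, m, a number or a string). kconfig writes a
# disabled option as "# OPTION is not set" and omits an option whose
# dependencies are unmet, so both cases come back as "n".
kconfig_value() {
    kv_val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${kv_val:-n}"
}

# check_kconfig CONFIG_FILE
# Prints one OK/FAIL line per option and returns the number of failures,
# so a build script can gate on it (0 means the whole subset matches).
check_kconfig() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 255; }
    ck_fails=0; ck_total=0
    for ck_entry in $KSPP_SUBSET; do
        ck_opt=${ck_entry%%=*}
        ck_want=${ck_entry#*=}
        ck_got=$(kconfig_value "$1" "$ck_opt")
        ck_total=$((ck_total + 1))
        if [ "$ck_got" = "$ck_want" ]; then
            printf 'OK   %s=%s\n' "$ck_opt" "$ck_got"
        else
            printf 'FAIL %s: want %s, got %s\n' "$ck_opt" "$ck_want" "$ck_got"
            ck_fails=$((ck_fails + 1))
        fi
    done
    printf '%d of %d checks failed\n' "$ck_fails" "$ck_total"
    return "$ck_fails"
}

# write_sample_config FILE
# Constructed sample (not a real kernel .config) that passes 11 of the 16
# checks: HARDENED_USERCOPY is "not set", SLAB_FREELIST_HARDENED and
# BUG_ON_DATA_CORRUPTION are absent, DEVMEM and LEGACY_PTYS are enabled.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real kernel .config
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_VMAP_STACK=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_FORTIFY_SOURCE=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_DEVMEM=y
CONFIG_LEGACY_PTYS=y
# CONFIG_COMPAT_BRK is not set
# CONFIG_PROC_KCORE is not set
EOF
}

# Stand-alone run: a real .config if given, otherwise the constructed sample.
# "|| :" only keeps the demo from aborting under "set -e"; when gating a
# build, call check_kconfig directly and act on its return value.
if [ $# -gt 0 ]; then
    check_kconfig "$1" || :
else
    sample=$(mktemp)
    write_sample_config "$sample"
    check_kconfig "$sample" || :
    rm -f "$sample"
fi
```

The return value is the failure count, so `check_kconfig /usr/src/linux/.config || exit 1` in a kernel build script refuses to build a config that has drifted. Extending KSPP_SUBSET is the only change needed to track the full KSPP page; kconfig-hardened-check already does that and also knows per-architecture and per-version differences, which this sketch deliberately ignores.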
mirekm
Apprentice
Joined: 12 Feb 2004
Posts: 203
Location: Gliwice
PostPosted: Thu May 20, 2021 5:21 am

Anthrax hardened patch:
https://github.com/anthraxx/linux-hardened
CaptainBlood
Advocate
Joined: 24 Jan 2010
Posts: 2134
PostPosted: Thu May 20, 2021 7:47 am

mirekm wrote:
Anthrax hardened patch:
https://github.com/anthraxx/linux-hardened

Could you please elaborate a little on the steps for how to apply it?

Thks 4 ur attention, interest & support.
_________________
Poor testing hurts everyone... climate included :)
kukibl
Apprentice
Joined: 10 Jun 2008
Posts: 167
PostPosted: Thu May 20, 2021 9:41 am

I assume you download the .patch file from the releases page and apply it to your current kernel source with the patch command, or download/clone the complete source, which should be patched already (?), and untar it manually?

https://github.com/anthraxx/linux-hardened/releases

https://www.kernel.org/doc/html/v5.10/process/applying-patches.html?highlight=patch#how-do-i-apply-or-revert-a-patch

It would be nice to have an ebuild for this. Will try it this weekend.
figueroa
Veteran
Joined: 14 Aug 2005
Posts: 1602
Location: Edge of the Marsh USA
PostPosted: Fri May 21, 2021 3:42 am

Harden in small steps. It's easy to get a kernel you can't boot -- the ultimate security.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5
i7-2600 @ 3.40GHz; 16 gb
amd64/17.1/desktop (stable)
Radeon HD 7570 & spinning rust
CaptainBlood
Advocate
Joined: 24 Jan 2010
Posts: 2134
PostPosted: Fri May 21, 2021 4:23 am

figueroa wrote:
Harden in small steps
+1
figueroa wrote:
It's easy to get a kernel you can't boot
That's why a multi-kernel boot design is more than welcome in this regard.

Thks 4 ur attention, interest & support.
_________________
Poor testing hurts everyone... climate included :)
pietinger
l33t
Joined: 17 Oct 2006
Posts: 841
Location: Bavaria
PostPosted: Fri May 21, 2021 1:35 pm

kukibl wrote:
I assume you download the .patch file from the releases page and apply it to your current kernel source with the patch command, or download/clone the complete source, which should be patched already (?), and untar it manually?

https://github.com/anthraxx/linux-hardened/releases

https://www.kernel.org/doc/html/v5.10/process/applying-patches.html?highlight=patch#how-do-i-apply-or-revert-a-patch

It would be nice to have an ebuild for this. Will try it this weekend.


I am also interested in this and looked into "linux-hardened-5.10.36-hardened1.patch" (because there is no .38 yet). There is something I don't like:

SELinux is enabled by default.

Because you cannot have both SELinux AND AppArmor enabled in the kernel, this will cause a problem for me, because I am using AppArmor.

When browsing some more links I found: https://madaidans-insecurities.github.io/guides/linux-hardening.html
which I loved on first sight, because of:
Quote:
1. Choosing the right Linux
[...]
The best distribution to use as a base for your hardened operating system would be Gentoo Linux as it allows you to configure your system exactly how you want it to be which will be extremely useful, especially when we come to more secure compilation flags later in the guide.


I also found this:
https://www.whonix.org/wiki/Hardened-kernel
mirekm
Apprentice
Joined: 12 Feb 2004
Posts: 203
Location: Gliwice
PostPosted: Fri May 21, 2021 5:06 pm

No problem.
I install gentoo-sources, then reverse the patch:
Code:
1510_fs-enable-link-security-restrictions-by-default.patch

which is located in the genpatches base. The above patch collides with the Anthrax patches.
After that, a clean installation of the Anthrax patch is possible.

CaptainBlood wrote:
mirekm wrote:
Anthrax hardened patch:
https://github.com/anthraxx/linux-hardened

Could you please elaborate a little on the steps for how to apply it?

Thks 4 ur attention, interest & support.
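The sequence mirekm describes above (reverse the one genpatches patch that collides with linux-hardened, then apply the linux-hardened patch), written up as an added example in POSIX sh. This is not code from the thread, from Gentoo's genpatches or from the linux-hardened project. It dry-runs every patch before touching the tree, so a collision is refused before the tree is left half-patched, and it ships with a constructed mini tree plus two constructed patches that change the same line, which is exactly the collision being described. The real-box paths in the comments (/usr/src/linux, a genpatches base tarball under /var/cache/distfiles, a downloaded linux-hardened-*.patch with a detached signature next to it) are assumptions; the fixture contents are made up for the demo and are not real kernel source or real patch text.

```sh
#!/bin/sh
# Added example, not code from the thread, genpatches or linux-hardened:
# reverse one genpatches patch, then apply a linux-hardened patch, with a
# dry run before each step so a collision stops us before the tree is
# half-patched. Needs GNU patch (for --dry-run).

# patch_checked TREE PATCHFILE [-R]
# -p1 strips the a/ and b/ prefixes; -N makes patch skip (and count as a
# failure, exit status 1) a patch that looks already applied, or with -R
# already reversed, instead of prompting; --dry-run changes nothing.
# The patch is fed on stdin so its path is resolved here, not under -d.
patch_checked() {
    pc_tree=$1; pc_file=$2; pc_mode=${3:-}
    if ! patch -d "$pc_tree" -p1 -N $pc_mode --dry-run < "$pc_file" >/dev/null; then
        echo "refusing: $pc_file does not apply cleanly${pc_mode:+ with $pc_mode} to $pc_tree" >&2
        return 1
    fi
    patch -d "$pc_tree" -p1 -N -s $pc_mode < "$pc_file"
}

# harden_tree TREE GENPATCH HARDENED
# Step 1: reverse (-R) the genpatches patch that collides with linux-hardened.
# Step 2: apply the linux-hardened patch. Stops at the first failure.
harden_tree() {
    patch_checked "$1" "$2" -R && patch_checked "$1" "$3"
}

# --- constructed offline fixture (not real kernel source, not real patches) ---
# make_fixture DIR: creates DIR/tree, DIR/distro.patch and DIR/hardened.patch.
# distro.patch stands in for 1510_fs-enable-link-security-restrictions-by-default.patch
# and is already applied to the tree, as it is after emerging gentoo-sources.
# hardened.patch stands in for linux-hardened and rewrites the same line, so
# it applies only once distro.patch has been reversed.
make_fixture() {
    mkdir -p "$1/tree/fs"
    printf 'int protected_links = 1;\nint other_setting = 0;\n' > "$1/tree/fs/example.c"
    cat > "$1/distro.patch" <<'EOF'
--- a/fs/example.c
+++ b/fs/example.c
@@ -1,2 +1,2 @@
-int protected_links = 0;
+int protected_links = 1;
 int other_setting = 0;
EOF
    cat > "$1/hardened.patch" <<'EOF'
--- a/fs/example.c
+++ b/fs/example.c
@@ -1,2 +1,2 @@
-int protected_links = 0;
+int protected_links = 2;
 int other_setting = 0;
EOF
}

# Stand-alone demo on the fixture. On a real box the call would look like
# (assumed paths and names; verify the downloaded patch against its
# detached signature before this point):
#   tar xf /var/cache/distfiles/genpatches-5.10-NN.base.tar.xz \
#       1510_fs-enable-link-security-restrictions-by-default.patch
#   harden_tree /usr/src/linux \
#       "$PWD/1510_fs-enable-link-security-restrictions-by-default.patch" \
#       "$PWD/linux-hardened-5.10.36-hardened1.patch"
demo=$(mktemp -d)
make_fixture "$demo"
if harden_tree "$demo/tree" "$demo/distro.patch" "$demo/hardened.patch"; then
    head -n 1 "$demo/tree/fs/example.c"
fi
rm -rf "$demo"
```

Running harden_tree a second time on the same tree fails at step 1, because the genpatches patch is no longer applied and -N refuses to "reverse" it again; that is the behaviour you want from a script that may be re-run by hand after a half-finished session.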
kukibl
Apprentice
Joined: 10 Jun 2008
Posts: 167
PostPosted: Fri May 21, 2021 10:05 pm

pietinger wrote:

When browsing some more links I found: https://madaidans-insecurities.github.io/guides/linux-hardening.html
which I loved on first sight, because of:
Quote:
1. Choosing the right Linux
[...]
The best distribution to use as a base for your hardened operating system would be Gentoo Linux as it allows you to configure your system exactly how you want it to be which will be extremely useful, especially when we come to more secure compilation flags later in the guide.



I read all the articles from his (I assume it's he/him) blog a few months ago. It's interesting that he does not recommend using Linux at all on the desktop, except QubesOS, but again, it is not a traditional Linux distro. Btw, he is a Whonix developer.

On the other hand, I'm not sure who the target audience for the hardening tips at the provided link is: desktop, servers, both? There is sandboxing of GUIs, PulseAudio stuff, etc., so it should be for desktops? :?: