Hi,
Just out of curiosity. How do you guys harden the kernel?
Do you have custom patches, modules or favorite sysctl options?
How do you guys harden the kernel?
Message
I am using this link:
https://kernsec.org/wiki/index.php/Kern ... d_Settings
And from this forum post:
viewtopic-p-8480264.html#8480264
you will find another link.
(dont try to do all of this: https://docs.clip-os.org/clipos/kernel. ... figuration ).
https://kernsec.org/wiki/index.php/Kern ... d_Settings
And from this forum post:
viewtopic-p-8480264.html#8480264
you will find another link.
(dont try to do all of this: https://docs.clip-os.org/clipos/kernel. ... figuration ).
- CaptainBlood
- Advocate
- Posts: 4237
- Joined: Sun Jan 24, 2010 9:38 am
Code: Select all
sys-kernel/kconfig-hardened-check [1]
Installed versions: 0.5.9^m(16:21:17 08/05/2021)(PYTHON_TARGETS="python3_8 -python3_10 -python3_7 -python3_9")
Homepage: https://github.com/a13xp0p0v/kconfig-hardened-check
Description: A script for checking the hardening options in the Linux kernel config
[1] "mv" /var/db/repos/mvUSE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
Anthrax hardened patch:
https://github.com/anthraxx/linux-hardened
https://github.com/anthraxx/linux-hardened
- CaptainBlood
- Advocate
- Posts: 4237
- Joined: Sun Jan 24, 2010 9:38 am
Could you plz elaborate a little on the steps how to apply?mirekm wrote:Anthrax hardened patch:
https://github.com/anthraxx/linux-hardened
Thks 4 ur attention, interest & support.
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
I assume you download .patch file from releases page and apply it to your current kernel source with patch command or download/clone complete source, which should be patched already (?) and untar it manually?
https://github.com/anthraxx/linux-hardened/releases
https://www.kernel.org/doc/html/v5.10/p ... rt-a-patch
It would be nice to have an ebuild for this. Will try it this weekend.
https://github.com/anthraxx/linux-hardened/releases
https://www.kernel.org/doc/html/v5.10/p ... rt-a-patch
It would be nice to have an ebuild for this. Will try it this weekend.
- CaptainBlood
- Advocate
- Posts: 4237
- Joined: Sun Jan 24, 2010 9:38 am
+1figueroa wrote:Harden in small steps
That why multi-kernel boot design is more than welcome in this regard.figueroa wrote:It's easy to get a kernel you can't boot
Thks 4 ur attention, interest & support.
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
I am also interested in this and looked into the "linux-hardened-5.10.36-hardened1.patch" (because there is no .38 yet). There is something I dont like:kukibl wrote:I assume you download .patch file from releases page and apply it to your current kernel source with patch command or download/clone complete source, which should be patched already (?) and untar it manually?
https://github.com/anthraxx/linux-hardened/releases
https://www.kernel.org/doc/html/v5.10/p ... rt-a-patch
It would be nice to have an ebuild for this. Will try it this weekend.
SELinux is enabled by default.
Because you cannot have SELinux AND AppArmor enabled both in the kernel, this will cause a problem for me because I am using AppArmor.
When browsing some more links I found: https://madaidans-insecurities.github.i ... ening.html
which I loved on first sight, because of:
I also found this:1. Choosing the right Linux
[...]
The best distribution to use as a base for your hardened operating system would be Gentoo Linux as it allows you to configure your system exactly how you want it to be which will be extremely useful, especially when we come to more secure compilation flags later in the guide.
https://www.whonix.org/wiki/Hardened-kernel
No problem.
I install gentoo sources, then reverse patch:
which is located in genpatches base. Above patch collide with Anthrax patches.
After that clean installation of Anthrax patch is possible.
I install gentoo sources, then reverse patch:
Code: Select all
[*]1510_fs-enable-link-security-restrictions-by-default.patchAfter that clean installation of Anthrax patch is possible.
CaptainBlood wrote:Could you plz elaborate a little on the steps how to apply?mirekm wrote:Anthrax hardened patch:
https://github.com/anthraxx/linux-hardened
Thks 4 ur attention, interest & support.
I read all the articles from his (I assume it's he/him) blog few months ago. It's interesting he does not recommend using Linux at all on the desktop, except QubesOS, but again it is not traditional Linux distro. Btw he is Whonix developer.pietinger wrote: When browsing some more links I found: https://madaidans-insecurities.github.i ... ening.html
which I loved on first sight, because of:1. Choosing the right Linux
[...]
The best distribution to use as a base for your hardened operating system would be Gentoo Linux as it allows you to configure your system exactly how you want it to be which will be extremely useful, especially when we come to more secure compilation flags later in the guide.
On the other hand, I'm not sure who is the target audience for the hardening tips on provided link? Desktop, servers, both? There is sandboxing of GUIs, Pulseaudio stuff etc. so it should be for desktops?
