Old 08-18-2021, 11:37 AM   #1
Aeterna
Senior Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 1,011

Rep: Reputation: Disabled
kernel hardening


This is directed to anyone interested in customized kernels.
1) Download kconfig-hardened-check:
https://github.com/a13xp0p0v/kconfig-hardened-check
2) Unpack and run:
path_to/kconfig-hardened-check-master/bin/kconfig-hardened-check -c /usr/src/linux-5.13.12/.config

The script will list all the options that can be modified to get a hardened kernel, but it will not modify anything.

Reconfigure .config, build the kernel and run the tool again.

I got down to 19 failed options and preserved all kernel functionality I need.
- some options must be enabled to run virtualbox successfully.
- I disabled all debugging
- some security options sacrifice stability for security (as described when running xconfig)

Obviously, on personal workstation/desktop systems this is not very important but I regarded this as a challenge

Last edited by Aeterna; 08-18-2021 at 07:05 PM.
 
Old 08-19-2021, 06:16 AM   #2
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,833
Blog Entries: 17

Rep: Reputation: 640
I would think a simple list would be safer or an article about kernel hardening with a checklist (or following the hardened gentoo handbook for example). Or checking a copied config file in /home/user/test/.config.

I don't think I would ever run some external script in /usr/src/linux-src. I WOULD STRONGLY ADVISE AGAINST IT.

Thanks for the thought though, but I'm familiar enough with the hardening options in the Kernel already, and I tend to use many of them. And if I have any problems or questions, I can just consult the relevant sections and choices in menuconfig. It's not that much work actually, it's not like these options are hidden among the drivers.

Last edited by zeebra; 08-19-2021 at 06:23 AM.
 
Old 08-19-2021, 09:36 AM   #3
Aeterna
Senior Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 1,011

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by zeebra View Post
I would think a simple list would be safer or an article about kernel hardening with a checklist (or following the hardened gentoo handbook for example). Or checking a copied config file in /home/user/test/.config.

I don't think I would ever run some external script in /usr/src/linux-src. I WOULD STRONGLY ADVISE AGAINST IT.

Thanks for the thought though, but I'm familiar enough with the hardening options in the Kernel already, and I tend to use many of them. And if I have any problems or questions, I can just consult the relevant sections and choices in menuconfig. It's not that much work actually, it's not like these options are hidden among the drivers.

Popov is a Linux kernel developer. Pretty easy to check.
The script is suggested by Whonix:
https://www.whonix.org/wiki/Hardened-kernel
I assume that Whonix is a well-known name for a hardened Linux VM.
I have been using this script for the last two years. Yes, you can run this script to check the file for flaws located anywhere you want. I thought it was pretty obvious that one can run the check on a file located anywhere you want.


edit:
If you know all this, then obviously this is not for you. Of course an experienced user is able to check what this script does (aside from verifying the source) and, with minimal effort, the credibility of the source.

Last edited by Aeterna; 08-19-2021 at 04:23 PM.
 
1 members found this post helpful.
Old 08-20-2021, 10:05 AM   #4
Aeterna
Senior Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 1,011

Original Poster
Rep: Reputation: Disabled
Here is the list of the options that can be safely enabled/disabled. I would at first make such a kernel secondary and keep a kernel that is known to boot until all is tested.
Quote:
=========================================================================================================================
option name | desired val | decision | reason | check result
=========================================================================================================================
CONFIG_BUG | y |defconfig | self_protection | OK
CONFIG_SLUB_DEBUG | y |defconfig | self_protection | OK
CONFIG_GCC_PLUGINS | y |defconfig | self_protection | OK
CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection | OK
CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection | OK
CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection | OK
CONFIG_REFCOUNT_FULL | y |defconfig | self_protection | OK: version >= 5.5
CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK
CONFIG_MICROCODE | y |defconfig | self_protection | OK
CONFIG_RETPOLINE | y |defconfig | self_protection | OK
CONFIG_X86_SMAP | y |defconfig | self_protection | OK
CONFIG_SYN_COOKIES | y |defconfig | self_protection | OK
CONFIG_X86_UMIP | y |defconfig | self_protection | OK
CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection | OK
CONFIG_INTEL_IOMMU | y |defconfig | self_protection | OK
CONFIG_AMD_IOMMU | y |defconfig | self_protection | OK
CONFIG_VMAP_STACK | y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection | OK
CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection | OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_WX | y | kspp | self_protection | FAIL: "is not set"
CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection | FAIL: "is not set"
CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection | OK
CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK
CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | OK
CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK
CONFIG_DEBUG_LIST | y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_SG | y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection | FAIL: "is not set"
CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection | OK
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection | OK
CONFIG_MODULE_SIG | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | FAIL: "is not set"
CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection | OK: CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL "y"
CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK
CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | OK
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK
CONFIG_SECURITY_DMESG_RESTRICT | y | clipos | self_protection | OK
CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | FAIL: "is not set"
CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set"
CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | OK
CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | OK
CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | OK
CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | OK
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | OK
CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | OK
CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | OK
CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK
CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | OK
CONFIG_UBSAN_BOUNDS | y | my | self_protection | FAIL: CONFIG_UBSAN_TRAP not "y"
CONFIG_SLUB_DEBUG_ON | y | my | self_protection | FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK
CONFIG_AMD_IOMMU_V2 | y | my | self_protection | OK
CONFIG_SECURITY | y |defconfig | security_policy | OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK
CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my | security_policy | OK: not found
CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: "is not set"
CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK
CONFIG_SECURITY_LOADPIN | y | my | security_policy | OK
CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | OK
CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK
CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK
CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface | OK: CONFIG_DEVMEM "is not set"
CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface | OK: not found
CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface | OK
CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface | OK: not found
CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface | OK: not found
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface | OK
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface | OK
CONFIG_KEXEC | is not set | kspp | cut_attack_surface | OK
CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface | OK
CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface | OK
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface | OK
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface | OK
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface | OK
CONFIG_OABI_COMPAT | is not set | kspp | cut_attack_surface | OK: not found
CONFIG_MODULES | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_DEVMEM | is not set | kspp | cut_attack_surface | OK
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface | OK: CONFIG_DEVMEM "is not set"
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface | OK
CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface | OK
CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK
CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface | OK
CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface | OK
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface | OK
CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface | OK
CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface | OK
CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | OK
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | OK
CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK
CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_AIO | is not set |grapheneos| cut_attack_surface | OK
CONFIG_STAGING | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_KSM | is not set | clipos | cut_attack_surface | OK
CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface | OK
CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface | OK
CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface | OK
CONFIG_USER_NS | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | OK
CONFIG_IO_URING | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK
CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface | OK
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface | OK
CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_attack_surface | OK
CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | OK
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | OK
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK: not found
CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | FAIL: "is not set"
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | OK: not found
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | OK: not found
CONFIG_IP_DCCP | is not set | my | cut_attack_surface | OK
CONFIG_IP_SCTP | is not set | my | cut_attack_surface | OK
CONFIG_FTRACE | is not set | my | cut_attack_surface | OK
CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | OK: not found
CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | OK
CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK
CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | OK

[+] Config check is finished: 'OK' - 120 / 'FAIL' - 20
Options needed for virtualbox:
CONFIG_TRIM_UNUSED_KSYMS - must be disabled
CONFIG_STATIC_USERMODEHELPER - must be disabled
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY - must be disabled
CONFIG_MODULE_SIG_FORCE - must be disabled

On the laptop I want CONFIG_HIBERNATION enabled.

When enabled, CONFIG_UBSAN_TRAP will make the kernel purposely unstable.

Every option is well described when running nconfig/xconfig, so the user would know what each option means. I have been running the above setup for two years now on Intel laptops, so I think that this is quite safe and does not affect kernel stability.
 
3 members found this post helpful.
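
Added example (not part of the thread and not kconfig-hardened-check's own code): the check-and-triage loop from posts #1 and #4 in Python, comparing a .config against a few desired values from the report above and separating the FAILs the poster accepts (virtualbox, hibernation) from those still to review. The sample .config is constructed, the function names are made up for this example, and only exact-value comparison is assumed.

```python
import re

# Desired values copied from rows of the report in post #4 (a small subset).
RULES = {
    "CONFIG_STACKPROTECTOR_STRONG": "y",
    "CONFIG_MODULE_SIG_FORCE": "y",
    "CONFIG_TRIM_UNUSED_KSYMS": "y",
    "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536",
    "CONFIG_HIBERNATION": "is not set",
    "CONFIG_DEVKMEM": "is not set",
    "CONFIG_IO_URING": "is not set",
}

# Deviations post #4 accepts, with the reason given there.
ACCEPTED = {
    "CONFIG_MODULE_SIG_FORCE": "must be disabled for virtualbox",
    "CONFIG_TRIM_UNUSED_KSYMS": "must be disabled for virtualbox",
    "CONFIG_HIBERNATION": "wanted enabled on the laptop",
}

SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Return {option: value}; explicitly unset options map to 'is not set'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "is not set"
    return opts


def triage(opts, rules=RULES, accepted=ACCEPTED):
    """Sort each rule into ok / accepted (documented exception) / todo."""
    result = {"ok": [], "accepted": [], "todo": []}
    for name, want in rules.items():
        # An option absent from .config counts as unset, matching the
        # "OK: not found" rows in the report.
        have = opts.get(name, "is not set")
        if have == want:
            result["ok"].append(name)
        elif name in accepted:
            result["accepted"].append((name, accepted[name]))
        else:
            result["todo"].append((name, have))
    return result


# Constructed sample .config fragment (not the poster's real file).
SAMPLE_CONFIG = """\
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_TRIM_UNUSED_KSYMS is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_HIBERNATION=y
CONFIG_IO_URING=y
CONFIG_LOCALVERSION="-hardened"
"""

if __name__ == "__main__":
    for bucket, items in triage(parse_kconfig(SAMPLE_CONFIG)).items():
        print(bucket, items)
```

Keeping the accepted deviations in one place with their reasons means each rebuild only has to look at the "todo" bucket.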
Old 08-20-2021, 10:44 AM   #5
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,365

Rep: Reputation: 2335
I did a few iterations of HLFS back 15+ years ago, and the main emphasis was on patches, not merely kernel options. When I started that stuff, Linux was vulnerable to stack overflow and buffer overflow vulnerabilities. Your options were a paranoid SELinux which RH were bigging up, or PaX & grsecurity patch suites. There were patches for gcc, glibc, kernel & some individual programs.

I had the impression everybody had tightened their games up, except SELinux. Nearly every bug I was patching for has been developed out of the kernel & gcc. Features I was adding with patch suites have been implemented in the native programs. But PaX & grsecurity are still up there. Are you using them?
 
Old 08-20-2021, 12:05 PM   #6
Aeterna
Senior Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 1,011

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by business_kid View Post
I did a few iterations of HLFS back 15+ years ago, and the main emphasis was on patches, not merely kernel options. When I started that stuff, Linux was vulnerable to stack overflow and buffer overflow vulnerabilities. Your options were a paranoid SELinux which RH were bigging up, or PaX & grsecurity patch suites. There were patches for gcc, glibc, kernel & some individual programs.

I had the impression everybody had tightened their games up, except SELinux. Nearly every bug I was patching for has been developed out of the kernel & gcc. Features I was adding with patch suites have been implemented in the native programs. But PaX & grsecurity are still up there. Are you using them?
grsecurity is commercial now. I used it in the past though.

Now, before anyone asks: maintainer is Arch Linux Project Leader & Security Team.

To enable all these options in a hardened kernel, more work from the user is needed, so I felt that simple modification of the standard kernel is the easiest thing to do.
I am not certain, though, if kernel hardening is of any interest.

The default, unmodified kernel had/has some security problems: IPv6 (I disabled it) and BPF (disabled too) are good examples of such issues. Because I don't have any efficient way of controlling everything that potentially may cause problems, I use the hardening approach and disable everything that I don't need.

Last edited by Aeterna; 08-20-2021 at 12:09 PM.
 
1 members found this post helpful.
Old 12-20-2021, 05:01 AM   #7
pyllyukko
LQ Newbie
 
Registered: Dec 2007
Location: 🇫🇮
Distribution: Slackware
Posts: 10

Rep: Reputation: 6
Hi.

I have a repo for hardened kernel config for Slackware. It used to use grsecurity (hence the repo name), but as it went commercial I switched to KSPP. Haven't updated it in a while, but I'll probably do that once Slackware 15 is released.

I also have a SlackBuild for TPE kernel module (which was part of grsec).
 
1 members found this post helpful.
Old 12-20-2021, 02:07 PM   #8
enorbet
Senior Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware = Main OpSys
Posts: 4,785

Rep: Reputation: 4435
What is the consensus on the usefulness (and depth and accuracy) of Enterprise system security evaluation abilities of LYNIS ?
 
2 members found this post helpful.
Old 12-21-2021, 03:29 AM   #9
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers)/Windows 11/Ubuntu (workstations)
Posts: 610

Rep: Reputation: 355
I use Lynis (free version) as a source of extra verification of my configurations, I even added/corrected some tests (for LILO, MySQL and PostgreSQL) but from my point of view it is somewhere in the middle. Not all tests are for Slackware (I have disabled some of them) and some need improvement.
 
2 members found this post helpful.
Old 12-21-2021, 09:35 PM   #10
Aeterna
Senior Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 1,011

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by enorbet View Post
What is the consensus on the usefulness (and depth and accuracy) of Enterprise system security evaluation abilities of LYNIS ?
You can also try a few other programs, but they are not tweaked for Slackware. Most are geared towards RedHat and Debian/Ubuntu. Nevertheless, they can partially diagnose potential issues with Slackware and can point to some hardening options.

very short list:
https://github.com/toniblyx/prowler
https://github.com/lateralblast/lunar
https://github.com/OpenSCAP/openscap/releases
https://github.com/archerysec/archerysec
https://github.com/intrigueio/intrigue-core

interesting is OpenVAS (based on Nessus before Nessus went closed source/commercial)
https://github.com/greenbone/openvas-scanner
 
1 members found this post helpful.
Old 12-23-2021, 03:47 AM   #11
enorbet
Senior Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware = Main OpSys
Posts: 4,785

Rep: Reputation: 4435
Thanks guys. I am aware from running Lynis that, quite naturally, it is not distro specific and therefore must include systemd stuff. I have been able to ignore those concerns. I just wondered if the testing seemed fairly deep and accurate. I have learned a few things from it and made adjustments, but besides being not distro specific it is also not SOHO Desktop specific and I haven't run a 24/7 server in over a decade, so currently my concern is a reasonably safe desktop system.

FWIW I am presently building a system with a pre-ME era Intel CPU to compare. It is my understanding System76 sells some PCs that have such intrusive "features" disabled, but I want to see for myself by comparing how secure pre vs. post ME operates.
 
Old 12-23-2021, 07:41 AM   #12
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,833
Blog Entries: 17

Rep: Reputation: 640
Quote:
Originally Posted by Aeterna View Post
Nevertheless they partially can diagnose potential issues with Slackware and can point to some hardening options.
Just curiosity, but have you been using the hardening options which require GCC plugins? What's your thought on the introduction of security features in the kernel that require GCC plugins to work? Or the topic in general. It has more to do with GCC actually, and the way they have now changed some policies and ways of doing things.

I don't like it much to be frank, so I haven't been using those options requiring GCC plugins, although I would want to use them. I just don't like the idea of GCC plugins. Seems like something that can fracture things a lot in the future.

And well, in the context of Slackware, has anyone been using GCC Plugins yet?

Last edited by zeebra; 12-23-2021 at 07:43 AM.
 
2 members found this post helpful.
  

