Security Handbook/Kernel security

This section is on securing the system's kernel. == Kernel security ==

Removing functionality
The basic rule when configuring the kernel is to remove everything that you do not need. This will not only create a small kernel but also remove the vulnerabilities that may lie inside drivers and other features.

Also consider turning off loadable module support. Even though it is possible to add root kits without this features, it does make it harder for normal attackers to install root kits via kernel modules.

Grsecurity
The patch from Grsecurity is standard in the kernel package but is disabled by default. Configure your kernel as you normally do and then configure the Grsecurity options. An in-depth explanation on the available Grsecurity options is available on the Gentoo Hardened project page.

Recent hardened kernel sources provide the 4.* version of Grsecurity. For more information on this improved Grsecurity patch set, please consult the documentation available on the Grsecurity home page.

Kerneli
Kerneli is a patch that adds encryption to the existing kernel. By patching your kernel you will get new options such as cryptographic ciphers, digest algorithms and cryptographic loop filters.

Other kernel patches

 * The OpenWall Project
 * Rule Set Based Access Control (RSBAC)
 * NSA's security enhanced kernel (SE Linux)