Security Handbook/Kernel security

From Gentoo Wiki

This section is on securing the Linux kernel.

Background and history


Kerneli was a patch developed in the late 1990s/early 2000s[1][2] which added support for cryptographic ciphers, digest algorithms and cryptographic loop filters, as early versions of the kernel did not contain these due to export regulations. Since the introduction of the Crypto API in version 2.5.45[3][4], this is only of historical interest now.

Prior vulnerabilities


Removing whatever is unneeded when configuring the kernel minimizes the attack surface, produces a smaller and more optimized kernel, and reduces the chance that a bug in an unused driver or other feature becomes a means of compromise.

If loadable module support is unnecessary (CONFIG_MODULES=n), disable it. Though it is still possible to add rootkits without this feature, removing it makes it harder for attackers to install them via kernel modules. For further information see Kernel_Modules#Going completely "module-less". If modules are needed, the kernel should be set to load only digitally signed modules (see Signed kernel module support).
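The two settings discussed above can be checked mechanically against a kernel configuration file. The following script is an added example, not part of the Gentoo Security Handbook; it assumes the configuration is available as a plain file (for example /usr/src/linux/.config, or /proc/config.gz after decompression) and classifies it as module-less, signature-enforced (CONFIG_MODULE_SIG=y with CONFIG_MODULE_SIG_FORCE=y), or weak. The three sample configs are constructed for the demonstration.

```shell
# Added example: audit a kernel .config for loadable-module posture.
# Assumes a plain-text kernel config file as input (not the running kernel).

# kconfig_value FILE SYMBOL -> prints the value of CONFIG_SYMBOL, or "n" when
# the symbol is absent or appears as "# CONFIG_SYMBOL is not set".
kconfig_value() {
    file=$1; sym=$2
    val=$(sed -n "s/^CONFIG_${sym}=//p" "$file" | head -n 1)
    if [ -z "$val" ]; then
        echo n
    else
        echo "$val"
    fi
}

# module_posture FILE -> one of:
#   module-less       CONFIG_MODULES=n: no module loading at all
#   signed-enforced   modules allowed, but only with a valid signature
#   weak              modules allowed and signatures not enforced
module_posture() {
    file=$1
    if [ "$(kconfig_value "$file" MODULES)" = n ]; then
        echo module-less
    elif [ "$(kconfig_value "$file" MODULE_SIG)" = y ] \
      && [ "$(kconfig_value "$file" MODULE_SIG_FORCE)" = y ]; then
        echo signed-enforced
    else
        echo weak
    fi
}

# Constructed sample configs (not real systems), one per posture.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/moduleless.config" <<'EOF'
# CONFIG_MODULES is not set
EOF
cat > "$SAMPLE_DIR/signed.config" <<'EOF'
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
EOF
cat > "$SAMPLE_DIR/weak.config" <<'EOF'
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
EOF

# Report the posture of each sample; "weak" is the case to act on.
for f in moduleless signed weak; do
    printf '%s: %s\n' "$f" "$(module_posture "$SAMPLE_DIR/$f.config")"
done
```

Run it against the real configuration with `module_posture /usr/src/linux/.config`; CONFIG_MODULE_SIG=y alone only enables signature checking (unsigned modules still load and merely taint the kernel), which is why the check insists on CONFIG_MODULE_SIG_FORCE=y as well.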


Debugging features

Kernel lockdown

Information on kernel lockdown modes is available at the dedicated page.

Kernel Self-Protection Project

The Kernel Self-Protection Project now has its own page that gives an overview of the project and how to enable the recommended hardening options on Gentoo.


Secure boot

Using sysctl

sysctl reads and writes kernel parameters at runtime; settings that should persist across reboots are kept in the /etc/sysctl.conf configuration file, which sysctl applies at boot.
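Because /etc/sysctl.conf is plain text, its contents can be audited against a baseline without touching the live kernel. The script below is an added example, not part of the Gentoo Security Handbook; it parses a sysctl.conf-style file (last assignment wins, as when the file is applied) and reports every key that deviates from a small baseline. The baseline values and the sample file are assumptions constructed for the demonstration, not Gentoo recommendations.

```shell
# Added example: audit an /etc/sysctl.conf-style file against a baseline.
# Only the file is parsed; nothing is applied to the running kernel.

# sysctl_conf_get FILE KEY -> prints the value assigned to KEY in FILE
# (last assignment wins), or nothing if KEY is not set there.
sysctl_conf_get() {
    file=$1; key=$2
    # drop comment lines (leading # or ;), then match "key = value"
    sed -e '/^[ \t]*[#;]/d' "$file" \
      | awk -v k="$key" -F= '{
            gsub(/^[ \t]+|[ \t]+$/, "", $1);
            gsub(/^[ \t]+|[ \t]+$/, "", $2);
            if ($1 == k) { v = $2; found = 1 }
        } END { if (found) print v }'
}

# Assumed baseline (constructed for this example): "key expected-value".
BASELINE='kernel.kptr_restrict 2
kernel.dmesg_restrict 1
kernel.unprivileged_bpf_disabled 1
net.ipv4.conf.all.rp_filter 1'

# audit_sysctl_conf FILE -> prints "KEY expected=X found=Y" for each
# deviation from BASELINE; prints nothing when the file matches.
audit_sysctl_conf() {
    file=$1
    printf '%s\n' "$BASELINE" | while read -r key want; do
        have=$(sysctl_conf_get "$file" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s found=%s\n' "$key" "$want" "${have:-<unset>}"
        fi
    done
}

# Constructed sample of a sysctl.conf with one wrong and one missing key.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed example of /etc/sysctl.conf
kernel.kptr_restrict = 1
kernel.dmesg_restrict=1
net.ipv4.conf.all.rp_filter = 1
EOF

audit_sysctl_conf "$SAMPLE_CONF"
```

Against the sample file this reports `kernel.kptr_restrict expected=2 found=1` and `kernel.unprivileged_bpf_disabled expected=1 found=<unset>`. Once the file is corrected, `sysctl -p` loads it into the running kernel, and `sysctl KEY` shows the value currently in effect.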

See also

  • Kernel — the core of the operating system.
  • Kernel Modules — object files that contain code to extend the kernel of an operating system.
  • Signed kernel module support — allows further hardening of the system by disallowing unsigned kernel modules, or kernel modules signed with the wrong key, to be loaded.

External resources