Security Handbook/Kernel security

Security Handbook
Concepts
General Guidance
Boot Path Security
Information Security
Logging
Mounting partitions
User and group limitations
File permissions
PAM
Kernel security
Firewalls and Network Security
Securing services
Chrooting and virtual servers
Intrusion detection
Staying up-to-date

This section is on securing the Linux kernel.

Background and history

Resources

Official documentation

Bugs (upstream)

Kerneli

Kerneli was a patch developed in the late 1990s/early 2000s^[1]^[2] which added support for cryptographic ciphers, digest algorithms and cryptographic loop filters, as early versions of the kernel did not contain these due to export regulations. Since the introduction of the Crypto API in version 2.5.45^[3]^[4], this is only of historical interest now.

Prior vulnerabilities

Basics

Removing whatever is unneeded when configuring the kernel will minimize attack surface, create a more optimized kernel, and reduce the chance for bugs in drivers or other features to be a means of compromise.

If loadable module support is unnecessary (CONFIG_MODULES=n), disable it. Though it is still possible to add rootkits without this feature, removing it makes it harder for attackers to install them via kernel modules. For further information see Kernel_Modules#Going completely "module-less". If modules are needed, the kernel should be set to load only digitally signed modules (see Signed kernel module support).

Particulars

Debugging features

Kernel lockdown

Information on kernel lockdown modes is available at the dedicated page.

Kernel Self-Protection Project

The Kernel Self-Protection Project now has its own page that gives an overview of the project and how to enable the recommended hardening options on Gentoo.

Memory

Secure boot

Using sysctl

sysctl can be used to manipulate the /etc/sysctl.conf configuration file.

External resources

An abridged history of Linux kernel security — Russell Currey (Everything Open 2023)
ASLR-NG: ASLR Next Generation
Kernel Address Space Layout Randomization — Kees Cook, Linux Security Summit 2013^[5]
Kernel address randomization — Jonathan Corbet, 2011
Kernel Security Is Cool Again — Casey Schaufler, linux.conf.au 2019
Overview of the Linux Kernel Security Subsystem — James Morris, Microsoft
Rule Set Based Access Control (RSBAC)
The OpenWall Project

References

← PAM Home Firewalls and Network Security →

[1] ttps://web.archive.org/web/20030621175244/http://www.kerneli.org/index.php

[2] ttps://web.archive.org/web/20041115031321/http://mail.nl.linux.org/linux-crypto/2000-09/msg00015.html

[3] ttps://lwn.net/Articles/13587/

[4] ttps://web.archive.org/web/20080218022224/http://www.linuxjournal.com/article/6451

[5] ttps://kernsec.org/wiki/index.php/Linux_Security_Summit_2013

[1]

[2]

[3]

[4]

[5]