Security Handbook/Kernel security
This section is on securing the Linux kernel.
Background and history
Kerneli
Kerneli was a patch developed in the late 1990s/early 2000s[1][2] which added support for cryptographic ciphers, digest algorithms and cryptographic loop filters, as early versions of the kernel did not contain these due to export regulations. Since the introduction of the Crypto API in version 2.5.45[3][4], this is only of historical interest now.
Prior vulnerabilities
Basics
Removing whatever is unneeded when configuring the kernel will minimize attack surface, create a more optimized kernel, and reduce the chance for bugs in drivers or other features to be a means of compromise.
If loadable module support is unnecessary (CONFIG_MODULES=n), disable it. Though it is still possible to add rootkits without this feature, removing it makes it harder for attackers to install them via kernel modules. For further information see Kernel_Modules#Going completely "module-less". If modules are needed, the kernel should be set to load only digitally signed modules (see Signed kernel module support).
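As an added example that is not part of the handbook, the following POSIX shell functions check a kernel .config for the two settings this section discusses (no module support, or signing enforced) and the runtime kernel.modules_disabled sysctl. The function names and the summary labels are this example's own; the config file and /proc path are arguments so it can be pointed at any file.

```shell
#!/bin/sh
# Added example (not from the Gentoo handbook): audit module hardening.
# Assumes a plain-text .config ("CONFIG_FOO=y" / "# CONFIG_FOO is not set").

# Print the value of option $2 in config file $1 ("y", "m", ...),
# or "n" when the option is "not set" or absent from the file.
kconfig_value() {
    file="$1"; opt="$2"
    val=$(sed -n "s/^${opt}=//p" "$file" | head -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'n\n'; fi
}

# Classify the module hardening of config file $1. Prints one of:
#   moduleless      - CONFIG_MODULES=n: no loadable modules at all
#   signed-enforced - modules allowed, but only signed ones load
#   signed-warn     - signing enabled, yet unsigned modules still load
#   unrestricted    - any module may be loaded
audit_module_hardening() {
    file="$1"
    if [ "$(kconfig_value "$file" CONFIG_MODULES)" = "n" ]; then
        echo moduleless
    elif [ "$(kconfig_value "$file" CONFIG_MODULE_SIG_FORCE)" = "y" ]; then
        echo signed-enforced
    elif [ "$(kconfig_value "$file" CONFIG_MODULE_SIG)" = "y" ]; then
        echo signed-warn
    else
        echo unrestricted
    fi
}

# Runtime check: kernel.modules_disabled=1 blocks further module loading
# until reboot. $1 defaults to the live /proc file; a path can be passed
# for offline testing. Prints "locked", "open" or "unavailable".
modules_disabled_runtime() {
    proc="${1:-/proc/sys/kernel/modules_disabled}"
    if [ ! -r "$proc" ]; then echo unavailable; return; fi
    if [ "$(cat "$proc")" = "1" ]; then echo locked; else echo open; fi
}

# Usage: sh audit.sh /boot/config-$(uname -r)
if [ -n "${1:-}" ]; then
    echo "config:  $(audit_module_hardening "$1")"
    echo "runtime: $(modules_disabled_runtime)"
fi
```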
Particulars
Debugging features
Kernel lockdown
Information on kernel lockdown modes is available at the dedicated page.
Kernel Self-Protection Project
The Kernel Self-Protection Project now has its own page that gives an overview of the project and how to enable the recommended hardening options on Gentoo.
Memory
Secure boot
Using sysctl
sysctl can be used to read and set kernel parameters at runtime; settings that should persist across reboots are placed in the /etc/sysctl.conf configuration file.
See also
- Kernel — the core of the operating system.
- Kernel Modules — object files that contain code to extend the kernel of an operating system.
- Signed kernel module support — allows further hardening of the system by disallowing unsigned kernel modules, or kernel modules signed with the wrong key, to be loaded.
External resources
- An abridged history of Linux kernel security — Russell Currey (Everything Open 2023)
- ASLR-NG: ASLR Next Generation
- Kernel Address Space Layout Randomization — Kees Cook, Linux Security Summit 2013[5]
- Kernel address randomization — Jonathan Corbet, 2011
- Kernel Security Is Cool Again — Casey Schaufler, linux.conf.au 2019
- Overview of the Linux Kernel Security Subsystem — James Morris, Microsoft
- Rule Set Based Access Control (RSBAC)
- The OpenWall Project
References
- ↑ https://web.archive.org/web/20030621175244/http://www.kerneli.org/index.php
- ↑ https://web.archive.org/web/20041115031321/http://mail.nl.linux.org/linux-crypto/2000-09/msg00015.html
- ↑ https://lwn.net/Articles/13587/
- ↑ https://web.archive.org/web/20080218022224/http://www.linuxjournal.com/article/6451
- ↑ https://kernsec.org/wiki/index.php/Linux_Security_Summit_2013