kernel hardening
by Aeterna from LinuxQuestions.org on (#5NG31)
this is directed to anyone interested in customized kernels :)
1) download kconfig-hardened-check tool:
https://github.com/a13xp0p0v/kconfig-hardened-check
2) unpack and run:
path_to/kconfig-hardened-check-master/bin/kconfig-hardened-check -c /usr/src/linux-5.13.12/.config
The script will list all the options that can be modified to get a hardened kernel, but it will not modify anything.
Reconfigure .config, build the kernel and run the tool again.
I got down to 19 failed options and preserved all kernel functionality (for example, in addition to listed options I disabled IPv6 and eBPF - both have a lot of security issues)
- some options must be enabled because I run virtualbox
- I disabled all debugging
- some security options sacrifice stability for security (as described when running xconfig)
Obviously, on personal workstation/desktop systems this is not very important but I regarded this as a challenge :)
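
Added example, not part of the original post and not code from kconfig-hardened-check: a small Python helper that diffs two iterations of a .config, so each rerun of the checker can be tied to the exact options changed in between. The sample fragments and the specific option names in them are constructed assumptions, not the poster's configuration.

```python
import re

# Matches "CONFIG_FOO=value" and the kconfig convention "# CONFIG_FOO is not set".
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """Return {option: value}; options marked 'is not set' map to 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def diff_configs(old_text, new_text):
    """List (option, old, new) for every option whose state changed.

    An option missing from a file is reported as 'absent', which is
    distinct from 'n': it usually means a dependency hid the option.
    """
    old, new = parse_config(old_text), parse_config(new_text)
    changes = []
    for name in sorted(old.keys() | new.keys()):
        before, after = old.get(name, "absent"), new.get(name, "absent")
        if before != after:
            changes.append((name, before, after))
    return changes


# Constructed sample fragments (assumed option choices, for illustration only).
BEFORE = ("CONFIG_IPV6=y\nCONFIG_BPF_SYSCALL=y\n"
          "CONFIG_DEBUG_FS=y\nCONFIG_MODULES=y\n")
AFTER = ("# CONFIG_IPV6 is not set\n# CONFIG_BPF_SYSCALL is not set\n"
         "# CONFIG_DEBUG_FS is not set\nCONFIG_MODULES=y\n"
         "CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y\n")

if __name__ == "__main__":
    for name, before, after in diff_configs(BEFORE, AFTER):
        print(f"{name}: {before} -> {after}")
```

To use it on real files, pass the contents of the previous and current .config to diff_configs() before rerunning the checker.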

