Whonix should implement more kernel hardening. All of these settings add no or only a very minimal performance decrease.
Setting “kernel.kptr_restrict=1” makes kernel symbols in /proc/kallsyms only accessible to root which can make it more difficult for a kernel exploit to resolve addresses/symbols. Setting it to 2 hides the symbols regardless of privileges.
Setting “kernel.dmesg_restrict=1” restricts access to the kernel logs which can give an attacker less information on what they can do.
Setting “kernel.unprivileged_bpf_disabled=1” and “net.core.bpf_jit_harden=2” hardens the BPF JIT compiler and restricts it to root. It comes with a performance drop on systems that use the JIT compiler a lot, but this should only really affect servers.
Setting “vm.mmap_rnd_bits=32” and “vm.mmap_rnd_compat_bits=16” improves KASLR effectiveness for mmap.
These can all be set in files in /etc/sysctl.d.
I have tested all of these on Whonix Gateway and Whonix Workstation and they worked fine.
Adding “slab_nomerge” as a boot parameter may also be useful. slab_nomerge disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
Mounting /proc with hidepid=2 in /etc/fstab will hide other users’ processes from unprivileged users. This makes it a lot harder for an attacker to get information about other running processes. This did break systemd-logind for me on Whonix even when I added an exception for systemd-logind.
It may also be good to look into using the linux-hardened kernel. Would it be possible to use this for Whonix?
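The following is an added example, not part of the original post: it prints the /etc/sysctl.d drop-in for the sysctl values listed above and audits a running kernel against them (the drop-in file name and the audit functions are assumptions, not anything Whonix ships).

```shell
# Added example, not from the forum post. Emits the sysctl.d drop-in for the
# values listed above and checks a kernel's live values against them.

# Recommended key=value pairs from the post (exact-match audit is an assumption;
# kernel.kptr_restrict=2 would also be acceptable per the post).
HARDENING_SYSCTLS="kernel.kptr_restrict=1
kernel.dmesg_restrict=1
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16"

# sysctl_dropin: print the drop-in, e.g. to the hypothetical
# /etc/sysctl.d/30-hardening.conf; applied with `sysctl --system`.
sysctl_dropin() {
    echo "# Kernel hardening settings, loaded by sysctl --system"
    printf '%s\n' "$HARDENING_SYSCTLS"
}

# audit_sysctl [ROOT]: compare each key's live value under ROOT (default
# /proc/sys) with the recommended one. Prints one line per deviation and
# returns the number of keys that are missing or differ (0 = all applied).
audit_sysctl() {
    root="${1:-/proc/sys}"
    bad=0
    for pair in $HARDENING_SYSCTLS; do
        key="${pair%%=*}"
        want="${pair#*=}"
        # kernel.kptr_restrict -> $root/kernel/kptr_restrict
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING  $key (no $path)"
            bad=$((bad + 1))
        else
            have="$(cat "$path")"
            if [ "$have" != "$want" ]; then
                echo "MISMATCH $key: have $have, want $want"
                bad=$((bad + 1))
            fi
        fi
    done
    return "$bad"
}
```

Running `audit_sysctl` with no argument reads the live /proc/sys tree; passing a directory lets you check a copied tree offline.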
Edit by Patrick: