Kernel Hardening - security-misc

1 Like

Most seem to be kernel config options. Not things that can be changed via sysctl or boot parameters.

One that does look interesting though is page_alloc.shuffle=1 although this is only for later kernel versions. Debian will likely enable this by default once it comes.

There’s nothing here we don’t already do or would require a custom kernel.

Also, Copperhead is not a good source anymore after they kicked out Daniel Micay and started scamming users.

2 Likes

Indeed.

perhaps it is more efficient to tell ujpstream to not include map files in the package?

Does removing them add any protection for a publicly compiled kernel anyhow?

2 Likes

madaidan via Whonix Forum:

There’s nothing here we don’t already do or would require a custom kernel.

Also, Copperhead is not a good source anymore after they kicked out Daniel Micay and started scamming users.

I didn’t follow these developments. However, possibly these these
websites are still the same as created by Daniel Micay and never updated
since. Also, we’d use them as as inspiration (like from any source
anyway), and then independently verify all claims (before we make
changes on our side) not for face value.

1 Like

@onion_knight wrote in VMs do no start until the CPU configuration is set to “Copy host CPU configuration” - #4 by onion_knight

3 posts were merged into an existing topic: enable Linux kernel gpg verification in grub and/or enable Secure Boot by default

1 Like

Something useful here?

1 Like

A post was merged into an existing topic: kernel recompilation for better hardening

I just wanted to point out in folder /etc/default/grub.d/40_kernel_hardening.cfg, there is this entry: “slab_debug=FZP”
Should it be “slub_debug=FZP” instead?

3 Likes

Yes, thanks! I don’t know how we overlooked that.

1 Like

Sure thing! I have many same harden features on my host and see (on host) that the slab_nomerge setting is used together with slub_debug=FZP (and also page_poison=1)

I found an excellent write-up on Tails site in this documentation section

2 Likes

This guide has some interesting stuff although I’m not sure I’d trust someone to give an informed opinion on security when they’re using leetspeak and saying stuff like “S0rry. I barely use SELinux for reasons. The 1st one is I don’t trust NSA”.

There is some interesting anti-DDoS sysctl settings though which may be helpful.

1 Like

Some of those sysctl settings are useful; I know Whonix has a lot of them by default. Also, Whonix’s iptables rules are great for stopping some attacks the author mentions without having to mess with memory page size and other performance-related setting
I lol’d at his h4ck0rz stuff to

1 Like

Something useful here?

https://wiki.kairaven.de/open/os/linux/tuxsectune

1 Like

There doesn’t seem to be anything that we don’t already do or are working on.

There is a section on /etc/fstab which might be useful for (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? - #15 by Patrick

1 Like

I can say that this setting works very well in regular Debian Buster.
It is an /etc/fstab line to help protect shared memory

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

You can edit the file directly, or more favourably, if there is such a thing as /etc/fstab.d? you can put it there.

I have not tried it on Whonix but it would probably work

1 Like

Was discussed before. Even an upstream issue was opened. Please search first.

2 Likes
2 Likes