Goverp Advocate
Joined: 07 Mar 2007 Posts: 2185
Posted: Wed Oct 16, 2024 12:13 pm Post subject: make hardening.config
There's a relatively new (kernel 6.7) "hardening.config" make target for the kernel. I thought I'd try it. It claims to set various settings which provide more security without too heavy a performance overhead.
It's easy to use: in your kernel build directory (usually /usr/src/linux for vanilla Gentoo setups), run
Code:
make hardening.config
It keeps the rest of your configuration untouched.
It added a few more checks to my kernel - I disabled some I thought were overkill for my environment. I'll report back later if I notice any performance impact.
(Note that I use git sources from kernel.org rather than gentoo-sources; maybe the latter already include the hardened settings.)
Edit: No noticeable performance impact. I've not tried any benchmarking though.
Greybeard
Last edited by Goverp on Wed Oct 16, 2024 3:27 pm; edited 1 time in total
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5211 Location: Bavaria
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54618 Location: 56N 3W
Posted: Wed Oct 16, 2024 12:51 pm Post subject:
Beaten by a short head.
gentoo-sources does include several preset knobs for hardening.
You can use the groups or set them to your taste.
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
user Apprentice
Joined: 08 Feb 2004 Posts: 212
Posted: Wed Oct 16, 2024 1:57 pm Post subject:
Hi,
package app-admin/kernel-hardening-checker is also helpful for searching through unstructured kernel config options regarding hardening items.
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3977
Posted: Wed Oct 16, 2024 2:38 pm Post subject:
user wrote:
    Hi,
    package app-admin/kernel-hardening-checker is also helpful for searching through unstructured kernel config options regarding hardening items.
Using it here.
Some settings must be used with a pinch of salt, especially CONFIG_STATIC_USERMODEHELPER, which prevents the system from booting here.
Some additional user-space work seems required, whose role seems to be filtering kernel calls to user space.
Couldn't find data reliable enough to my taste to start to work on that feature.
CONFIG_BLK_DEV_WRITE_MOUNTED is another one I could figure how to work it out.
Prevented from booting IIRC.
All other settings' impact is only performance related here.
Some settings only make sense with a new enough CPU, e.g. CONFIG_X86_USER_SHADOW_STACK, which the kernel reports for CPU => 2020.
I'd advise experimenting on an alternate version of the kernel.
Setting CONFIG_LOCALVERSION should help.
Thks 4 ur attention, interest & support.
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus."
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5211 Location: Bavaria
Posted: Wed Oct 16, 2024 3:21 pm Post subject:
CaptainBlood wrote:
    [...] Some settings must be used with a pinch of salt, especially CONFIG_STATIC_USERMODEHELPER, which prevents the system from booting here.
    Some additional user-space work seems required, whose role seems to be filtering kernel calls to user space.
Yes, this is the reason I wrote:
Quote:
    8. Enable it and make sure that the PATH is empty. But test whether everything still works afterwards, because I got a report that iptables does not work properly anymore if it has to load netfilter modules (not verified because I have all netfilter modules statically configured in the kernel and therefore have no problem with iptables AND this option).
I have just added this to my article:
https://wiki.gentoo.org/index.php?title=User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP&curid=312650&diff=1316477&oldid=1315956
https://wiki.gentoo.org/wiki/User:Pietinger
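As an added example (not code from the thread, from any of the posters or from the KSPP project), a POSIX shell script that shows what `make hardening.config` changed by diffing a copy of .config saved beforehand against the result, marking the options CaptainBlood and pietinger report as needing care (CONFIG_STATIC_USERMODEHELPER, CONFIG_BLK_DEV_WRITE_MOUNTED, CONFIG_X86_USER_SHADOW_STACK). The two sample .config files are constructed, and CONFIG_STATIC_USERMODEHELPER_PATH in the sample is assumed to be the "PATH" pietinger's quoted step refers to.

```shell
#!/bin/sh
# Added example, not from the thread: diff a kernel .config saved before
# `make hardening.config` against the one written afterwards and flag the options
# the posters report as needing care. The two sample .config files are constructed.
WATCH_OPTS="CONFIG_STATIC_USERMODEHELPER CONFIG_BLK_DEV_WRITE_MOUNTED CONFIG_X86_USER_SHADOW_STACK"

# Print "NAME OLD NEW" for each option whose value differs between $1 (before) and
# $2 (after). "# CONFIG_FOO is not set" reads as n; missing on one side -> "(absent)".
config_changes() {
    awk '
        FNR == 1 { file++ }
        /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { name = $2; val = "n"; hit = 1 }
        /^CONFIG_[A-Za-z0-9_]+=/ { eq = index($0, "=")
                                   name = substr($0, 1, eq - 1); val = substr($0, eq + 1); hit = 1 }
        hit { if (file == 1) before[name] = val; else after[name] = val; seen[name] = 1; hit = 0 }
        END { for (n in seen) {
                  b = (n in before) ? before[n] : "(absent)"
                  a = (n in after) ? after[n] : "(absent)"
                  if (b != a) print n, b, a } }' "$1" "$2" | sort
}

# Same listing, with a marker on the options in WATCH_OPTS.
flag_watched_changes() {
    config_changes "$1" "$2" | while read -r name old new; do
        mark=""
        for w in $WATCH_OPTS; do
            if [ "$w" = "$name" ]; then mark="  <-- thread reports caveats; test before keeping"; fi
        done
        printf '%s: %s -> %s%s\n' "$name" "$old" "$new" "$mark"
    done
}

# Constructed sample configs standing in for .config.before and .config.
BEFORE=$(mktemp); AFTER=$(mktemp)
cat >"$BEFORE" <<'EOF'
CONFIG_LOCALVERSION=""
# CONFIG_STATIC_USERMODEHELPER is not set
CONFIG_BLK_DEV_WRITE_MOUNTED=y
# CONFIG_X86_USER_SHADOW_STACK is not set
CONFIG_STACKPROTECTOR_STRONG=y
EOF
cat >"$AFTER" <<'EOF'
CONFIG_LOCALVERSION="-hardened"
CONFIG_STATIC_USERMODEHELPER=y
CONFIG_STATIC_USERMODEHELPER_PATH=""
# CONFIG_BLK_DEV_WRITE_MOUNTED is not set
CONFIG_X86_USER_SHADOW_STACK=y
CONFIG_STACKPROTECTOR_STRONG=y
EOF
flag_watched_changes "$BEFORE" "$AFTER"
```

On a real tree, `cp .config .config.before && make hardening.config` and then call `flag_watched_changes .config.before .config`; as CaptainBlood suggests, boot-test the marked options on a separately named kernel (CONFIG_LOCALVERSION) before keeping them.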