make hardening.config
Goverp
Advocate
Joined: 07 Mar 2007
Posts: 2182

PostPosted: Wed Oct 16, 2024 12:13 pm    Post subject: make hardening.config Reply with quote

There's a relatively new (kernel 6.7) "hardening.config" "make" target for the kernel. I thought I'd try it. It claims to set various settings which provide more security without too heavy a performance overhead.
It's easy to use - in your kernel build directory (usually /usr/src/linux for vanilla Gentoo setups), run
Code:
make hardening.config

It keeps the rest of your configuration untouched.

It added a few more checks to my kernel - I disabled some I thought were overkill for my environment. I'll report back later if I notice any performance impact.
(Note that I use git sources from kernel.org rather than gentoo-sources; maybe the latter already include the hardened settings.)

<edit>No noticeable performance impact. I've not tried any benchmarking though.</edit>
_________________
Greybeard


Last edited by Goverp on Wed Oct 16, 2024 3:27 pm; edited 1 time in total
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5167
Location: Bavaria

PostPosted: Wed Oct 16, 2024 12:47 pm    Post subject: Reply with quote

I would just like to point out that there are two files (for x86):

/usr/src/linux/kernel/configs/hardening.config
/usr/src/linux/arch/x86/configs/hardening.config

(also mentioned here: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP )
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54596
Location: 56N 3W

PostPosted: Wed Oct 16, 2024 12:51 pm    Post subject: Reply with quote

Beaten by a short head.

gentoo-sources does include several preset knobs for hardening.
You can use the groups or set them to your taste.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
user
Apprentice
Joined: 08 Feb 2004
Posts: 212

PostPosted: Wed Oct 16, 2024 1:57 pm    Post subject: Reply with quote

Hi,
The package app-admin/kernel-hardening-checker is also helpful for searching through unstructured kernel config options regarding hardening items.
CaptainBlood
Advocate
Joined: 24 Jan 2010
Posts: 3937

PostPosted: Wed Oct 16, 2024 2:38 pm    Post subject: Reply with quote

user wrote:
Hi,
The package app-admin/kernel-hardening-checker is also helpful for searching through unstructured kernel config options regarding hardening items.
Using it here.

Some settings must be used with a pinch of salt, especially
Code:
CONFIG_STATIC_USERMODEHELPER
which prevents the system from booting here.
Some additional user-space work seems required, whose role seems to be filtering kernel calls to user space.
Couldn't find data reliable enough to my taste to start working on that feature.
Code:
CONFIG_BLK_DEV_WRITE_MOUNTED
is another one I could figure how to work it out.
Prevented from booting IIRC.

All other settings' impact is only performance related here.

Some settings only make sense with a new enough CPU, e.g.
Code:
CONFIG_X86_USER_SHADOW_STACK
which the kernel reports for CPU >= 2020.

I'd advise experimenting on an alternate version of the kernel.
Setting
Code:
CONFIG_LOCALVERSION
should help.

Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
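The first post's "make hardening.config" merges the kernel's hardening fragment into the build's .config, and the posts above discuss which of the merged options to keep (CONFIG_STATIC_USERMODEHELPER, for example). As an added example that is not part of this thread, of gentoo-sources, or of the kernel's own merge tooling, the Python script below parses a fragment and a .config in the same "CONFIG_X=y" / "# CONFIG_X is not set" format and reports which fragment options the final .config honours, which were kept at a different value, and which are absent altogether (what happens when a dependency is unmet, e.g. CONFIG_STATIC_USERMODEHELPER_PATH once CONFIG_STATIC_USERMODEHELPER is turned back off). The fragment and .config text embedded in the script are constructed samples: the option names are real kernel symbols, but the selection and values are not taken from any particular system or from the real hardening.config.

```python
"""Check a kernel .config against a hardening.config-style fragment.

Added example, not part of the forum thread or of the kernel's own
merge tooling. Both inputs use the plain Kconfig output format:
    CONFIG_FOO=y              option set to a value
    # CONFIG_FOO is not set   option explicitly disabled
"""
import re
import sys
from typing import Dict, List, Optional

_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

# Constructed sample fragment in the style of kernel/configs/hardening.config.
# The symbols are real kernel options; the selection is illustrative only.
SAMPLE_FRAGMENT = """\
# constructed hardening fragment (not the real hardening.config)
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_RANDSTRUCT_FULL=y
# CONFIG_DEVMEM is not set
CONFIG_STATIC_USERMODEHELPER=y
CONFIG_STATIC_USERMODEHELPER_PATH=""
"""

# Constructed sample .config: the fragment was applied, then the builder turned
# CONFIG_STATIC_USERMODEHELPER back off, so its dependent _PATH symbol is gone.
SAMPLE_CONFIG = """\
CONFIG_LOCALVERSION="-hardening-test"
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_RANDSTRUCT_FULL=y
# CONFIG_DEVMEM is not set
# CONFIG_STATIC_USERMODEHELPER is not set
"""


def parse_kconfig(text: str) -> Dict[str, Optional[str]]:
    """Map each CONFIG_ symbol to its value, or None for 'is not set'.

    Other comments and blank lines are ignored; a later line for the same
    symbol overrides an earlier one, as happens when fragments are merged.
    """
    options: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            options[m.group(1)] = None
    return options


def compare(fragment: Dict[str, Optional[str]],
            config: Dict[str, Optional[str]]) -> Dict[str, list]:
    """Classify every fragment option against the final .config.

    ok:       .config has exactly the value the fragment asks for
    mismatch: symbol present but with a different value (overridden by hand
              or changed by a later 'make oldconfig')
    missing:  symbol absent from .config, usually because a dependency is
              unmet so Kconfig never offered it
    """
    report: Dict[str, list] = {"ok": [], "mismatch": [], "missing": []}
    for symbol, wanted in fragment.items():
        if symbol not in config:
            report["missing"].append(symbol)
        elif config[symbol] == wanted:
            report["ok"].append(symbol)
        else:
            report["mismatch"].append((symbol, wanted, config[symbol]))
    return report


def format_report(report: Dict[str, list]) -> List[str]:
    """One line per problem symbol, followed by a one-line summary."""
    show = lambda v: "not set" if v is None else v
    lines = []
    for symbol, wanted, actual in report["mismatch"]:
        lines.append(f"MISMATCH {symbol}: fragment wants {show(wanted)}, "
                     f".config has {show(actual)}")
    for symbol in report["missing"]:
        lines.append(f"MISSING  {symbol}: not present in .config (dependency unmet?)")
    lines.append(f"{len(report['ok'])} ok, {len(report['mismatch'])} mismatch, "
                 f"{len(report['missing'])} missing")
    return lines


if __name__ == "__main__":
    # Usage: python3 hardening_check.py kernel/configs/hardening.config .config
    # With no arguments the constructed samples above are compared instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            frag_text = f.read()
        with open(sys.argv[2]) as f:
            conf_text = f.read()
    else:
        frag_text, conf_text = SAMPLE_FRAGMENT, SAMPLE_CONFIG
    for line in format_report(compare(parse_kconfig(frag_text),
                                      parse_kconfig(conf_text))):
        print(line)
```

Run it from the kernel build directory after "make hardening.config" and again after "make oldconfig" or a manual menuconfig pass; the MISSING lines are the ones to look at first, since they are exactly the options the merge silently could not apply.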
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5167
Location: Bavaria

PostPosted: Wed Oct 16, 2024 3:21 pm    Post subject: Reply with quote

CaptainBlood wrote:
[...] Some settings must be used with a pinch of salt, especially
Code:
CONFIG_STATIC_USERMODEHELPER
which prevents the system from booting here.
Some additional user-space work seems required, whose role seems to be filtering kernel calls to user space.

Yes, this is the reason I wrote:
Quote:
8. Enable it and make sure that the PATH is empty. But test whether everything still works afterwards, because I got a report that iptables does not work properly anymore if it has to load netfilter modules (not verified because I have all netfilter modules statically configured in the kernel and therefore have no problem with iptables AND this option).

I have just added to my article:
https://wiki.gentoo.org/index.php?title=User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP&curid=312650&diff=1316477&oldid=1315956
_________________
https://wiki.gentoo.org/wiki/User:Pietinger