# Security
There are a few things that have to be done to harden the system. Some of the sources used are listed below.
* [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel)
* [PlagueOS](https://0xacab.org/optout/plagueos/-/wikis/Security-Considerations)
## AppArmor and LSM
AppArmor is a mandatory access control (MAC) mechanism that confines a program to the files and capabilities its profile allows. Install it with:
```
# apk add apparmor apparmor-profiles
# rc-update add apparmor default
```
Add AppArmor and the other Linux Security Modules (LSMs) to the `cmdline` in `/etc/kernel-hooks.d/secureboothook.conf`:
```
cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"
```
Then reconfigure `kernel-hooks` and reboot for it to take effect:
```
# apk fix kernel-hooks
# reboot
```
You can check the status of AppArmor with `aa-status` from `apparmor-utils`:
```
# apk add apparmor-utils
# aa-status
```
## Kernel settings
### Commandline
Many kernel settings can be passed on the kernel command line to make a system more secure, so add them to the `cmdline` in `/etc/kernel-hooks/secureboot.conf`:
```
cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1tf=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot"
```
After reconfiguring `kernel-hooks`, reboot; the system should still come up normally. There are more options that could make the system more secure, but most of them come with a big performance hit, so these settings should do for now.
> Whilst booting up your system you may see sysctl complaining about ipv6 settings. [We are trying to resolve the problem](https://git.bijl.us/lnco/documentation/issues/30).
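A quick way to confirm, after the reboot, that the AppArmor/LSM options and the hardening options above actually reached the kernel is to compare the hook's `cmdline=` line with `/proc/cmdline`. The script below is an added example and not part of the original page; the `want`/`have` strings in the demo are constructed, and the hook path in the usage comment is the one named above (adjust it to wherever your `cmdline=` line lives).

```sh
#!/bin/sh
# Added example, not part of the original page: after rebooting, confirm that
# the options written to the hook's cmdline= line actually reached the kernel
# by comparing them with /proc/cmdline. The strings in the demo are constructed.

# Extract the value of the cmdline="..." line from a kernel-hooks config file,
# dropping the "..." placeholder this page uses for the pre-existing options.
cmdline_from_conf() {
    sed -n 's/^cmdline="\(.*\)"$/\1/p' "$1" | sed 's/^\.\.\. *//'
}

# True when token $1 appears, exactly, in the space-separated string $2.
has_token() {
    for tok in $2; do [ "$tok" = "$1" ] && return 0; done
    return 1
}

# Print the value of "$1=..." in cmdline string $2 (nothing when absent).
cmdline_value() {
    for tok in $2; do
        case $tok in "$1="*) printf '%s\n' "${tok#*=}"; return 0 ;; esac
    done
    return 0
}

# Report every wanted token that is missing from the running command line and
# return the number of missing items (0 means everything was applied).
# lsm= is compared as a set of module names, so a different order passes;
# the order the kernel actually applied is listed in /sys/kernel/security/lsm.
cmdline_missing() {
    want=$1; have=$2; missing=0
    for t in $want; do
        case $t in
            lsm=*)
                have_lsm=",$(cmdline_value lsm "$have"),"
                for m in $(printf '%s' "${t#lsm=}" | tr , ' '); do
                    case $have_lsm in
                        *",$m,"*) ;;
                        *) printf 'lsm module %s\n' "$m"; missing=$((missing + 1)) ;;
                    esac
                done ;;
            *)
                has_token "$t" "$have" || { printf '%s\n' "$t"; missing=$((missing + 1)); } ;;
        esac
    done
    return "$missing"
}

# Constructed demo: a wanted line built from the options above, and a fake
# /proc/cmdline where the lockdown LSM was dropped and pti= was never set.
demo_cmdline_check() {
    want='apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor slab_nomerge init_on_alloc=1 pti=on lockdown=confidentiality'
    have='BOOT_IMAGE=/vmlinuz-lts root=/dev/sda2 lsm=landlock,yama,integrity,apparmor apparmor=1 slab_nomerge init_on_alloc=1 lockdown=confidentiality'
    cmdline_missing "$want" "$have"   # prints two lines, returns 2
}

# On a real system (hook path as configured above):
#   cmdline_missing "$(cmdline_from_conf /etc/kernel-hooks.d/secureboothook.conf)" "$(cat /proc/cmdline)"
demo_cmdline_check || true
```

The return value is the number of missing options, so the check can gate a post-boot script: a non-zero exit means the hook did not apply everything and the boot entry deserves a look before trusting the hardening.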
### Sysctl
More kernel settings can be configured through sysctl. Edit `/etc/sysctl.d/main.conf`:
```
# Main security configuration.
## Kernel
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.printk=3 3 3 3
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
dev.tty.ldisc_autoload=0
kernel.kexec_load_disabled=1
kernel.sysrq=0
kernel.perf_event_paranoid=3
## Network
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
## User space
kernel.yama.ptrace_scope=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
fs.protected_symlinks=1
fs.protected_hardlinks=1
fs.protected_fifos=2
fs.protected_regular=2
## For hardened_malloc
vm.max_map_count=1048576
```
This list is most likely still incomplete but should be good enough for now.
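Writing the file is only half the job: a key that is misspelled, not built into the kernel, or overridden by a later file in `/etc/sysctl.d` silently keeps its old value. The script below, an added example that is not part of the original page, parses a file in the layout above and compares each key with what the running kernel reports under `/proc/sys`. The sample file and the `fake_lookup` stand-in are constructed so it runs anywhere; on a real host call `sysctl_audit /etc/sysctl.d/main.conf`.

```sh
#!/bin/sh
# Added example (not part of the original page): audit a sysctl.d file against
# the values the running kernel actually reports via /proc/sys. Assumes the
# file format used above; the sample file and lookup below are constructed.

# Normalise a sysctl.d-style file to "key=value" lines: drop comments and blank
# lines, strip the optional leading '-' (sysctl's "ignore errors" marker),
# remove spaces around '=', and collapse whitespace inside values.
sysctl_pairs() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/^-//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" |
    while IFS='=' read -r key val; do
        printf '%s=%s\n' "$key" "$(printf '%s' "$val" | tr -s '[:space:]' ' ')"
    done
}

# Value the kernel currently reports for a key (dots map to /proc/sys path
# components). Prints nothing when the key does not exist on this kernel.
sysctl_current() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        tr -s '[:space:]' ' ' < "$path" | sed 's/ $//'
    fi
    return 0
}

# Compare every pair in $1 with the value returned by the lookup function $2
# (defaults to sysctl_current). Prints one line per mismatch and returns the
# number of mismatches, so 0 means the file is fully applied.
sysctl_audit() {
    conf=$1; lookup=${2:-sysctl_current}; bad=0
    tmp=$(mktemp); sysctl_pairs "$conf" > "$tmp"
    while IFS='=' read -r key want; do
        have=$("$lookup" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: want "%s", have "%s"\n' "$key" "$want" "${have:-<missing>}"
            bad=$((bad + 1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$bad"
}

# --- constructed demo data -------------------------------------------------
# Writes a small file in the layout of /etc/sysctl.d/main.conf and prints its path.
sample_conf_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample in the layout of /etc/sysctl.d/main.conf
## Kernel
kernel.kptr_restrict = 2
kernel.printk=3 3 3 3
kernel.sysrq=0
## User space
kernel.yama.ptrace_scope=2
EOF
    printf '%s\n' "$f"
}

# Stand-in for sysctl_current: a kernel where sysrq is still 16 and Yama is absent.
fake_lookup() {
    case $1 in
        kernel.kptr_restrict) printf '2\n' ;;
        kernel.printk)        printf '3\t3\t3\t3\n' | tr -s '[:space:]' ' ' | sed 's/ $//' ;;
        kernel.sysrq)         printf '16\n' ;;
    esac
    return 0
}

# Runs the audit on the constructed data; returns 2 (sysrq and ptrace_scope).
demo_audit() {
    f=$(sample_conf_file)
    sysctl_audit "$f" fake_lookup
    rc=$?
    rm -f "$f"
    return "$rc"
}

# Real use on the page's file: sysctl_audit /etc/sysctl.d/main.conf
demo_audit || true
```

A key reported as `<missing>` usually means the option is not compiled into the running kernel (for example `kernel.yama.ptrace_scope` without Yama in the `lsm=` list), which is worth knowing before assuming the setting protects anything.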
## Blacklisting modules
Work in progress.
## Linux-Hardened
Work in progress.
## Hardened Malloc (WIP)
The default memory allocator of musl is already reasonably secure, but not as secure as [hardened-malloc](https://github.com/GrapheneOS/hardened_malloc/):
```
# apk add hardened-malloc
```
Then, to set it system-wide, edit `/etc/ld-musl-x86_64.path`:
```
/usr/lib/libhardened_malloc.so
/lib
/usr/lib
/usr/local/lib
```
The light variant of hardened-malloc may be used instead of the default when graphical applications have problems with it:
```
/usr/lib/libhardened_malloc-light.so
```
## Entropy
Improve the security of the system by giving the kernel's random number generator an additional entropy source. Install `jitterentropy-library`:
```
# apk add jitterentropy-library
```
and create `/etc/modules-load.d/jitterentropy.conf` so that the kernel module gets loaded at boot:
```
jitterentropy_rng
```
## PAM
There are a few changes that can be made to improve login protection.
First install PAM through `util-linux-login` :
```
# apk add util-linux-login
```
A delay between failed attempts is a deterrent against brute-forcing logins. Add the following line to `/etc/pam.d/login`:
```
auth optional pam_faildelay.so delay=5000000
```
which adds a 5 second delay (the value is in microseconds) between login attempts.
The system can also enforce a stronger password hash, so that a leaked `/etc/shadow` is harder to crack. Edit the file `/etc/pam.d/base-password` and add the line below. Note that `nullok` permits accounts with an empty password to log in; drop it if every account must have a password.
```
password required pam_unix.so nullok sha512 shadow rounds=1000000
```
> If an account has already been created, change its password with `passwd <username>` so that it is also hashed with the new settings. When choosing a password, make sure that it is at least 8 characters long.