documentation/docs/alpine-desktop-setup/post-install/security.md

# Security

There are a few things that have to be done to optimize the security of the system.

Here are a few of the sources used:

* [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel).

* [PlagueOS](https://0xacab.org/optout/plagueos/-/wikis/Security-Considerations)

## Apparmor and LSM

Apparmor is a mandatory access control (MAC) mechanism which restricts a programs capabilities. Installation is easy:

```
# apk add apparmor apparmor-profiles
# rc-update add apparmor default
```

Add apparmor and other "Linux Security Modules" to the `cmdline` in `/etc/kernel-hooks/secureboothook.conf`:

```
cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"
```

Then reconfigure `kernel-hooks` and reboot for it to take effect:

```
# apk fix kernel-hooks
# reboot
```

You can check the status of apparmor using `apparmor-utils`:

```
# apk add apparmor-utils
# aa-status
```

## Cmdline

There are a lot of kernel settings which can be passed to the command line to make a system more secure. So lets add them to `/etc/kernel-hooks/secureboot.conf`:

```
cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot"
```

After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now. 

> Whilst booting up your system you may see sysctl complaining about ipv6 setting. [It's getting worked on](https://git.bijl.us/lnco/documentation/issues/30).

## Sysctl

More kernel settings can be configured through sysctl. Edit the file `/etc/sysctl.d/main.conf`:

```
# Main security configuration.

## Kernel
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.printk=3 3 3 3
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
dev.tty.ldisc_autoload=0
kernel.kexec_load_disabled=1
kernel.sysrq=0
kernel.perf_event_paranoid=3
random.trust_cpu=off

## Network
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0

## User space
kernel.yama.ptrace_scope=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
fs.protected_symlinks=1
fs.protected_hardlinks=1
fs.protected_fifos=2
fs.protected_regular=2

## For hardened_malloc
vm.max_map_count=1048576
```

This list is still incomplete.

## Blacklisting modules

WIP

## Linux-Hardened

WIP

## Hardened Malloc (WIP)

Musl's default memory allocator which comes with Alpine Linux is already pretty secure but not as secure as [hardened-malloc](https://github.com/GrapheneOS/hardened_malloc/):

```
# apk add hardened-malloc
```

Then to set it system wide edit `/etc/ld-musl-x86_64.path`:

```
/usr/lib/libhardened_malloc.so
/lib
/usr/lib
/usr/local/lib
```

You can also use the light variant of hardened-malloc because the default one may not work well with some graphical applications:

```
/usr/lib/libhardened_malloc-light.so
```

## Entropy

Improve the security of the system by improving the entropy and thus randomness. Install `jitterentropy-library`:

```
# apk add jitterentropy-library
```

And create a config file in `/usr/lib/modules-load.d/jitterentropy.conf` so that the kernel module gets loaded:

```
jitterentropy_rng
```

## PAM

There are a few changes that can be made to improve login protection.

Delays can be a deterent against bruteforcing login attempts. Simply add this line to it's corresponding section in `/etc/pam.d/login`:

```
auth optional pam_faildelay.so delay=5000000
```

Which will add a 5 second delay between login attempts.

The system can also enforce strong passwords with PAM with `libpwquality` which has to be installed first:

```
# apk add libpwquality
```

Then configure `/etc/pam.d/passwd`, you can configure it to your [liking](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam), but these settings should do:

```
password required pam_pwquality.so retry=2 minlen=10 difok=0 dcredit=0 ucredit=1 lcredit=0 ocredit=0 enforce_for_root
password required pam_unix.so use_authtok sha512 shadow nullok rounds=1000000
``` 

Then change your password so that its also secure:

```
$ passwd
```
Added initial security page 2023-12-28 23:59:55 +01:00			`# Security`

			`There are a few things that have to be done to optimize the security of the system.`

Updated fstab and added entropy 2023-12-29 15:42:12 +01:00			`Here are a few of the sources used:`

			`* [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel).`

Added section on login pam 2023-12-29 17:06:13 +01:00			`* [PlagueOS](https://0xacab.org/optout/plagueos/-/wikis/Security-Considerations)`

Added initial security page 2023-12-28 23:59:55 +01:00			`## Apparmor and LSM`

			`Apparmor is a mandatory access control (MAC) mechanism which restricts a programs capabilities. Installation is easy:`

			```
			`# apk add apparmor apparmor-profiles`
			`# rc-update add apparmor default`
			```

			Add apparmor and other "Linux Security Modules" to the `cmdline` in `/etc/kernel-hooks/secureboothook.conf`:

			```
			`cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"`
			```

			Then reconfigure `kernel-hooks` and reboot for it to take effect:

			```
			`# apk fix kernel-hooks`
			`# reboot`
			```

			You can check the status of apparmor using `apparmor-utils`:

			```
			`# apk add apparmor-utils`
			`# aa-status`
			```

			`## Cmdline`

Updated fstab and added entropy 2023-12-29 15:42:12 +01:00			There are a lot of kernel settings which can be passed to the command line to make a system more secure. So lets add them to `/etc/kernel-hooks/secureboot.conf`:
Added initial security page 2023-12-28 23:59:55 +01:00
			```
Updated things a bit 2023-12-29 15:10:42 +01:00			`cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot"`
Added initial security page 2023-12-28 23:59:55 +01:00			```

What is a ipv6? 2023-12-29 01:04:48 +01:00			After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now.

			`> Whilst booting up your system you may see sysctl complaining about ipv6 setting. [It's getting worked on](https://git.bijl.us/lnco/documentation/issues/30).`
Added initial security page 2023-12-28 23:59:55 +01:00
			`## Sysctl`

Updated fstab and added entropy 2023-12-29 15:42:12 +01:00			More kernel settings can be configured through sysctl. Edit the file `/etc/sysctl.d/main.conf`:
Added sysctl thing 2023-12-29 00:46:35 +01:00
			```
			`# Main security configuration.`

			`## Kernel`
			`kernel.kptr_restrict=2`
			`kernel.dmesg_restrict=1`
			`kernel.printk=3 3 3 3`
			`kernel.unprivileged_bpf_disabled=1`
			`net.core.bpf_jit_harden=2`
			`dev.tty.ldisc_autoload=0`
			`kernel.kexec_load_disabled=1`
			`kernel.sysrq=0`
			`kernel.perf_event_paranoid=3`
Updated fstab and added entropy 2023-12-29 15:42:12 +01:00			`random.trust_cpu=off`
Added sysctl thing 2023-12-29 00:46:35 +01:00
			`## Network`
			`net.ipv4.tcp_syncookies=1`
			`net.ipv4.tcp_rfc1337=1`
			`net.ipv4.conf.all.rp_filter=1`
			`net.ipv4.conf.default.rp_filter=1`
			`net.ipv4.conf.all.accept_redirects=0`
			`net.ipv4.conf.default.accept_redirects=0`
			`net.ipv4.conf.all.secure_redirects=0`
			`net.ipv4.conf.default.secure_redirects=0`
			`net.ipv4.conf.all.send_redirects=0`
			`net.ipv4.conf.default.send_redirects=0`
			`net.ipv4.icmp_echo_ignore_all=1`
			`net.ipv4.conf.all.accept_source_route=0`
			`net.ipv4.conf.default.accept_source_route=0`
			`net.ipv4.tcp_sack=0`
			`net.ipv4.tcp_dsack=0`
			`net.ipv4.tcp_fack=0`

A few corrections 2023-12-29 00:58:39 +01:00			`## User space`
Added sysctl thing 2023-12-29 00:46:35 +01:00			`kernel.yama.ptrace_scope=2`
			`vm.mmap_rnd_bits=32`
			`vm.mmap_rnd_compat_bits=16`
			`fs.protected_symlinks=1`
			`fs.protected_hardlinks=1`
			`fs.protected_fifos=2`
			`fs.protected_regular=2`
A few corrections 2023-12-29 00:58:39 +01:00
			`## For hardened_malloc`
			`vm.max_map_count=1048576`
Added sysctl thing 2023-12-29 00:46:35 +01:00			```

			`This list is still incomplete.`
Added initial security page 2023-12-28 23:59:55 +01:00
Added section on hardened-malloc 2023-12-29 01:54:50 +01:00			`## Blacklisting modules`
Added initial security page 2023-12-28 23:59:55 +01:00
			`WIP`
Added section on hardened-malloc 2023-12-29 01:54:50 +01:00
			`## Linux-Hardened`

			`WIP`

			`## Hardened Malloc (WIP)`

			`Musl's default memory allocator which comes with Alpine Linux is already pretty secure but not as secure as [hardened-malloc](https://github.com/GrapheneOS/hardened_malloc/):`

			```
			`# apk add hardened-malloc`
			```

			Then to set it system wide edit `/etc/ld-musl-x86_64.path`:

			```
			`/usr/lib/libhardened_malloc.so`
Updated Hardened_malloc 2023-12-29 14:58:20 +01:00			`/lib`
			`/usr/lib`
			`/usr/local/lib`
Added section on hardened-malloc 2023-12-29 01:54:50 +01:00			```

			`You can also use the light variant of hardened-malloc because the default one may not work well with some graphical applications:`

			```
			`/usr/lib/libhardened_malloc-light.so`
			```
Updated fstab and added entropy 2023-12-29 15:42:12 +01:00
			`## Entropy`

			Improve the security of the system by improving the entropy and thus randomness. Install `jitterentropy-library`:

			```
			`# apk add jitterentropy-library`
			```

			And create a config file in `/usr/lib/modules-load.d/jitterentropy.conf` so that the kernel module gets loaded:

			```
			`jitterentropy_rng`
			```
Added section on login pam 2023-12-29 17:06:13 +01:00
			`## PAM`

			`There are a few changes that can be made to improve login protection.`

			Delays can be a deterent against bruteforcing login attempts. Simply add this line to it's corresponding section in `/etc/pam.d/login`:

			```
			`auth optional pam_faildelay.so delay=5000000`
			```

			`Which will add a 5 second delay between login attempts.`

			The system can also enforce strong passwords with PAM with `libpwquality` which has to be installed first:

			```
			`# apk add libpwquality`
			```

			Then configure `/etc/pam.d/passwd`, you can configure it to your [liking](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam), but these settings should do:

			```
			`password required pam_pwquality.so retry=2 minlen=10 difok=0 dcredit=0 ucredit=1 lcredit=0 ocredit=0 enforce_for_root`
			`password required pam_unix.so use_authtok sha512 shadow nullok rounds=1000000`
			```

			`Then change your password so that its also secure:`

			```
			`$ passwd`
			```