2023-12-28 23:59:55 +01:00
# Security
There are a few things that have to be done to optimize the security of the system.
## Apparmor and LSM
AppArmor is a mandatory access control (MAC) mechanism which restricts a program's capabilities. Installation is easy:
```
# apk add apparmor apparmor-profiles
# rc-update add apparmor default
```
Add apparmor and other "Linux Security Modules" to the `cmdline` in `/etc/kernel-hooks/secureboothook.conf`:
```
cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"
```
Then reconfigure `kernel-hooks` and reboot for it to take effect:
```
# apk fix kernel-hooks
# reboot
```
You can check the status of apparmor using `apparmor-utils`:
```
# apk add apparmor-utils
# aa-status
```
## Cmdline
There are a lot of kernel settings which can be passed on the command line to make a system more secure. The [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel) describes what each of them does and how it improves the security of the system, so let's add them to `/etc/kernel-hooks/secureboot.conf`:
```
cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 iommu=force spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1tf=flush"
```
After reconfiguring `kernel-hooks`, reboot; the system should come up normally. There are more options that might make the system more secure, but most of them come with a big performance hit, so these settings should do for now.
## Sysctl
More kernel settings can be configured through sysctl. All these settings are also explained on the [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel). Edit the file `/etc/sysctl.d/main.conf`:
```
# Main security configuration.
## Kernel
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.printk=3 3 3 3
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
dev.tty.ldisc_autoload=0
vm.unprivileged_userfaultfd=0
kernel.kexec_load_disabled=1
kernel.sysrq=0
kernel.perf_event_paranoid=3
## Network
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
## User space
kernel.yama.ptrace_scope=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
fs.protected_symlinks=1
fs.protected_hardlinks=1
fs.protected_fifos=2
fs.protected_regular=2
```
This list is still incomplete.
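
To confirm after a reboot that the values in `/etc/sysctl.d/main.conf` are really in effect, the following added example (not part of the original page) compares a sysctl.d file with what the kernel reports under `/proc/sys`. The function name `check_sysctl` and its output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: report sysctl keys whose live value differs from the
# configured one, or which the running kernel does not expose at all.
# Usage: sh check-sysctl.sh /etc/sysctl.d/main.conf

# Collapse tabs/newlines/repeated spaces so "3\t3\t3\t3" equals "3 3 3 3".
norm() { tr '\t\n' '  ' | tr -s ' ' | sed 's/^ //; s/ $//'; }

# check_sysctl <conf-file> [proc-sys-root]; returns 0 only when nothing drifted.
check_sysctl() {
    conf=$1
    root=${2:-/proc/sys}
    drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|';'*) continue ;;   # blank lines and comments
            *=*) ;;                     # key=value, handled below
            *) continue ;;              # anything else is ignored
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | norm)
        # kernel.kptr_restrict lives at <root>/kernel/kptr_restrict
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "MISSING  $key (not exposed by this kernel)"
            drift=$((drift + 1))
            continue
        fi
        have=$(norm < "$path")
        if [ "$have" != "$want" ]; then
            echo "DRIFT    $key: want '$want', kernel has '$have'"
            drift=$((drift + 1))
        fi
    done < "$conf"
    [ "$drift" -eq 0 ]
}

# Run the check when a config file is given on the command line.
if [ "$#" -gt 0 ]; then check_sysctl "$@"; fi
```

A `MISSING` line usually means the running kernel was built without that feature or has dropped the knob, so the setting in the file has no effect there.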
## Hardened Malloc
WIP