From 041d5737843454068aad1283d6a5e81d449274f3 Mon Sep 17 00:00:00 2001
From: Tastatur
Date: Fri, 29 Dec 2023 15:42:12 +0100
Subject: [PATCH] Updated fstab and added entropy

---
 docs/alpine-desktop-setup/installation.md | 6 ++---
 .../post-install/security.md | 24 ++++++++++++++++---
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/docs/alpine-desktop-setup/installation.md b/docs/alpine-desktop-setup/installation.md
index 9fcc74d..cdf24a9 100644
--- a/docs/alpine-desktop-setup/installation.md
+++ b/docs/alpine-desktop-setup/installation.md
@@ -49,12 +49,12 @@ clock_systohc="NO"
 Edit `/etc/fstab` for correct mounts:
 
 ```
-/dev/disk/by-label/efi /boot/efi vfat defaults 0 2
+/dev/disk/by-label/efi /boot/efi vfat defaults,nodev,nosuid,noexec 0 2
 /dev/vg/root / ext4 defaults,noatime 0 1
-/dev/vg/home /home ext4 defaults,noatime,nodev 0 1
+/dev/vg/home /home ext4 defaults,noatime,nosuid,nodev 0 1
 /dev/vg/tmp /tmp ext4 defaults,nodev,nosuid,noexec 0 1
 /dev/vg/var /var ext4 defaults,nodev,nosuid,noexec 0 1
-/dev/vg/nix /nix ext4 defaults,nodev,nosuid 0 1
+/dev/vg/nix /nix ext4 defaults,noatime,nodev,nosuid 0 1
 proc /proc proc nosuid,nodev,noexec,hidepid=2 0 0
 ```
 
diff --git a/docs/alpine-desktop-setup/post-install/security.md b/docs/alpine-desktop-setup/post-install/security.md
index ede2897..c9b15d7 100644
--- a/docs/alpine-desktop-setup/post-install/security.md
+++ b/docs/alpine-desktop-setup/post-install/security.md
@@ -2,6 +2,10 @@
 There are a few things that have to be done to optimize the security of the system.
 
+Here are a few of the sources used:
+
+* [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel).
+
 ## Apparmor and LSM
 
 Apparmor is a mandatory access control (MAC) mechanism which restricts a programs capabilities. Installation is easy:
 
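Review bot: The modified `/home` and `/nix` entries keep a fsck pass number of 1 in the sixth field, which fstab(5) reserves for the root filesystem; non-root filesystems should use 2 so they are checked after `/`, e.g. `/dev/vg/home /home ext4 defaults,noatime,nosuid,nodev 0 2` (the unchanged `/tmp` and `/var` lines have the same value). The option order also differs between lines (`nosuid,nodev` on `/home`, `nodev,nosuid` everywhere else); keeping a single order makes the hardening intent easier to audit at a glance. A sentence above the block explaining the choice of flags per mount point would help readers who copy it, since `/home` receives `nosuid,nodev` but not `noexec` while `/tmp` and `/var` receive all three, and the ESP line now carries all three as well.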
@@ -33,7 +37,7 @@ You can check the status of apparmor using `apparmor-utils`:
 
 ## Cmdline
 
-There are a lot of kernel settings which can be passed to the command line to make a system more secure. [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel) describes each of their function and how they improve security of the system so lets add them to `/etc/kernel-hooks/secureboot.conf`:
+There are a lot of kernel settings which can be passed to the command line to make a system more secure. So lets add them to `/etc/kernel-hooks/secureboot.conf`:
 
 ```
 cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot"
@@ -45,7 +49,7 @@ After reconfiguring `kernel-hooks` try to reboot and it should boot. Although th
 
 ## Sysctl
 
-More kernel settings can be configured through sysctl. All these settings are also explained on [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel). Edit the file `/etc/sysctl.d/main.conf`:
+More kernel settings can be configured through sysctl. Edit the file `/etc/sysctl.d/main.conf`:
 
 ```
 # Main security configuration.
@@ -60,6 +64,7 @@ dev.tty.ldisc_autoload=0
 kernel.kexec_load_disabled=1
 kernel.sysrq=0
 kernel.perf_event_paranoid=3
+random.trust_cpu=off
 
 ## Network
 net.ipv4.tcp_syncookies=1
@@ -90,7 +95,6 @@ fs.protected_regular=2
 
 ## For hardened_malloc
 vm.max_map_count=1048576
-
 ```
 
 This list is still incomplete.
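Review bot: `random.trust_cpu=off`, added to the sysctl block, is a kernel command-line parameter rather than a sysctl key; there is no `/proc/sys/random/trust_cpu`, so `sysctl --system` will report an error for `/etc/sysctl.d/main.conf` and the setting never takes effect. It belongs in the `cmdline=` string in `/etc/kernel-hooks/secureboot.conf` shown in the Cmdline hunk above, e.g. appended as `... rd.emergency=reboot random.trust_cpu=off"`. While editing that line, note that the existing `l1ft=flush` token appears to be a typo for the `l1tf=` parameter, so the intended L1TF mitigation setting is presumably not being applied either; worth confirming against `/proc/cmdline` and the mitigation status in `/sys/devices/system/cpu/vulnerabilities/` on the target.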
@@ -125,3 +129,17 @@ You can also use the light variant of hardened-malloc because the default one ma
 ```
 /usr/lib/libhardened_malloc-light.so
 ```
+
+## Entropy
+
+Improve the security of the system by improving the entropy and thus randomness. Install `jitterentropy-library`:
+
+```
+# apk add jitterentropy-library
+```
+
+And create a config file in `/usr/lib/modules-load.d/jitterentropy.conf` so that the kernel module gets loaded:
+
+```
+jitterentropy_rng
+```
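Review bot: The `jitterentropy-library` package installed here is the user-space libjitterentropy, while the `jitterentropy_rng` module loaded by the new modules-load.d file is part of the kernel's crypto API and ships with the kernel package, so the two steps are independent and the text should not present the package as what makes the module available. Loading `jitterentropy_rng` registers a CPU-jitter seed source for kernel crypto-API DRBGs rather than directly feeding the pool behind `/dev/random` and `getrandom()`, so the sentence `Improve the security of the system by improving the entropy and thus randomness.` overstates the effect; a more accurate lead-in is `Load the jitterentropy_rng module so kernel crypto-API RNGs can be seeded from CPU timing jitter:`. The config file is placed under `/usr/lib/modules-load.d/`, which is the vendor directory; administrator configuration normally goes in `/etc/modules-load.d/jitterentropy.conf`, and whether Alpine's OpenRC `modules` service reads the `/usr/lib` directory at all should be verified before recommending it.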