Removed an error.

2024-08-10 22:34:26 +02:00 · 2024-08-10 22:34:26 +02:00 · fa630a1109
commit fa630a1109
parent 822f0bd55e
3 changed files with 210 additions and 3 deletions
--- a/docs/alpine-server-setup/post-install/drivers.md
+++ b/docs/alpine-server-setup/post-install/drivers.md
@ -1 +0,0 @@
-alpine-desktop-setup/post-install/drivers.md
--- a/docs/alpine-server-setup/post-install/drivers.md
+++ b/docs/alpine-server-setup/post-install/drivers.md
@ -0,0 +1,15 @@
+# Firmware and drivers
+
+Device firmware and drivers are necessary for graphics and also security. Luckily the graphics drivers will be installed through `home-manager` which now only leaves the CPU firmware. For Intel systems install `intel-ucode` and for AMD systems install `amd-ucode`:
+
+```
+# apk add intel-ucode
+<or>
+# apk add amd-ucode
+```
+
+To make sure it is included during boot, regenerate the initramfs with:
+
+```
+# apk fix kernel-hooks
+```
--- a/docs/alpine-server-setup/post-install/security.md
+++ b/docs/alpine-server-setup/post-install/security.md
@ -1 +0,0 @@
-alpine-desktop-setup/post-install/security.md
--- a/docs/alpine-server-setup/post-install/security.md
+++ b/docs/alpine-server-setup/post-install/security.md
@ -0,0 +1,170 @@
+# Security
+
+There are a few things that have to be done to optimize the security of the system. Some of the sources used are listed below.
+
+* [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel).
+* [PlagueOS](https://0xacab.org/optout/plagueos/-/wikis/Security-Considerations)
+
+## Apparmor and LSM
+
+Apparmor is a mandatory access control mechanism that may restrict the capabilities of a program, install it via:
+
+```
+# apk add apparmor apparmor-profiles
+# rc-update add apparmor default
+```
+
+Add apparmor and other "Linux Security Modules" to the `cmdline` in `/etc/kernel-hooks.d/secureboothook.conf`:
+
+```
+cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"
+```
+
+Then reconfigure `kernel-hooks` and reboot for it to take effect:
+
+```
+# apk fix kernel-hooks
+# reboot
+```
+
+You can check the status of apparmor using `apparmor-utils`:
+
+```
+# apk add apparmor-utils
+# aa-status
+```
+## Kernel settings 
+
+### Commandline
+
+There are a lot of kernel settings which can be passed to the command line to make a system more secure. So lets add them to `/etc/kernel-hooks/secureboot.conf`.
+
+```
+cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot"
+```
+
+After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now. 
+
+> Whilst booting up your system you may see sysctl complaining about ipv6 settings. [We are trying to resolve the problem](https://git.bijl.us/lnco/documentation/issues/30).
+
+### Sysctl
+
+More kernel settings can be configured through sysctl. Edit `/etc/sysctl.d/main.conf`:
+
+```
+# Main security configuration.
+
+## Kernel
+kernel.kptr_restrict=2
+kernel.dmesg_restrict=1
+kernel.printk=3 3 3 3
+kernel.unprivileged_bpf_disabled=1
+net.core.bpf_jit_harden=2
+dev.tty.ldisc_autoload=0
+kernel.kexec_load_disabled=1
+kernel.sysrq=0
+kernel.perf_event_paranoid=3
+
+## Network
+net.ipv4.tcp_syncookies=1
+net.ipv4.tcp_rfc1337=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.icmp_echo_ignore_all=1
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv4.tcp_sack=0
+net.ipv4.tcp_dsack=0
+net.ipv4.tcp_fack=0
+
+## User space
+kernel.yama.ptrace_scope=2
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+fs.protected_symlinks=1
+fs.protected_hardlinks=1
+fs.protected_fifos=2
+fs.protected_regular=2
+
+## For hardened_malloc
+vm.max_map_count=1048576
+```
+
+This list is most likely still incomplete but should be good enough for now.
+
+## Blacklisting modules
+
+Work in progress.
+
+## Linux-Hardened
+
+Work in progress.
+
+## Hardened Malloc (WIP)
+
+The default memory allocator of Musl is already reasonably secure but not as secure as [hardened-malloc](https://github.com/GrapheneOS/hardened_malloc/):
+
+```
+# apk add hardened-malloc
+```
+
+Then to set it system-wide edit `/etc/ld-musl-x86_64.path`:
+
+```
+/usr/lib/libhardened_malloc.so
+/lib
+/usr/lib
+/usr/local/lib
+```
+
+The light variant of hardened-malloc may also be used instead of the default when problems with graphical applications occur.
+
+```
+/usr/lib/libhardened_malloc-light.so
+```
+
+## Entropy
+
+Improve the security of the system by increasing the entropy. Install `jitterentropy-library`:
+
+```
+# apk add jitterentropy-library
+```
+
+and create a config file in `/etc/modules-load.d/jitterentropy.conf` so that the kernel module gets loaded:
+
+```
+jitterentropy_rng
+```
+
+## PAM
+
+There are a few changes that can be made to improve login protection.
+
+First install PAM through `util-linux-login`:
+
+```
+# apk add util-linux-login
+```
+
+Delays can be a deterent against bruteforcing login attempts. Simply add the following to the line in `/etc/pam.d/login`:
+
+```
+auth optional pam_faildelay.so delay=5000000
+```
+
+which will add a 5 second delay between login attempts.
+
+The system can also enforce a stronger hash algorithm for a more secure login protector. Edit the file `/etc/pam.d/base-password` and add the line:
+
+```
+password required pam_unix.so nullock sha512 shadow rounds=1000000
+``` 
+
+> If an account has already been created then change your password so that it is also secure with: `passwd <username>`. When creating a password make sure that it is at least 8 characters long.
--- a/docs/alpine-server-setup/post-install/swap.md
+++ b/docs/alpine-server-setup/post-install/swap.md
@ -1 +0,0 @@
-alpine-desktop-setup/post-install/swap.md
--- a/docs/alpine-server-setup/post-install/swap.md
+++ b/docs/alpine-server-setup/post-install/swap.md
@ -0,0 +1,25 @@
+# Swap
+
+Because a Linux system requires swap to function properly install `zram-init`. To keep it simple, it will utilise RAM to store compressed swap.
+
+Install it with:
+
+```
+# apk add zram-init
+# rc-update add zram-init default
+```
+
+`zram-init` can be configured in `/etc/conf.d/zram-init`. The amount of devices and the size of zram can be changed here, for example:
+
+```
+num_devices=1
+
+# swap - 500M
+
+#size0=512
+size0=`LC_ALL=C free -m | awk '/^mem:/{print int($2/4)}'`
+```
+
+Now the size of the swap device will be one fourth of the ram size. Reboot the computer or restart the service to check if it works.
+
+Also be sure to read the [ArchWiki](https://wiki.archlinux.org/title/Zram) for more information.
				`@ -1 +0,0 @@`
				`alpine-desktop-setup/post-install/drivers.md`
				`@ -1 +0,0 @@`
				`alpine-desktop-setup/post-install/security.md`