From fa630a1109d4c793246d709a3ab9dd4ed8cdfc15 Mon Sep 17 00:00:00 2001 From: Luc Date: Sat, 10 Aug 2024 22:34:26 +0200 Subject: [PATCH] Removed an error. --- .../post-install/drivers.md | 16 +- .../post-install/security.md | 171 +++++++++++++++++- docs/alpine-server-setup/post-install/swap.md | 26 ++- 3 files changed, 210 insertions(+), 3 deletions(-) mode change 120000 => 100644 docs/alpine-server-setup/post-install/drivers.md mode change 120000 => 100644 docs/alpine-server-setup/post-install/security.md mode change 120000 => 100644 docs/alpine-server-setup/post-install/swap.md diff --git a/docs/alpine-server-setup/post-install/drivers.md b/docs/alpine-server-setup/post-install/drivers.md deleted file mode 120000 index 848471e..0000000 --- a/docs/alpine-server-setup/post-install/drivers.md +++ /dev/null @@ -1 +0,0 @@ -alpine-desktop-setup/post-install/drivers.md \ No newline at end of file diff --git a/docs/alpine-server-setup/post-install/drivers.md b/docs/alpine-server-setup/post-install/drivers.md new file mode 100644 index 0000000..88376ea --- /dev/null +++ b/docs/alpine-server-setup/post-install/drivers.md @@ -0,0 +1,15 @@ +# Firmware and drivers + +Device firmware and drivers are necessary for graphics and also security. Luckily the graphics drivers will be installed through `home-manager` which now only leaves the CPU firmware. For Intel systems install `intel-ucode` and for AMD systems install `amd-ucode`: + +``` +# apk add intel-ucode + +# apk add amd-ucode +``` + +To make sure it is included during boot, regenerate the initramfs with: + +``` +# apk fix kernel-hooks +``` diff --git a/docs/alpine-server-setup/post-install/security.md b/docs/alpine-server-setup/post-install/security.md deleted file mode 120000 index 988cd0a..0000000 --- a/docs/alpine-server-setup/post-install/security.md +++ /dev/null @@ -1 +0,0 @@ -alpine-desktop-setup/post-install/security.md \ No newline at end of file 
diff --git a/docs/alpine-server-setup/post-install/security.md b/docs/alpine-server-setup/post-install/security.md new file mode 100644 index 0000000..6afd2c8 --- /dev/null +++ b/docs/alpine-server-setup/post-install/security.md 
@@ -0,0 +1,170 @@ +# Security + +There are a few things that have to be done to optimize the security of the system. Some of the sources used are listed below. + +* [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel). +* [PlagueOS](https://0xacab.org/optout/plagueos/-/wikis/Security-Considerations) + +## Apparmor and LSM + +Apparmor is a mandatory access control mechanism that may restrict the capabilities of a program, install it via: + +``` +# apk add apparmor apparmor-profiles +# rc-update add apparmor default +``` + +Add apparmor and other "Linux Security Modules" to the `cmdline` in `/etc/kernel-hooks.d/secureboothook.conf`: + +``` +cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor" +``` + +Then reconfigure `kernel-hooks` and reboot for it to take effect: + +``` +# apk fix kernel-hooks +# reboot +``` + +You can check the status of apparmor using `apparmor-utils`: + +``` +# apk add apparmor-utils +# aa-status +``` +## Kernel settings + +### Commandline + +There are a lot of kernel settings which can be passed to the command line to make a system more secure. So lets add them to `/etc/kernel-hooks/secureboot.conf`. + +``` +cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot" +``` + +After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now. + +> Whilst booting up your system you may see sysctl complaining about ipv6 settings. 
[We are trying to resolve the problem](https://git.bijl.us/lnco/documentation/issues/30). + +### Sysctl + +More kernel settings can be configured through sysctl. Edit `/etc/sysctl.d/main.conf`: + +``` +# Main security configuration. + +## Kernel +kernel.kptr_restrict=2 +kernel.dmesg_restrict=1 +kernel.printk=3 3 3 3 +kernel.unprivileged_bpf_disabled=1 +net.core.bpf_jit_harden=2 +dev.tty.ldisc_autoload=0 +kernel.kexec_load_disabled=1 +kernel.sysrq=0 +kernel.perf_event_paranoid=3 + +## Network +net.ipv4.tcp_syncookies=1 +net.ipv4.tcp_rfc1337=1 +net.ipv4.conf.all.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 +net.ipv4.conf.all.accept_redirects=0 +net.ipv4.conf.default.accept_redirects=0 +net.ipv4.conf.all.secure_redirects=0 +net.ipv4.conf.default.secure_redirects=0 +net.ipv4.conf.all.send_redirects=0 +net.ipv4.conf.default.send_redirects=0 +net.ipv4.icmp_echo_ignore_all=1 +net.ipv4.conf.all.accept_source_route=0 +net.ipv4.conf.default.accept_source_route=0 +net.ipv4.tcp_sack=0 +net.ipv4.tcp_dsack=0 +net.ipv4.tcp_fack=0 + +## User space +kernel.yama.ptrace_scope=2 +vm.mmap_rnd_bits=32 +vm.mmap_rnd_compat_bits=16 +fs.protected_symlinks=1 +fs.protected_hardlinks=1 +fs.protected_fifos=2 +fs.protected_regular=2 + +## For hardened_malloc +vm.max_map_count=1048576 +``` + +This list is most likely still incomplete but should be good enough for now. + +## Blacklisting modules + +Work in progress. + +## Linux-Hardened + +Work in progress. + +## Hardened Malloc (WIP) + +The default memory allocator of Musl is already reasonably secure but not as secure as [hardened-malloc](https://github.com/GrapheneOS/hardened_malloc/): + +``` +# apk add hardened-malloc +``` + +Then to set it system-wide edit `/etc/ld-musl-x86_64.path`: + +``` +/usr/lib/libhardened_malloc.so +/lib +/usr/lib +/usr/local/lib +``` + +The light variant of hardened-malloc may also be used instead of the default when problems with graphical applications occur. 
+ +``` +/usr/lib/libhardened_malloc-light.so +``` + +## Entropy + +Improve the security of the system by increasing the entropy. Install `jitterentropy-library`: + +``` +# apk add jitterentropy-library +``` + +and create a config file in `/etc/modules-load.d/jitterentropy.conf` so that the kernel module gets loaded: + +``` +jitterentropy_rng +``` + +## PAM + +There are a few changes that can be made to improve login protection. + +First install PAM through `util-linux-login`: + +``` +# apk add util-linux-login +``` + +Delays can be a deterent against bruteforcing login attempts. Simply add the following to the line in `/etc/pam.d/login`: + +``` +auth optional pam_faildelay.so delay=5000000 +``` + +which will add a 5 second delay between login attempts. + +The system can also enforce a stronger hash algorithm for a more secure login protector. Edit the file `/etc/pam.d/base-password` and add the line: + +``` +password required pam_unix.so nullock sha512 shadow rounds=1000000 +``` + +> If an account has already been created then change your password so that it is also secure with: `passwd `. When creating a password make sure that it is at least 8 characters long. diff --git a/docs/alpine-server-setup/post-install/swap.md b/docs/alpine-server-setup/post-install/swap.md deleted file mode 120000 index 2cba21c..0000000 --- a/docs/alpine-server-setup/post-install/swap.md +++ /dev/null @@ -1 +0,0 @@ -alpine-desktop-setup/post-install/swap.md \ No newline at end of file diff --git a/docs/alpine-server-setup/post-install/swap.md b/docs/alpine-server-setup/post-install/swap.md new file mode 100644 index 0000000..08e5986 --- /dev/null +++ b/docs/alpine-server-setup/post-install/swap.md 
@@ -0,0 +1,25 @@ +# Swap + +Because a Linux system requires swap to function properly install `zram-init`. To keep it simple, it will utilise RAM to store compressed swap. + +Install it with: + +``` +# apk add zram-init +# rc-update add zram-init default +``` + +`zram-init` can be configured in `/etc/conf.d/zram-init`. The amount of devices and the size of zram can be changed here, for example: + +``` +num_devices=1 + +# swap - 500M + +#size0=512 +size0=`LC_ALL=C free -m | awk '/^mem:/{print int($2/4)}'` +``` + +Now the size of the swap device will be one fourth of the ram size. Reboot the computer or restart the service to check if it works. + +Also be sure to read the [ArchWiki](https://wiki.archlinux.org/title/Zram) for more information.
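Review bot: the three symlink deletions (`drivers.md`, `security.md`, `swap.md`, mode change 120000 => 100644) replace links to the `alpine-desktop-setup` pages with independent copies, so the server and desktop docs will drift from here on; if a server-specific variant is the intent, say so in the commit message, which currently reads only "Removed an error." and does not describe a change of 210 inserted lines across three files.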
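Review bot: the new server `drivers.md` still carries desktop wording: "Luckily the graphics drivers will be installed through `home-manager`" is unlikely to apply to a headless Alpine server, and the single fenced block listing both `# apk add intel-ucode` and `# apk add amd-ucode` reads as if both should be run; state that only the package matching the CPU vendor is installed, and that the `apk fix kernel-hooks` step is what puts the microcode into the initramfs so it is applied at early boot.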
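Review bot: two options in the `security.md` hunk are misspelled and will be silently ignored: in the `cmdline=` block `l1ft=flush` should be `l1tf=flush` (the L1 Terminal Fault mitigation), and in the `/etc/pam.d/base-password` line `password required pam_unix.so nullock sha512 shadow rounds=1000000` the option is `nullok`, not `nullock`; since `nullok` permits empty passwords, which runs against the section's goal, consider dropping it rather than correcting the spelling. The hunk also names the kernel-hooks config two different ways, `/etc/kernel-hooks.d/secureboothook.conf` under Apparmor and `/etc/kernel-hooks/secureboot.conf` under Commandline; pick one. In the Hardened Malloc section, `/etc/ld-musl-x86_64.path` is a list of library search directories (the other entries are `/lib`, `/usr/lib`, `/usr/local/lib`), so an entry naming a file, `/usr/lib/libhardened_malloc.so`, should be checked against how musl actually preloads an allocator before the WIP label comes off.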
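Review bot: the `size0` default in the `swap.md` hunk will not work as written: `size0=\`LC_ALL=C free -m | awk '/^mem:/{print int($2/4)}'\`` matches lines beginning with lowercase `mem:`, but `free` prints `Mem:` with a capital M, so awk prints nothing and `size0` ends up empty; use `/^Mem:/`. The opening sentence "Because a Linux system requires swap to function properly" also overstates the case, since swap is optional; "benefits from" would be accurate, with the compressed-RAM rationale already given in the next sentence.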