Removed an error.

This commit is contained in:
Luc Bijl 2024-08-10 22:34:26 +02:00
parent 822f0bd55e
commit fa630a1109
3 changed files with 210 additions and 3 deletions

@ -1 +0,0 @@
alpine-desktop-setup/post-install/drivers.md

@ -0,0 +1,15 @@
# Firmware and drivers
Device firmware and drivers are necessary for graphics and also security. Luckily the graphics drivers will be installed through `home-manager` which now only leaves the CPU firmware. For Intel systems install `intel-ucode` and for AMD systems install `amd-ucode`:
```
# apk add intel-ucode
<or>
# apk add amd-ucode
```
To make sure it is included during boot, regenerate the initramfs with:
```
# apk fix kernel-hooks
```
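Review bot: the `<or>` line inside the fenced block at the top of this hunk reads as a third command to type; a shell comment before the second `apk add` (for example `# or, on AMD systems:`) would make it clear that exactly one of the two packages is installed. The paragraph already says which package goes with which vendor, so the block only needs to match it.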

@ -1 +0,0 @@
alpine-desktop-setup/post-install/security.md

@ -0,0 +1,170 @@
# Security
There are a few things that have to be done to optimize the security of the system. Some of the sources used are listed below.
* [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel).
* [PlagueOS](https://0xacab.org/optout/plagueos/-/wikis/Security-Considerations)
## Apparmor and LSM
Apparmor is a mandatory access control mechanism that may restrict the capabilities of a program, install it via:
```
# apk add apparmor apparmor-profiles
# rc-update add apparmor default
```
Add apparmor and other "Linux Security Modules" to the `cmdline` in `/etc/kernel-hooks.d/secureboothook.conf`:
```
cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"
```
Then reconfigure `kernel-hooks` and reboot for it to take effect:
```
# apk fix kernel-hooks
# reboot
```
You can check the status of apparmor using `apparmor-utils`:
```
# apk add apparmor-utils
# aa-status
```
## Kernel settings
### Commandline
There are a lot of kernel settings which can be passed to the command line to make a system more secure. So lets add them to `/etc/kernel-hooks/secureboot.conf`.
```
cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot"
```
After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now.
> Whilst booting up your system you may see sysctl complaining about ipv6 settings. [We are trying to resolve the problem](https://git.bijl.us/lnco/documentation/issues/30).
### Sysctl
More kernel settings can be configured through sysctl. Edit `/etc/sysctl.d/main.conf`:
```
# Main security configuration.
## Kernel
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.printk=3 3 3 3
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
dev.tty.ldisc_autoload=0
kernel.kexec_load_disabled=1
kernel.sysrq=0
kernel.perf_event_paranoid=3
## Network
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
## User space
kernel.yama.ptrace_scope=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
fs.protected_symlinks=1
fs.protected_hardlinks=1
fs.protected_fifos=2
fs.protected_regular=2
## For hardened_malloc
vm.max_map_count=1048576
```
This list is most likely still incomplete but should be good enough for now.
## Blacklisting modules
Work in progress.
## Linux-Hardened
Work in progress.
## Hardened Malloc (WIP)
The default memory allocator of Musl is already reasonably secure but not as secure as [hardened-malloc](https://github.com/GrapheneOS/hardened_malloc/):
```
# apk add hardened-malloc
```
Then to set it system-wide edit `/etc/ld-musl-x86_64.path`:
```
/usr/lib/libhardened_malloc.so
/lib
/usr/lib
/usr/local/lib
```
The light variant of hardened-malloc may also be used instead of the default when problems with graphical applications occur.
```
/usr/lib/libhardened_malloc-light.so
```
## Entropy
Improve the security of the system by increasing the entropy. Install `jitterentropy-library`:
```
# apk add jitterentropy-library
```
and create a config file in `/etc/modules-load.d/jitterentropy.conf` so that the kernel module gets loaded:
```
jitterentropy_rng
```
## PAM
There are a few changes that can be made to improve login protection.
First install PAM through `util-linux-login`:
```
# apk add util-linux-login
```
Delays can be a deterent against bruteforcing login attempts. Simply add the following to the line in `/etc/pam.d/login`:
```
auth optional pam_faildelay.so delay=5000000
```
which will add a 5 second delay between login attempts.
The system can also enforce a stronger hash algorithm for a more secure login protector. Edit the file `/etc/pam.d/base-password` and add the line:
```
password required pam_unix.so nullock sha512 shadow rounds=1000000
```
> If an account has already been created then change your password so that it is also secure with: `passwd <username>`. When creating a password make sure that it is at least 8 characters long.
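Review bot: `l1ft=flush` in the cmdline block under `### Commandline` is a typo for `l1tf=flush` (L1 Terminal Fault); the kernel does not recognise the misspelled parameter, so the intended setting is never applied. In the same block, `rd.shell=0` and `rd.emergency=reboot` are dracut options and, as far as I can tell, are not parsed by Alpine's mkinitfs init, so they can be dropped. The hook config path is given as `/etc/kernel-hooks.d/secureboothook.conf` in the Apparmor section but as `/etc/kernel-hooks/secureboot.conf` in the Commandline section; pick the file the secureboot hook actually reads and use it in both places. In the PAM section, `nullock` in the `pam_unix.so` line is not a valid option: the option is `nullok`, and because it permits accounts with an empty password to log in it should be removed from a hardening guide rather than corrected. `rounds=1000000` also makes every password check and `passwd` run take on the order of seconds on typical hardware; either document that trade-off or lower the value.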

@ -1 +0,0 @@
alpine-desktop-setup/post-install/swap.md

@ -0,0 +1,25 @@
# Swap
Because a Linux system requires swap to function properly install `zram-init`. To keep it simple, it will utilise RAM to store compressed swap.
Install it with:
```
# apk add zram-init
# rc-update add zram-init default
```
`zram-init` can be configured in `/etc/conf.d/zram-init`. The amount of devices and the size of zram can be changed here, for example:
```
num_devices=1
# swap - 500M
#size0=512
size0=`LC_ALL=C free -m | awk '/^mem:/{print int($2/4)}'`
```
Now the size of the swap device will be one fourth of the ram size. Reboot the computer or restart the service to check if it works.
Also be sure to read the [ArchWiki](https://wiki.archlinux.org/title/Zram) for more information.
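Review bot: the `size0=` line in the `/etc/conf.d/zram-init` example never matches: `free -m` prints the memory row as `Mem:` with a capital M (also under `LC_ALL=C`), so `awk '/^mem:/{print int($2/4)}'` outputs nothing and `size0` ends up empty instead of a quarter of RAM. Use `/^Mem:/` instead. The comment `# swap - 500M` above the commented-out `#size0=512` should also agree with the number beside it, and the opening claim that a Linux system "requires swap to function properly" is stronger than the rest of the page supports; "benefits from swap" would be more accurate.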