documentation/docs/alpine-desktop-setup/post-install/security.md

Security

There are a few things that have to be done to optimize the security of the system.

Here are a few of the sources used:

Apparmor and LSM

Apparmor is a mandatory access control (MAC) mechanism which restricts a program's capabilities. Installation is easy:

# apk add apparmor apparmor-profiles
# rc-update add apparmor default

Add apparmor and other "Linux Security Modules" to the cmdline in /etc/kernel-hooks/secureboothook.conf:

cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"

Then reconfigure kernel-hooks and reboot for it to take effect:

# apk fix kernel-hooks
# reboot

You can check the status of apparmor using apparmor-utils:

# apk add apparmor-utils
# aa-status

Cmdline

There are a lot of kernel settings which can be passed on the command line to make a system more secure. So let's add them to /etc/kernel-hooks/secureboot.conf:

cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1tf=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot"

After reconfiguring kernel-hooks, reboot; the system should still boot with these options. There are more options that could harden the system further, but most of them come with a large performance hit, so these settings should do for now.

While booting you may see sysctl complaining about ipv6 settings. It's being worked on.

Sysctl

More kernel settings can be configured through sysctl. Edit the file /etc/sysctl.d/main.conf:

# Main security configuration.

## Kernel
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.printk=3 3 3 3
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
dev.tty.ldisc_autoload=0
kernel.kexec_load_disabled=1
kernel.sysrq=0
kernel.perf_event_paranoid=3
random.trust_cpu=off

## Network
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0

## User space
kernel.yama.ptrace_scope=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
fs.protected_symlinks=1
fs.protected_hardlinks=1
fs.protected_fifos=2
fs.protected_regular=2

## For hardened_malloc
vm.max_map_count=1048576

This list is still incomplete.
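After a reboot it is worth confirming that the kernel actually received the options from the Cmdline section and that every key in /etc/sysctl.d/main.conf took effect, since a misspelled option is silently ignored by the kernel. The following audit script is an added example and not part of this guide; the script name harden-audit.sh and the SYSCTL_ROOT and CMDLINE_FILE override variables are my own choices, used so the functions can be exercised against constructed files. A key that has no file under /proc/sys is reported as MISSING; random.trust_cpu, for instance, is a kernel command-line parameter rather than a sysctl, so the script flags it.

```shell
#!/bin/sh
# harden-audit.sh -- added example, not part of the original guide.
# Compares the boot options in cmdline="..." of a kernel-hooks conf file with
# /proc/cmdline, and the keys in a sysctl.d file with /proc/sys, so that a
# missing or misspelled option is noticed instead of silently ignored.
# SYSCTL_ROOT and CMDLINE_FILE may be set to read constructed files instead.

# Extract the value of the (last) cmdline="..." line from a kernel-hooks conf.
read_hook_cmdline() {
    sed -n 's/^[[:space:]]*cmdline="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Report the expected tokens that are absent from the running kernel's cmdline.
# Tokens are compared whole, so "pti=on" is not satisfied by "pti=off".
check_cmdline() {
    expected=$1
    file=${CMDLINE_FILE:-/proc/cmdline}
    actual=" $(tr -s '[:space:]' ' ' < "$file") "
    missing=""
    for tok in $expected; do
        case "$actual" in
            *" $tok "*) ;;
            *) missing="$missing $tok" ;;
        esac
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    echo "missing from cmdline: $missing"
    return 1
}

# Print one "key value" pair per line from a sysctl.d-style file: comments,
# blank lines and whitespace around '=' are dropped, and a value containing
# spaces (kernel.printk=3 3 3 3) is kept whole.
parse_sysctl_conf() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/ /' "$1"
}

# Compare every key in a sysctl.d file with the live value under /proc/sys.
# Prints MISMATCH/MISSING lines and returns 1 if anything differs.
check_sysctl_conf() {
    root=${SYSCTL_ROOT:-/proc/sys}
    out=$(parse_sysctl_conf "$1" | while read -r key want; do
        file="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$file" ]; then
            echo "MISSING  $key (no $file)"
            continue
        fi
        # The kernel separates multi-field values with tabs; normalise to spaces.
        have=$(tr -s '[:space:]' ' ' < "$file" | sed 's/ *$//')
        [ "$have" = "$want" ] || echo "MISMATCH $key want='$want' have='$have'"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

main() {
    status=0
    check_cmdline "$(read_hook_cmdline "${1:-/etc/kernel-hooks/secureboot.conf}")" || status=1
    check_sysctl_conf "${2:-/etc/sysctl.d/main.conf}" || status=1
    [ "$status" -eq 0 ] && echo "cmdline and sysctl match the configuration"
    return $status
}

# Run the audit when executed as a script; sourcing the file only defines functions.
case "$0" in *harden-audit*) main "$@" ;; esac
```

Run it as `sh harden-audit.sh` after every reboot that follows a cmdline or sysctl change; a non-zero exit status means at least one option did not take effect, and the MISMATCH lines show the value the kernel is actually using.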

Blacklisting modules

WIP

Linux-Hardened

WIP

Hardened Malloc (WIP)

Musl's default memory allocator, which comes with Alpine Linux, is already pretty secure, but not as secure as hardened-malloc:

# apk add hardened-malloc

Then, to set it system-wide, edit /etc/ld-musl-x86_64.path:

/usr/lib/libhardened_malloc.so
/lib
/usr/lib
/usr/local/lib

You can also use the light variant of hardened-malloc, because the default one may not work well with some graphical applications:

/usr/lib/libhardened_malloc-light.so
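Editing the path file only affects dynamically linked programs started afterwards, so the reliable way to confirm that hardened-malloc is in use is to look at which allocator library a live process has mapped, via /proc/<pid>/maps. The script below is an added example, not part of this guide or of the hardened_malloc project; the script name malloc-check.sh and the function names are my own.

```shell
#!/bin/sh
# malloc-check.sh -- added example, not part of the original guide.
# Confirms that hardened_malloc is really in use by reading the shared
# libraries mapped into a process, and lists processes still running on
# another allocator (for instance daemons started before the path file edit).

# Print the allocator a process has mapped, given its maps file:
# "hardened_malloc", "hardened_malloc-light" or "none" (musl's built-in).
malloc_variant_from_maps() {
    if grep -q '/libhardened_malloc-light\.so' "$1" 2>/dev/null; then
        echo hardened_malloc-light
    elif grep -q '/libhardened_malloc\.so' "$1" 2>/dev/null; then
        echo hardened_malloc
    else
        echo none
    fi
}

# Same check for a PID; defaults to the current shell.
malloc_variant() {
    malloc_variant_from_maps "/proc/${1:-$$}/maps"
}

# Print the allocator named in a musl path file (the first libhardened_malloc*.so
# entry), or "none" if the file only lists directories.
configured_malloc() {
    name=$(grep -m 1 -o 'libhardened_malloc[-a-z]*\.so' "$1" 2>/dev/null || true)
    if [ -z "$name" ]; then
        echo none
        return 0
    fi
    name=${name#lib}
    echo "${name%.so}"
}

# List "pid<TAB>command line" for every process that has no hardened_malloc
# variant mapped. Kernel threads have an empty maps file and are skipped, as
# are processes whose maps file is not readable by the current user.
processes_without_hardened_malloc() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        grep -q . "$maps" 2>/dev/null || continue
        [ "$(malloc_variant_from_maps "$maps")" = none ] || continue
        printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    done
}

# Report when executed as a script; sourcing the file only defines functions.
case "$0" in
    *malloc-check*)
        echo "configured: $(configured_malloc /etc/ld-musl-x86_64.path)"
        echo "this shell: $(malloc_variant)"
        echo "processes not using hardened_malloc:"
        processes_without_hardened_malloc ;;
esac
```

After switching allocators, run `sh malloc-check.sh` as root to see every long-running process that still needs a restart; the configured and live variants should agree once those have been restarted.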

Entropy

Improve the quality of the system's randomness by adding an extra entropy source. Install jitterentropy-library:

# apk add jitterentropy-library

Then create /usr/lib/modules-load.d/jitterentropy.conf so that the kernel module gets loaded at boot:

jitterentropy_rng

PAM

There are a few changes that can be made to improve login protection.

Delays can be a deterrent against brute-forcing login attempts. Simply add this line to its corresponding section in /etc/pam.d/login:

auth optional pam_faildelay.so delay=5000000

This adds a 5-second delay (the value is in microseconds) between login attempts.

The system can also enforce strong passwords through PAM with libpwquality, which has to be installed first:

# apk add libpwquality

Then configure /etc/pam.d/passwd. You can adjust it to your liking, but these settings should do:

password required pam_pwquality.so retry=2 minlen=10 difok=0 dcredit=0 ucredit=1 lcredit=0 ocredit=0 enforce_for_root
password required pam_unix.so use_authtok sha512 shadow nullok rounds=1000000

Then change your password so that it also meets these requirements:

$ passwd