documentation/docs/alpine-desktop-setup/post-install/security.md
2023-12-29 00:11:24 +01:00

1.6 KiB

Security

There are a few things that have to be done to optimize the security of the system.

Apparmor and LSM

Apparmor is a mandatory access control (MAC) mechanism which restricts a programs capabilities. Installation is easy:

# apk add apparmor apparmor-profiles
# rc-update add apparmor default

Add apparmor and other "Linux Security Modules" to the cmdline in /etc/kernel-hooks/secureboothook.conf:

cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"

Then reconfigure kernel-hooks and reboot for it to take effect:

# apk fix kernel-hooks
# reboot

You can check the status of apparmor using apparmor-utils:

# apk add apparmor-utils
# aa-status

Cmdline

There are a lot of kernel settings which can be passed to the command line to make a system more secure. Madaidans-insecurities page describes each of their function and how they improve security of the system so lets add them to /etc/kernel-hooks/secureboot.conf:

cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 iommu=force spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush"

After reconfiguring kernel-hooks try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now.

Sysctl

WIP

Hardened Malloc

WIP