1.6 KiB
Security
There are a few things that have to be done to optimize the security of the system.
Apparmor and LSM
Apparmor is a mandatory access control (MAC) mechanism which restricts a programs capabilities. Installation is easy:
# apk add apparmor apparmor-profiles
# rc-update add apparmor default
Add apparmor and other "Linux Security Modules" to the cmdline in /etc/kernel-hooks/secureboothook.conf:
cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"
Then reconfigure kernel-hooks and reboot for it to take effect:
# apk fix kernel-hooks
# reboot
You can check the status of apparmor using apparmor-utils:
# apk add apparmor-utils
# aa-status
Cmdline
There are a lot of kernel settings which can be passed to the command line to make a system more secure. Madaidans-insecurities page describes each of their function and how they improve security of the system so lets add them to /etc/kernel-hooks/secureboot.conf:
cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 iommu=force spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush"
After reconfiguring kernel-hooks try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now.
Sysctl
WIP
Hardened Malloc
WIP