Security
There are a few things that have to be done to optimize the security of the system.
Apparmor and LSM
Apparmor is a mandatory access control (MAC) mechanism which restricts a program's capabilities. Installation is easy:
# apk add apparmor apparmor-profiles
# rc-update add apparmor default
Add apparmor and the other Linux Security Modules to the kernel cmdline in /etc/kernel-hooks/secureboothook.conf:
cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"
Then reconfigure kernel-hooks and reboot for it to take effect:
# apk fix kernel-hooks
# reboot
You can check the status of apparmor using apparmor-utils:
# apk add apparmor-utils
# aa-status
Cmdline
There are a lot of kernel settings which can be passed on the command line to make a system more secure. The Madaidans-insecurities page describes what each of them does and how it improves the security of the system, so let's add them to /etc/kernel-hooks/secureboot.conf:
cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 iommu=force spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1tf=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot"
After reconfiguring kernel-hooks (apk fix kernel-hooks), reboot; the system should come up normally. There are further options that might harden the system more, but most of them come with a big performance hit, so these settings should do for now.
While booting, you may see sysctl complain about the ipv6 settings. This is still being worked on.
Sysctl
More kernel settings can be configured through sysctl. All of these settings are also explained on the Madaidans-insecurities page. Edit the file /etc/sysctl.d/main.conf:
# Main security configuration.
## Kernel
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.printk=3 3 3 3
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
dev.tty.ldisc_autoload=0
kernel.kexec_load_disabled=1
kernel.sysrq=0
kernel.perf_event_paranoid=3
## Network
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
## User space
kernel.yama.ptrace_scope=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
fs.protected_symlinks=1
fs.protected_hardlinks=1
fs.protected_fifos=2
fs.protected_regular=2
## For hardened_malloc
vm.max_map_count=1048576
This list is still incomplete.
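As an added check that is not part of this page's own instructions, the POSIX sh function below reads a sysctl.d file like the one above and reports every key whose live value under /proc/sys differs from the configured one, or that the running kernel does not expose at all. The second argument (a different sysctl root) is an assumption made so the check can be run against a copy; on a real box leave it out.

```shell
#!/bin/sh
# Compare the key=value lines of a sysctl.d file with what the running
# kernel reports under /proc/sys and print every mismatch (drift).
# Usage: check_sysctl_drift /etc/sysctl.d/main.conf [/proc/sys]
# Returns 0 when every key matches, 1 when any key differs or is missing.
check_sysctl_drift() {
    conf=$1
    sysfs=${2:-/proc/sys}
    drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments ("# ..." and "## ..." headers alike).
        case "$line" in ''|\#*) continue ;; esac
        key=${line%%=*}
        want=${line#*=}
        # Trim surrounding whitespace from key and value.
        key=$(printf '%s' "$key" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        want=$(printf '%s' "$want" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        # A sysctl key maps to a /proc/sys path by turning dots into slashes.
        path="$sysfs/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf 'MISSING %s (%s)\n' "$key" "$path"
            drift=1
            continue
        fi
        # The kernel stores multi-field values such as kernel.printk
        # tab-separated, so squeeze all whitespace to single spaces
        # on both sides before comparing.
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //;s/ $//')
        wantn=$(printf '%s' "$want" | tr -s '[:space:]' ' ')
        if [ "$have" != "$wantn" ]; then
            printf 'DRIFT   %s: want "%s" have "%s"\n' "$key" "$wantn" "$have"
            drift=1
        fi
    done < "$conf"
    return $drift
}
```

Run it after `sysctl -p /etc/sysctl.d/main.conf` and again after a reboot; a MISSING line usually means the key's subsystem is not present on this kernel.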
Blacklisting modules
WIP
Linux-Hardened
WIP
Hardened Malloc (WIP)
Musl's default memory allocator, which ships with Alpine Linux, is already fairly secure, but not as secure as hardened-malloc:
# apk add hardened-malloc
Then, to enable it system-wide, edit /etc/ld-musl-x86_64.path:
/usr/lib/libhardened_malloc.so
You can also use the light variant of hardened-malloc because the default one may not work well with some graphical applications:
/usr/lib/libhardened_malloc-light.so