documentation/docs/alpine-server-setup/post-install/security.md
2024-08-10 22:34:26 +02:00

4.8 KiB

Security

There are a few things that have to be done to optimize the security of the system. Some of the sources used are listed below.

Apparmor and LSM

Apparmor is a mandatory access control mechanism that may restrict the capabilities of a program, install it via:

# apk add apparmor apparmor-profiles
# rc-update add apparmor default

Add apparmor and other "Linux Security Modules" to the cmdline in /etc/kernel-hooks.d/secureboothook.conf:

cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"

Then reconfigure kernel-hooks and reboot for it to take effect:

# apk fix kernel-hooks
# reboot

You can check the status of apparmor using apparmor-utils:

# apk add apparmor-utils
# aa-status

Kernel settings

Commandline

There are a lot of kernel settings which can be passed to the command line to make a system more secure. So lets add them to /etc/kernel-hooks/secureboot.conf.

cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot"

After reconfiguring kernel-hooks try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now.

Whilst booting up your system you may see sysctl complaining about ipv6 settings. We are trying to resolve the problem.

Sysctl

More kernel settings can be configured through sysctl. Edit /etc/sysctl.d/main.conf:

# Main security configuration.

## Kernel
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.printk=3 3 3 3
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
dev.tty.ldisc_autoload=0
kernel.kexec_load_disabled=1
kernel.sysrq=0
kernel.perf_event_paranoid=3

## Network
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0

## User space
kernel.yama.ptrace_scope=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
fs.protected_symlinks=1
fs.protected_hardlinks=1
fs.protected_fifos=2
fs.protected_regular=2

## For hardened_malloc
vm.max_map_count=1048576

This list is most likely still incomplete but should be good enough for now.

Blacklisting modules

Work in progress.

Linux-Hardened

Work in progress.

Hardened Malloc (WIP)

The default memory allocator of Musl is already reasonably secure but not as secure as hardened-malloc:

# apk add hardened-malloc

Then to set it system-wide edit /etc/ld-musl-x86_64.path:

/usr/lib/libhardened_malloc.so
/lib
/usr/lib
/usr/local/lib

The light variant of hardened-malloc may also be used instead of the default when problems with graphical applications occur.

/usr/lib/libhardened_malloc-light.so

Entropy

Improve the security of the system by increasing the entropy. Install jitterentropy-library:

# apk add jitterentropy-library

and create a config file in /etc/modules-load.d/jitterentropy.conf so that the kernel module gets loaded:

jitterentropy_rng

PAM

There are a few changes that can be made to improve login protection.

First install PAM through util-linux-login:

# apk add util-linux-login

Delays can be a deterent against bruteforcing login attempts. Simply add the following to the line in /etc/pam.d/login:

auth optional pam_faildelay.so delay=5000000

which will add a 5 second delay between login attempts.

The system can also enforce a stronger hash algorithm for a more secure login protector. Edit the file /etc/pam.d/base-password and add the line:

password required pam_unix.so nullock sha512 shadow rounds=1000000

If an account has already been created then change your password so that it is also secure with: passwd <username>. When creating a password make sure that it is at least 8 characters long.