Kernel Hardening

This page documents all of the things done to harden the kernel. Obscurix uses the linux-hardened kernel and a few custom settings to enhance security.

Sysctl Changes

Sysctl is used to change some settings in the kernel for increased security. They are documented below.

kernel.dmesg_restrict=1 is set to restrict the kernel logs to root only. This prevents an attacker from learning more about the system and what to exploit.

kernel.kptr_restrict=2 is set which hides the kernel symbols in /proc/kallsyms to prevent an attacker from using them to learn more about what to attack on your system.

kernel.unprivileged_bpf_disabled=1 is set which restricts the BPF JIT compiler to root only. This prevents a lot of possible attacks against the JIT compiler such as heap spraying.

net.core.bpf_jit_harden=2 is set which hardens the JIT compiler against certain attacks such as heap spraying attacks.

kernel.yama.ptrace_scope=2 is set which restricts the use of the ptrace() syscall to root only. ptrace can be used to inspect and modify running processes which is very dangerous.

kernel.kexec_load_disabled=1 is set which disables kexec as it can be used to livepatch the running kernel.

net.ipv4.tcp_syncookies=1 is set to enable TCP syncookies which prevents SYN flood attacks (a type of DoS).

net.ipv4.tcp_rfc1337=1 is set which prevents time-wait assassination attacks.

net.ipv4.conf.default.rp_filter=1 and net.ipv4.conf.all.rp_filter=1 are set which prevents certain IP spoofing methods.

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

are set which disables ICMP redirect acceptance.

net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
are set which disables ICMP redirect sending.

net.ipv4.icmp_echo_ignore_all=1 are set which makes your system ignore ICMP requests.

vm.mmap_rnd_bits=32 vm.mmap_rnd_compat_bits=16 are set which improves ASLR effectiveness for mmap.

net.ipv4.tcp_timestamps=0 is set which disables TCP timestamps. These can be used to find out your system time which can be an identifier.

net.ipv4.tcp_sack=0 is set which disables SACK. SACK is commonly exploited and rarely used.

kernel.sysrq=0 is set which disables the SysRq key. The SysRq key can be used to run arbitrary commands that would normally require root so it is best to disable it.

kernel.unprivileged_userns_clone=0 is set which disables unprivileged user namespaces. User namespaces add a lot of attack surface for privilege escalation so they are disabled for unprivileged users. Because of this, bubblewrap has to be made setuid.

kernel.deny_new_usb=1 is set which blocks all newly connected USB devices. This prevents any USB based attacks.

Boot Parameters

Obscurix passes some parameters to the kernel at boot through the bootloader to increase security. These are documented below.

apparmor=1 security=apparmor are used to enable AppArmor.

slab_nomerge is used which disables merging of slabs of similar sizes as they can sometimes be used in a vulnerable way and be exploited.

slub_debug=FZ is used which enables redzoning and sanity checks. Redzoning can help to prevent slabs from being overwritten past its size.

mce=0 is used which causes the kernel to panic on uncorrectable errors in ECC memory that could be exploited.

ipv6.disable=1 is used to disable the IPv6 stack which has some privacy issues, is not yet fully supported in Tor and adds extra attack surface.

pti=on is used to enable Kernel Page Table Isolation which prevents some KASLR bypasses and mitigates Meltdown.

mds=full,nosmt is used to enable all mitigations for the MDS vulnerability and disable smt which can be used to exploit the MDS vulnerability.

init_on_free=1 init_on_alloc=1 are used to initalize new memory pages with zeroes and to overwrite freed memory pages with zeroes.

lockdown=confidentiality is used to enable kernel lockdown which locks down many ways userspace can escalate to kernel mode.

intel_iommu=on amd_iommu=on are used which enables IOMMU to prevent DMA attacks.

modules.sig_enforce=1 is used which only allows kernel modules signed with a valid key to be loaded. Any kernel module signed with an invalid key or not signed at all will not be loaded. This increases security by making it much harder to load a malicious kernel module.

oops=panic is used which makes the kernel panic on oopses. This prevents the kernel from continuing to run a flawed process which can be exploited. Kernel exploits sometimes also cause an oops which this will help against. Sometimes, buggy drivers cause harmless oopses which will result in your system crashing so this boot parameter can only be used on certain hardware.

Other

/proc is mounted with hidepid=2 to prevent users from seeing eachother's processes. systemd-logind is exempted from this by making it run within the proc group. This is needed for user sessions to work correctly.