Linux hardening

From PrivacyWiki


Remember to check CPU vulnerability mitigations

The same hardware flaws affect Windows 10, but it does not expose this information or the mitigation instructions as easily. macOS users should see "How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities" on Apple Support.

On a recent enough kernel you can list the CPU vulnerabilities it knows about, and what it is doing about each of them, with tail -n +1 /sys/devices/system/cpu/vulnerabilities/*. Using tail -n +1 instead of cat prints each file name as a header above its one-line status, which reads "Not affected", "Vulnerable", or "Mitigation: ..." followed by the technique in use.

On an Intel CPU with Hyper-Threading enabled, some of those lines (l1tf and mds in particular) end with "SMT vulnerable": the mitigation is in place, but a malicious sibling hardware thread on the same core can still leak data. To close that gap, disable Hyper-Threading in the UEFI/BIOS setup, or have the kernel disable it at boot with the steps below. They assume the system boots with GRUB and that grub-mkconfig reads drop-in files from /etc/default/grub.d/, as it does on Debian and Ubuntu:

  1. sudo mkdir -p /etc/default/grub.d/ to create the directory for additional GRUB configuration (it may already exist).
  2. echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force"' | sudo tee /etc/default/grub.d/mitigations.cfg to create a new drop-in carrying the extra kernel parameters. The single quotes matter: without them your interactive shell expands $GRUB_CMDLINE_LINUX_DEFAULT (which is empty there) and strips the double quotes, so the file would lose your existing options and hand grub-mkconfig a malformed line. l1tf=full,force and mds=full,nosmt enable the full L1TF and MDS mitigations and switch SMT off, mitigations=auto,nosmt does the same for every other mitigation the kernel knows, and nosmt=force keeps SMT off even through /sys/devices/system/cpu/smt/control.
  3. sudo grub-mkconfig -o /boot/grub/grub.cfg to regenerate the GRUB configuration with the new kernel parameters (on Debian and Ubuntu, sudo update-grub does the same).
  4. sudo reboot.
  5. After the reboot, run tail -n +1 /sys/devices/system/cpu/vulnerabilities/* again: every line that mentioned SMT should now say "SMT disabled", and cat /sys/devices/system/cpu/smt/control should print "forceoff".
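The five steps as one script, as an added example that is not PrivacyWiki's own code. It assumes GRUB with Debian-style /etc/default/grub.d/ drop-ins and the kernel flags listed above; the apply/check arguments and the parameterised paths are this example's own choices, so the checking function can also be pointed at any directory of status files.

```shell
#!/bin/sh
# Added example, not PrivacyWiki's own code: the five steps above as one script.
# Assumptions: GRUB with Debian-style /etc/default/grub.d/ drop-ins, and the
# same kernel flags the page lists. Paths are parameters so the functions can be
# exercised against a scratch directory without touching the real system.
set -eu

MITIGATION_FLAGS='l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force'

# Steps 1 and 2: write the drop-in. The format string is single-quoted, so the
# literal text $GRUB_CMDLINE_LINUX_DEFAULT and the double quotes reach the file
# intact; grub-mkconfig, not this shell, expands the variable when it sources
# the file.
write_mitigations_cfg() {
    dir="${1:-/etc/default/grub.d}"
    mkdir -p "$dir"
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT %s"\n' \
        "$MITIGATION_FLAGS" > "$dir/mitigations.cfg"
}

# Step 5: print every vulnerability file with its status. Returns 1 if any
# entry still starts with "Vulnerable" or contains "SMT vulnerable", 0 otherwise.
check_vulnerabilities() {
    vulndir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    bad=0
    for f in "$vulndir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-24s %s\n' "$(basename "$f"):" "$status"
        case "$status" in
            Vulnerable*|*"SMT vulnerable"*) bad=1 ;;
        esac
    done
    return "$bad"
}

# "apply" performs steps 1-4 (run it as root); "check" performs step 5 and
# exits non-zero while anything is still vulnerable. Any other invocation only
# prints usage, so the functions above can be called from elsewhere safely.
case "${1:-}" in
    apply)
        write_mitigations_cfg
        grub-mkconfig -o /boot/grub/grub.cfg
        echo "Reboot, then run: $0 check"
        ;;
    check)
        echo "smt/control: $(cat /sys/devices/system/cpu/smt/control)"
        check_vulnerabilities
        ;;
    *)
        echo "usage: $0 apply|check"
        ;;
esac
```

Running it with check after the reboot gives the same picture as the tail command, plus an exit status you can use from a cron job or a configuration-management run.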
Further reading
  • CPU.fail
  • Hardware vulnerabilities index on The Linux kernel user's and administrator's guide
  • How to install/update CPU microcode firmware on Linux. Whatever the CPU vendor, install the latest microcode package your distribution provides: several of the mitigations above depend on it, and an entry containing "no microcode" in the output above means the kernel could not enable them.
  • MDS - Microarchitectural Data Sampling on The Linux kernel user's and administrator's guide
  • RIDL and Fallout: MDS attacks on mdsattacks.com
  • Simultaneous multithreading on Wikipedia

YAMA Ptracing

> As Linux grows in popularity, it will become a larger target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. Pidgin) was compromised, it would be possible for an attacker to attach to other running processes (e.g. Firefox, SSH sessions, GPG agent, etc) to extract additional credentials and continue to expand the scope of their attack without resorting to user-assisted phishing.

https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html

Scope 0 is the classic behaviour described above. Scope 1 allows PTRACE_ATTACH only to a descendant of the tracer, unless the target has opted in with prctl(PR_SET_PTRACER); scope 2 additionally requires CAP_SYS_PTRACE, and scope 3 forbids attaching altogether and cannot be lowered again until reboot. The practical cost of scope 1 is that gdb -p or strace -p on an already running process needs sudo; starting the target under the debugger still works, because it is then a descendant.

<code>
echo 'kernel.yama.ptrace_scope = 1' | sudo tee /etc/sysctl.d/00-ptrace-restricted.conf
sudo sysctl --system
</code>
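The drop-in above together with a demonstration of what scope 1 actually blocks, as an added example that is not PrivacyWiki's or the kernel documentation's code. The file name comes from the page; the apply/demo arguments, the use of sleep(1) as the victim and the /proc/<pid>/mem probe are this example's own choices. Run it with demo as an unprivileged user before and after applying the setting to see the difference.

```shell
#!/bin/sh
# Added example, not PrivacyWiki's or the kernel documentation's code: install
# the drop-in above, then show what scope 1 blocks by trying to read the memory
# of a same-user process that is not our descendant. Assumed names:
# 00-ptrace-restricted.conf (from the page), the "apply"/"demo" arguments,
# and sleep(1) as the victim process.
set -eu

write_ptrace_dropin() {
    dir="${1:-/etc/sysctl.d}"
    mkdir -p "$dir"
    printf 'kernel.yama.ptrace_scope = 1\n' > "$dir/00-ptrace-restricted.conf"
}

# Start address (hex, no 0x prefix) of the first readable mapping in a
# /proc/<pid>/maps listing read from stdin. /proc/<pid>/mem must be read at a
# mapped offset: an unmapped offset fails with EIO whatever Yama says, which
# would make the demo look like a denial.
first_readable_mapping() {
    awk '$2 ~ /^r/ { split($1, a, "-"); print a[1]; exit }'
}

# Read 16 bytes of another process's memory; returns 0 on success. Reading
# /proc/<pid>/maps only needs PTRACE_MODE_READ, which Yama never restricts.
# Opening /proc/<pid>/mem needs PTRACE_MODE_ATTACH, which scope 1 denies for
# any process that is not our descendant unless we hold CAP_SYS_PTRACE.
try_read_mem() {
    pid="$1"
    start=$(first_readable_mapping < "/proc/$pid/maps")
    bytes=$(dd if="/proc/$pid/mem" bs=1 skip=$((0x$start)) count=16 2>/dev/null | od -An -tx1)
    [ -n "$bytes" ]
}

# A victim that is NOT our descendant: the intermediate sh exits at once, so
# sleep is reparented to init (or the nearest subreaper). If this script is
# itself PID 1 of a container, sleep becomes our child and the read succeeds
# even under scope 1; run the demo from a normal login shell.
spawn_orphan() {
    sh -c 'sleep 60 >/dev/null 2>&1 & echo $!'
}

demo() {
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope)
    victim=$(spawn_orphan)
    sleep 1    # give sleep(1) time to exec so its mappings are final
    if try_read_mem "$victim"; then
        echo "ptrace_scope=$scope: read memory of non-descendant pid $victim"
    else
        echo "ptrace_scope=$scope: access to /proc/$victim/mem denied"
    fi
    kill "$victim"
}

case "${1:-}" in
    apply) write_ptrace_dropin; sysctl --system >/dev/null; sysctl kernel.yama.ptrace_scope ;;
    demo)  demo ;;
    *)     echo "usage: $0 apply|demo" ;;
esac
```

With scope 0 the demo prints a hex dump's worth of the victim's memory; with scope 1 the open of /proc/<pid>/mem fails with "Permission denied", which is exactly the cross-process credential theft the quoted paragraph describes.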

Always disable userns

kernel.unprivileged_userns_clone should be 0 wherever you can afford it: unprivileged user namespaces give ordinary users access to a large amount of kernel attack surface that used to require root, and that surface has repeatedly been the path to local privilege escalation. The cost is compatibility. Brave (https://github.com/brave/brave-browser/issues/3420) and many Electron apps (https://github.com/electron/electron/issues/17972) rely on user namespaces for the Chromium sandbox; without them they need the setuid chrome-sandbox helper and otherwise refuse to start. Do not work around that with --no-sandbox. Note that this sysctl exists only on kernels carrying the Debian patch (Debian and Ubuntu kernels, Arch's linux-hardened); a stock upstream kernel offers only user.max_user_namespaces, and setting that to 0 also stops root from creating user namespaces.

https://wiki.archlinux.org/index.php/security#Sandboxing_applications
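Turning the feature off with whichever knob the running kernel provides, and checking the result with unshare(1), as an added example that is not PrivacyWiki's code. The drop-in name 99-disable-userns.conf and the apply/check arguments are this example's own choices; the /proc/sys path is a parameter so the knob-selection logic can be tested against a scratch directory.

```shell
#!/bin/sh
# Added example, not PrivacyWiki's code: disable unprivileged user namespaces
# with whichever sysctl the running kernel provides, and verify with unshare(1).
# Assumed names: the drop-in file 99-disable-userns.conf and the
# "apply"/"check" arguments; the /proc/sys path is a parameter so the selection
# logic can be exercised against a scratch directory.
set -eu

# kernel.unprivileged_userns_clone comes from a Debian patch (also carried by
# Ubuntu kernels and Arch's linux-hardened); a stock upstream kernel does not
# have it. The upstream fallback, user.max_user_namespaces = 0, is coarser: it
# also stops root from creating user namespaces, which breaks container
# runtimes and systemd units that use PrivateUsers=.
userns_sysctl_line() {
    procsys="${1:-/proc/sys}"
    if [ -e "$procsys/kernel/unprivileged_userns_clone" ]; then
        echo "kernel.unprivileged_userns_clone = 0"
    else
        echo "user.max_user_namespaces = 0"
    fi
}

# 99- so the drop-in sorts after any distribution default that enables the
# feature: sysctl --system applies files in lexical order and the last one wins.
write_userns_dropin() {
    dir="${1:-/etc/sysctl.d}"
    procsys="${2:-/proc/sys}"
    mkdir -p "$dir"
    userns_sysctl_line "$procsys" > "$dir/99-disable-userns.conf"
}

# unshare -U asks for a new user namespace as the current user. Run this as an
# unprivileged user: root (CAP_SYS_ADMIN) is exempt from the Debian knob.
# Expected failures once disabled: EPERM with the Debian knob, ENOSPC
# ("No space left on device") with max_user_namespaces = 0.
check_userns_blocked() {
    if unshare -U true 2>/dev/null; then
        echo "unprivileged user namespaces: still enabled"
        return 1
    fi
    echo "unprivileged user namespaces: blocked"
}

case "${1:-}" in
    apply) write_userns_dropin; sysctl --system >/dev/null; cat /etc/sysctl.d/99-disable-userns.conf ;;
    check) check_userns_blocked ;;
    *)     echo "usage: $0 apply|check" ;;
esac
```

After apply, run check as the user who normally runs the browser: if it still reports "still enabled", a later file in /etc/sysctl.d/ or /usr/lib/sysctl.d/ is overriding the drop-in.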