Reducing Kernel Symbols on File System by Disabling CONFIG_VMLINUX_MAP and CONFIG_DEBUG_KERNEL #110
Labels
good_first_issue
Good task for new contributors
new_check
A new check of the Linux kernel security parameters
Comments
|
Hi @wryMitts, Thanks for the idea. I think shipping the debug info separately is a good compromise. So disabling CONFIG_VMLINUX_MAP and leaving CONFIG_DEBUG_KERNEL enabled provide this compromise. |
|
Hi @a13xp0p0v That is a fair compromise. It may also be a good idea to also mention somewhere that the build files should not be on the same machine where kernel security is required, as build files can reveal sensitive information too. Surely some users might build their kernels on the same machine they run the kernels, which negates security. |
a13xp0p0v
added
new_feature
a13xp0p0v
added
new_check
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CONFIG_VMLINUX_MAP generates a system.map file, which contains debugging symbols, and other information that may leak information about the kernel. It is automatically generated with the kernel, and it is delivered in Debian packages for the kernel when built with the dpkg-deb mode of the kernel build system.
Kicksecure OS has an automatic script to delete this file when a kernel is installed.
https://forums.whonix.org/t/kernel-hardening-security-misc/7296/84
https://gitlab.tails.boum.org/tails/tails/-/issues/10951
https://en.wikipedia.org/wiki/System.map
The CONFIG_DEBUG_KERNEL option generates a similar, large debug file that can be installed along the kernel. It is not installed by default, although it is automatically created on the build system. It will cause similar damage to the a system.map file. Disabling this optional also speeds up kernel build time extensively, and reduces disk usage on the build system.
https://wiki.ubuntu.com/Debug%20Symbol%20Packages
The text was updated successfully, but these errors were encountered: