MikeHorn-git/Kernel-Hardening

Kernel-Hardening

Important

Read the content of the files before proceeding; certain features are disabled.

Description

Kernel kconfig files written with hardening in mind.

Blacklist Modules (+100)

  • Driver
  • Filesystem
  • Graphics
  • Input devices
  • Network
  • Storage

The blacklisted kernel modules are listed in conf/blacklist.conf

GRUB Parameters (25)

  • Debugging and Diagnostics
  • Randomness
  • Security features
  • Vulnerability mitigation

These GRUB parameters are stored in conf/grub.txt

Kernel Parameters (+50)

  • FileSystem
  • Kernel
  • Network

These kernel parameters are stored in conf/sysctl.conf

Installation Script

  • Add GRUB entries
  • Copy blacklist.conf
  • Copy sysctl.conf
# Backup your files before running
git clone https://github.com/MikeHorn-git/Kernel-Hardening.git
cd Kernel-Hardening/scripts
chmod +x install.sh
./install.sh
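The "Add GRUB entries" step is the one most worth making repeatable, since appending a parameter list to GRUB_CMDLINE_LINUX_DEFAULT every time the script runs produces duplicated or conflicting options. The functions below are an added example of that step and are not the repository's install.sh: they merge a grub.txt-style list (one parameter per line, '#' comments allowed) into an /etc/default/grub-style file, keep a backup, skip keys that are already set, and can be re-run safely. The parameter names and file paths are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the repository's install.sh. Merges kernel command-line
# parameters from a grub.txt-style file into GRUB_CMDLINE_LINUX_DEFAULT of an
# /etc/default/grub-style file. Re-running is safe: a parameter whose key is
# already present is left as is (and reported when the value differs), and a
# backup of the target is written before any change. Paths are assumptions.
set -u

# has_key CMDLINE KEY: succeed if some token of CMDLINE has the given key
# (the text before '=', or the whole token for flags such as slab_nomerge).
has_key() {
    local tok
    for tok in $1; do
        [ "${tok%%=*}" = "$2" ] && return 0
    done
    return 1
}

# merged_cmdline GRUB_FILE PARAMS_FILE: print the merged command line; no writes.
merged_cmdline() {
    local grub_file=$1 params_file=$2 current line param key
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$grub_file" | tail -n 1)
    while IFS= read -r line || [ -n "$line" ]; do
        param=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')   # drop comments and blanks
        [ -n "$param" ] || continue
        key=${param%%=*}
        if has_key "$current" "$key"; then
            case " $current " in
                *" $param "*) ;;   # identical token already present
                *) printf 'note: %s already set with a different value, keeping existing\n' "$key" >&2 ;;
            esac
        else
            current="${current:+$current }$param"
        fi
    done < "$params_file"
    printf '%s\n' "$current"
}

# apply_grub_params GRUB_FILE PARAMS_FILE: rewrite the file in place, backup first.
apply_grub_params() {
    local grub_file=$1 params_file=$2 merged tmp
    merged=$(merged_cmdline "$grub_file" "$params_file")
    cp -p "$grub_file" "$grub_file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    awk -v new="GRUB_CMDLINE_LINUX_DEFAULT=\"$merged\"" '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ { print new; done = 1; next }
        { print }
        END { if (!done) print new }' "$grub_file" > "$tmp"
    cat "$tmp" > "$grub_file"    # overwrite in place so the file's mode is preserved
    rm -f "$tmp"
}

# Usage (as root, after reviewing the parameter file):
#   apply_grub_params /etc/default/grub conf/grub.txt && grub-mkconfig -o /boot/grub/grub.cfg
```

Keys are compared, not whole tokens, so an existing mitigations= or lsm= setting is never silently overridden; the note on stderr tells you where to decide by hand.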

Kconfigs

kconfigs
├── fragment-X86_64
├── gentoo
│   └── config
└── vanilla
    └── config

Fragment

kernel-hardening-checker can generate a Kconfig fragment containing the security hardening options for the selected microarchitecture, as described in its README:

kernel-hardening-checker -g X86_64 > fragment-X86_64
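A fragment only helps if it survives the later make oldconfig / make nconfig passes, which can drop or change options that no longer exist in the kernel version being built. The functions below are an added example, not part of the repository or of kernel-hardening-checker, that diff a fragment against a finished .config; the option names in the comments are examples.

```bash
#!/usr/bin/env bash
# Added example, not part of the repository or of kernel-hardening-checker.
# After 'make oldconfig' or 'make nconfig' has reworked a .config, confirm that
# every option from a fragment (such as fragment-X86_64) is still set as the
# fragment asked. Both files use the Kconfig syntax 'CONFIG_FOO=y',
# 'CONFIG_FOO=2' or '# CONFIG_FOO is not set'.
set -u

# config_value FILE OPTION: print the option's value, "n" for "is not set", or
# nothing when the option does not appear at all (typically because it does
# not exist in this kernel version, which also deserves a look).
config_value() {
    awk -v opt="$2" '
        $0 == ("# " opt " is not set") { print "n"; exit }
        index($0, opt "=") == 1 { print substr($0, length(opt) + 2); exit }' "$1"
}

# check_fragment FRAGMENT CONFIG: print one line per option whose value in
# CONFIG differs from FRAGMENT and return the number of mismatches.
check_fragment() {
    local fragment=$1 config=$2 line opt want have bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "# "CONFIG_*" is not set") opt=${line#"# "}; opt=${opt%" is not set"}; want=n ;;
            CONFIG_*=*) opt=${line%%=*}; want=${line#*=} ;;
            *) continue ;;          # comments, blank lines
        esac
        have=$(config_value "$config" "$opt")
        if [ "$have" != "$want" ]; then
            printf '%s: fragment=%s config=%s\n' "$opt" "$want" "${have:-<absent>}"
            bad=$((bad + 1))
        fi
    done < "$fragment"
    return "$bad"
}

# Usage, from the kernel source tree after 'make oldconfig':
#   check_fragment /path/to/fragment-X86_64 .config || echo "hardening options lost"
```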

Gentoo

Kernel sources lightly patched by the Gentoo kernel team.

Vanilla

Official kernel sources as released on kernel.org.

Compile Kernel

Gentoo

Prepare

# Install gentoo kernel
sudo emerge -av gentoo-sources

# Use eselect to change symlinks
sudo eselect kernel list
sudo eselect kernel set 1 # Use the correct number from kernel list command

# Take custom .config (/usr/src/linux is root-owned, so fetch and rename as root)
cd /usr/src/linux
sudo wget https://raw.githubusercontent.com/MikeHorn-git/Kernel-Hardening/main/kconfigs/gentoo/config
sudo mv config .config

Modify

When the kernel source is newer than the .config file.

sudo make oldconfig

To manually modify config.

sudo make nconfig

Compile

# Compile & Install
sudo make -j$(nproc)
sudo make modules_install
sudo make install

Arch

Prepare

export KVERSION=6.13.6
wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-"$KVERSION".tar.xz
tar -xf linux-"$KVERSION".tar.xz
cd linux-"$KVERSION"
wget https://raw.githubusercontent.com/MikeHorn-git/Kernel-Hardening/main/kconfigs/vanilla/config
mv config .config

Modify

When the kernel source is newer than the .config file.

sudo make oldconfig

To manually modify config.

sudo make nconfig

Compile

# Compile & Install
sudo make -j$(nproc)
sudo make modules_install
sudo make install

# Copy the kernel image by hand (the bzImage only exists once make has finished)
# Change to your version
export KVERSION=6.13.6
sudo cp arch/x86/boot/bzImage /boot/vmlinuz-"$KVERSION"

# Create initramfs image (choose one based on your distribution)
sudo dracut --kver "$KVERSION" /boot/initramfs-"$KVERSION".img
sudo mkinitcpio -k "$KVERSION" -g /boot/initramfs-"$KVERSION".img
sudo update-initramfs -c -k "$KVERSION"

# Update GRUB
sudo grub-mkconfig -o /boot/grub/grub.cfg

Security Audit

Kernel-Hardening-Checker

kernel-hardening-checker -c kconfigs/gentoo/config
kernel-hardening-checker -c kconfigs/vanilla/config

Spectre-meltdown-checker

Vulnerability/mitigation checker for Linux & BSD. "For Linux systems, the tool will detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number and the distribution." (Source: the project's README)

sudo ./spectre-meltdown-checker.sh
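kernel-hardening-checker audits the build configuration and spectre-meltdown-checker the CPU mitigations, but neither tells you whether the sysctl.conf and blacklist.conf shipped in conf/ are actually in effect on the running system. The two functions below are an added example, not a tool from the repository, that fill that gap: check_sysctl compares a sysctl.conf-style file with the live values under /proc/sys, and check_blacklist lists modules named in a modprobe blacklist file that /proc/modules nonetheless reports as loaded. The optional root arguments exist only so the checks can be exercised against a constructed tree; the sysctl keys and module names in the test data are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not a tool from the repository. Two audit checks that confirm
# the conf/ files are in effect on the running kernel. The optional second
# argument of each function defaults to the real /proc location and exists so
# the functions can be run offline against a constructed directory tree.
set -u

# squash: collapse runs of whitespace to one space and trim the ends, so that
# tab-separated values such as ip_local_port_range compare equal to "a b".
squash() { tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# check_sysctl CONF_FILE [PROC_SYS_ROOT]
# Prints one "key expected=X actual=Y" line per drifted or missing key and
# returns the number of such keys (0 means the running kernel matches).
check_sysctl() {
    local conf=$1 root=${2:-/proc/sys} line key want have path bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in *=*) ;; *) continue ;; esac       # skip blanks and comments
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | squash)
        path="$root/$(printf '%s' "$key" | tr . /)"      # sysctl maps a.b.c to /proc/sys/a/b/c
        if [ -r "$path" ]; then
            have=$(squash < "$path")
        else
            have='<missing>'                              # key unknown to this kernel/config
        fi
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
            bad=$((bad + 1))
        fi
    done < "$conf"
    return "$bad"
}

# check_blacklist BLACKLIST_FILE [MODULES_FILE]
# Prints each blacklisted module that is currently loaded and returns their
# count. A modprobe blacklist only stops automatic loading by alias, so a module
# pulled in as a dependency or loaded explicitly still shows up here.
check_blacklist() {
    local conf=$1 modules=${2:-/proc/modules} word mod bad=0
    while read -r word mod _; do
        [ "$word" = blacklist ] || continue
        mod=$(printf '%s' "$mod" | sed 's/-/_/g')       # /proc/modules always uses underscores
        if awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$modules"; then
            printf 'loaded: %s\n' "$mod"
            bad=$((bad + 1))
        fi
    done < "$conf"
    return "$bad"
}

# Usage on a live system:
#   check_sysctl conf/sysctl.conf        # non-zero return = drift from the shipped values
#   check_blacklist conf/blacklist.conf  # non-zero return = blacklisted module loaded
```

A non-zero return from check_blacklist usually means the module was loaded before the blacklist was installed or was requested as a dependency; in both cases an "install <module> /bin/false" line, or building the kernel without that module as the kconfigs here do, is the durable fix.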

About

Linux Kernel dotfiles
