Kernel Hardening Guide
Kernel-level security provides the foundation for system defense. The settings below are conservative server defaults, but several of them (strict rp_filter, ptrace_scope=2, accept_ra=0, blocking squashfs, a GRUB superuser password) can break specific workloads — stage them on a test host and verify after a full reboot, not just after `sysctl --system`.
Sysctl Security Parameters
Memory Protection
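# /etc/sysctl.d/99-kernel-hardening.conf
#
# Applied at boot by systemd-sysctl and on demand by "sysctl --system".
# Fragments are read in lexical order and /etc/sysctl.conf is applied after
# them (directly by sysctl --system, via the 99-sysctl.conf symlink on
# Debian-style systems), so a key repeated there overrides this file.
# A key the running kernel does not have (e.g. kernel.yama.* without the
# Yama LSM) only logs an error; the remaining keys still apply.

# Restrict kernel pointer exposure: 2 = %pK pointers are zeroed for
# everyone, root included (defeats KASLR leaks via /proc, dmesg, sysfs)
kernel.kptr_restrict = 2
# Restrict dmesg access to processes with CAP_SYSLOG
kernel.dmesg_restrict = 1
# Restrict access to performance events.  Upstream defines values up to 2
# (no unprivileged kernel profiling); 3 is a Debian/Ubuntu/Android extension
# that also denies unprivileged user-space profiling and behaves like 2 on
# kernels without that patch.
kernel.perf_event_paranoid = 3
# Enable full ASLR: 2 randomizes stack, mmap base, VDSO and the brk heap
kernel.randomize_va_space = 2
# Restrict ptrace (Yama): 2 = only CAP_SYS_PTRACE may attach, so gdb/strace
# on your own processes stop working for unprivileged users.  Do not use 3:
# once set it cannot be lowered again without a reboot.
kernel.yama.ptrace_scope = 2
# Disable the magic SysRq key entirely.  Many distributions ship a non-zero
# bitmask by default; 4 would keep only keyboard control (SAK) if console
# operators need it.
kernel.sysrq = 0
# Refuse bpf() from unprivileged users.  1 is one-way until reboot; 2 blocks
# the same calls but can be changed back at runtime.
kernel.unprivileged_bpf_disabled = 1
# Harden the BPF JIT (constant blinding, no JIT image in dmesg) for all
# users, including root.  Costs some BPF throughput on eBPF-heavy hosts.
net.core.bpf_jit_harden = 2
# Block kexec so a compromised root cannot swap the running kernel without a
# reboot.  One-way switch.  On kdump hosts the crash kernel must be loaded
# before this takes effect, or leave it unset there.
kernel.kexec_load_disabled = 1
# Core dump restrictions: suid_dumpable = 0 means setuid / non-readable
# binaries never dump core (a dump could leak privileged memory).  Pair with
# a hard core ulimit of 0 in limits.conf if ordinary processes should not
# write dumps either.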
fs.suid_dumpable = 0
Network Stack Hardening
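# IPv4 Security
# TCP SYN cookies keep legitimate connections completing under a SYN flood
net.ipv4.tcp_syncookies = 1
# Ignore RSTs for sockets in TIME-WAIT (RFC 1337 "TIME-WAIT assassination")
net.ipv4.tcp_rfc1337 = 1
# Reverse-path filtering.  1 = strict: a packet is dropped unless the reply
# would leave through the interface it arrived on.  This breaks asymmetric
# routing and some multi-homed / VPN hosts; use 2 (loose) on those.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP redirects (a peer on the LAN could otherwise rewrite our
# routing decisions), and never send them: only a router has a reason to.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Do not honour source-routed packets (the sender would dictate the path)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Log packets with impossible source addresses ("martians"); useful as a
# detection signal, can be noisy on busy or misconfigured networks
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Leave echo requests answered (0 is the kernel default).  Dropping all pings
# breaks monitoring and path-MTU troubleshooting and does not hide the host
# from a port scanner, which does not rely on ICMP echo.
net.ipv4.icmp_echo_ignore_all = 0
# ...but ignore echo requests to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not log bogus ICMP error responses from broken routers
net.ipv4.icmp_ignore_bogus_error_responses = 1
# IPv6 Security
# (moot if the kernel is booted with ipv6.disable=1)
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore Router Advertisements.  A host that obtains its IPv6 address and
# default route via SLAAC loses IPv6 connectivity with this; use static
# addressing / DHCPv6 on such hosts or keep the default (1).
net.ipv6.conf.all.accept_ra = 0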
net.ipv6.conf.default.accept_ra = 0
File System Protection
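# Protect hardlinks and symlinks in world-writable sticky directories (/tmp,
# /var/tmp): a symlink there is followed only if its owner matches the
# follower or the directory owner, and a hardlink may only be created to a
# file the user owns or has read/write access to.  Closes the classic /tmp
# symlink race used for privilege escalation.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Kernel 4.19+: refuse O_CREAT opens of a pre-existing FIFO (and of a regular
# file, next key) in such directories unless it belongs to the opener or the
# directory owner.  2 extends the rule to group-writable sticky directories.
# Older kernels do not have these keys and will log an error for them.
fs.protected_fifos = 2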
fs.protected_regular = 2
Apply and Verify
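# Apply every sysctl.d fragment now (systemd-sysctl does the same at boot).
# Read the output: a key the running kernel lacks prints an error and is
# skipped, but everything else is still applied.
sudo sysctl --system
# Or apply just this file, to see exactly which keys it sets
sudo sysctl -p /etc/sysctl.d/99-kernel-hardening.conf
# Verify specific settings (several keys may be given at once)
sysctl kernel.randomize_va_space kernel.yama.ptrace_scope
# List all current values in the kernel.* namespace (next line).  grep's "."
# matches any character; "sysctl -a --pattern '^kernel\.'" gives an exact
# namespace listing without the pipe.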
sysctl -a | grep kernel.
GRUB Security
Boot Parameters
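# /etc/default/grub
# This file is sourced as shell by grub-mkconfig / update-grub, so a second
# GRUB_CMDLINE_LINUX= line REPLACES the first.  The original two-line form
# dropped every hardening flag and handed a literal "..." to the kernel.
# Keep a single assignment, or append with "${GRUB_CMDLINE_LINUX} ...".
#   security=apparmor apparmor=1   select AppArmor as the major LSM
#   audit=1                        enable kernel auditing from boot
#   page_poison=1                  poison freed pages (init_on_free covers
#                                  this on 5.3+ kernels; keeping both is harmless)
#   slab_nomerge                   keep slab caches separate (harder heap grooming)
#   init_on_alloc=1 init_on_free=1 zero memory on alloc/free; measurable cost
#                                  on allocation-heavy workloads, benchmark first
#   vsyscall=none                  remove the legacy vsyscall page (breaks only
#                                  very old static binaries)
#   randomize_kstack_offset=on     per-syscall kernel stack offset (5.13+;
#                                  older kernels ignore unknown parameters)
GRUB_CMDLINE_LINUX="security=apparmor apparmor=1 audit=1 page_poison=1 slab_nomerge init_on_alloc=1 init_on_free=1 vsyscall=none randomize_kstack_offset=on"
# Keep unused subsystems out of the kernel from boot.  Append, do not
# reassign.  ipv6.disable=1 only on hosts with no IPv6 need at all: services
# that bind to :: will fail to start.  For Bluetooth use modprobe.blacklist=;
# "bluetooth.disable=1" is not a documented kernel parameter and I could not
# find a "disable" option in "modinfo -p bluetooth", so it does nothing.
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} ipv6.disable=1 modprobe.blacklist=bluetooth,btusb"
# Update GRUB (Debian/Ubuntu; RHEL/Fedora: grub2-mkconfig -o /boot/grub2/grub.cfg)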
sudo update-grub
Password Protect GRUB
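# Generate password hash.  Prompts twice and prints one string of the form
# grub.pbkdf2.sha512.<iterations>.<salt>.<hash>; paste it whole below.
# "-c N" raises the PBKDF2 iteration count above the default 10000 if
# offline guessing of a leaked hash is a concern.
grub-mkpasswd-pbkdf2
# Add to /etc/grub.d/40_custom, below its "exec tail -n +3 $0" header line.
# These two lines are GRUB script, not shell.
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.[hash]
# CAVEATS, before running update-grub:
# - Once superusers is set, EVERY menu entry asks for this password just to
#   boot unless the entry is marked --unrestricted, so an unattended server
#   sits at the GRUB menu after its next reboot.  On Debian/Ubuntu the usual
#   fix is appending --unrestricted to the CLASS= line in
#   /etc/grub.d/10_linux, which keeps booting open and protects only the
#   edit ("e") and command-line ("c") functions.
# - The hash is copied into /boot/grub/grub.cfg; check with ls -l that it
#   and 40_custom are not world-readable, and choose a strong passphrase -
#   PBKDF2 slows offline cracking, it does not prevent it.
# - This guards the GRUB menu only.  Booting other media, pulling the disk or
#   entering firmware setup bypasses it: pair with a firmware password,
#   Secure Boot and full-disk encryption.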
sudo update-grub
Kernel Module Security
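# Disable unused modules
# /etc/modprobe.d/blacklist-security.conf
#
# "install <mod> /bin/true" makes a modprobe of <mod> run /bin/true instead
# of loading it; "blacklist <mod>" additionally stops udev/alias autoloading.
# Use both lines per module, as the CIS benchmarks do.  (/bin/false works
# the same but reports the refusal to the caller as a failed modprobe.)
# Limits: a module that is already loaded stays loaded until "modprobe -r"
# or a reboot; a driver compiled into the kernel is unaffected; and the
# initramfs carries its own copy of modprobe.d, so rebuild it afterwards
# (update-initramfs -u / dracut -f) so early boot enforces the same rules.
# Verify:  modprobe -n -v dccp   (prints "install /bin/true")
#          lsmod | grep -w dccp  (should print nothing)
# Disable uncommon protocols
install dccp /bin/true
blacklist dccp
install sctp /bin/true
blacklist sctp
install rds /bin/true
blacklist rds
install tipc /bin/true
blacklist tipc
# Disable uncommon filesystems
install cramfs /bin/true
blacklist cramfs
install freevxfs /bin/true
blacklist freevxfs
install jffs2 /bin/true
blacklist jffs2
install hfs /bin/true
blacklist hfs
install hfsplus /bin/true
blacklist hfsplus
# squashfs: do NOT block on Ubuntu hosts using snaps (snap packages are
# squashfs images) or anywhere live/installer images are mounted
install squashfs /bin/true
blacklist squashfs
install udf /bin/true
blacklist udf
# Disable USB storage if not needed.  usb-storage alone is not enough: many
# USB 3 disks and enclosures attach through the separate "uas" driver, so
# block that too.  Neither stops USB keyboards / HID devices (BadUSB);
# use USBGuard for device-level policy.
install uas /bin/true
blacklist uas
blacklist usb-storage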
install usb-storage /bin/true
Security Parameters Table
| Parameter | Value | Purpose |
|---|---|---|
| kernel.kptr_restrict | 2 | Hide kernel pointers |
| kernel.randomize_va_space | 2 | Full ASLR |
| net.ipv4.tcp_syncookies | 1 | SYN flood protection |
| fs.suid_dumpable | 0 | No SUID core dumps |
| kernel.yama.ptrace_scope | 2 | Restrict ptrace |
- kernel
- sysctl
- security
- hardening
- linux kernel