HxHippy

Kernel Security Hardening

Kernel parameters and configurations for enhanced security.

Last updated: 2025-01-15

Kernel Hardening Guide

Kernel-level security provides the foundation for system defense.

Sysctl Security Parameters

Memory Protection

# /etc/sysctl.d/99-kernel-hardening.conf
# Memory-protection settings. Each one removes an information source or a
# debugging interface, so check the caveats below before rolling out to
# developer workstations or hosts that rely on profiling/tracing tools.

# Restrict kernel pointer exposure: 2 hides %pK-formatted kernel addresses
# from every user, including root.
kernel.kptr_restrict = 2

# Restrict dmesg access: reading the kernel log requires CAP_SYSLOG.
kernel.dmesg_restrict = 1

# Restrict access to performance events.
# NOTE(review): 3 is only recognised by kernels that carry the distribution
# perf_event_paranoid patch (Debian/Ubuntu kernels, for example). Mainline
# documents values up to 2, and a larger value there behaves like 2.
kernel.perf_event_paranoid = 3

# Enable ASLR (Address Space Layout Randomization): 2 randomizes stack, mmap
# base, VDSO and the heap (brk).
kernel.randomize_va_space = 2

# Restrict ptrace scope: 2 is admin-only attach, i.e. only processes holding
# CAP_SYS_PTRACE may trace. Unprivileged `gdb -p` / `strace -p` stop working.
kernel.yama.ptrace_scope = 2

# Disable SysRq key (0 turns off every SysRq function, including the
# emergency sync/remount/reboot sequence).
kernel.sysrq = 0

# Core dump restrictions: 0 means processes that changed privilege (setuid
# etc.) never dump core, so their memory cannot leak through dump files.
fs.suid_dumpable = 0

Network Stack Hardening

# IPv4 Security
# SYN cookies keep accepting connections when the SYN backlog overflows.
net.ipv4.tcp_syncookies = 1
# Drop RST segments for sockets in TIME-WAIT (RFC 1337).
net.ipv4.tcp_rfc1337 = 1
# Strict reverse-path filtering: packets whose source is not reachable via the
# receiving interface are dropped. This can break multihomed hosts or
# asymmetric routing; test before enabling on routers and VPN gateways.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP redirects (including "secure" ones from known gateways) so a
# neighbour on the LAN cannot rewrite this host's routes.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Do not send redirects; appropriate for hosts that are not routers.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# NOTE(review): 0 is the kernel default and leaves ping replies enabled; this
# line documents the choice rather than restricting anything. Set it to 1
# only if the host must not answer echo requests at all.
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

# IPv6 Security
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore router advertisements. Hosts that get their IPv6 address or default
# route from RAs (SLAAC) lose IPv6 connectivity with this setting, so use it
# only with static or DHCPv6-plus-static-route configurations.
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

File System Protection

# Protect hardlinks and symlinks: users may only hardlink files they own or
# can read and write, and symlinks in sticky world-writable directories
# (e.g. /tmp) are only followed when owner and follower match. This blocks
# the classic /tmp link-race (TOCTOU) pattern.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Refuse O_CREAT opens of FIFOs / regular files the caller does not own in
# sticky directories. 1 covers world-writable sticky directories; 2 extends
# the check to group-writable sticky directories as well.
fs.protected_fifos = 2
fs.protected_regular = 2

Apply and Verify

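# Apply all settings (reloads every sysctl configuration file). Read the
# output: keys the running kernel does not know are reported as errors while
# the remaining lines are still applied.
sudo sysctl --system

# Verify specific setting
sysctl kernel.randomize_va_space

# List the current kernel.* values. The pattern is quoted, anchored and has
# its dot escaped: a bare "kernel." is a regex in which "." matches any
# character, so it would also select unrelated lines that merely contain
# "kernel" somewhere in the key or the value.
sysctl -a | grep '^kernel\.'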

GRUB Security

Boot Parameters

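# /etc/default/grub  (this file is sourced as shell by grub-mkconfig)
# Hardening flags: AppArmor as the active LSM, audit from early boot, page
# poisoning, no slab cache merging, zero-on-alloc / zero-on-free, and no
# legacy vsyscall page. init_on_alloc/init_on_free need a kernel that supports
# them and cost some performance; vsyscall=none can break very old binaries.
GRUB_CMDLINE_LINUX="security=apparmor apparmor=1 audit=1 page_poison=1 slab_nomerge init_on_alloc=1 init_on_free=1 vsyscall=none"

# Disable unused subsystems at boot.
# Append to the value set above: a second plain assignment would replace it
# and silently drop every hardening flag from the kernel command line.
# The bluetooth module does not define a "disable" parameter (unknown module
# parameters are ignored with a log warning), so the module is blocked with
# the kernel's module_blacklist= parameter instead.
# With ipv6.disable=1 the net.ipv6.* sysctl keys are normally not created, so
# net.ipv6.* lines in /etc/sysctl.d will be reported as errors by
# `sysctl --system`; drop one or the other.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1 module_blacklist=bluetooth"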

# Update GRUB: regenerate grub.cfg so the new command line is used from the
# next boot. update-grub is the Debian/Ubuntu wrapper around grub-mkconfig;
# other distributions call grub-mkconfig / grub2-mkconfig with -o and the
# path of their grub.cfg. After rebooting, confirm the flags actually reached
# the kernel with: cat /proc/cmdline
sudo update-grub

Password Protect GRUB

# Generate password hash (prompts twice for the password and prints a
# grub.pbkdf2.sha512.* string; the plaintext password is never stored)
grub-mkpasswd-pbkdf2

# Add to /etc/grub.d/40_custom, below the header lines already in that file.
# Replace the whole "grub.pbkdf2.sha512.10000.[hash]" token with the string
# printed by the command above.
# NOTE(review): once superusers is set, GRUB asks for this password before
# booting any menu entry that is not marked --unrestricted, not only before
# editing an entry or opening the GRUB shell. Decide whether normal boots
# should stay passwordless, otherwise unattended reboots will wait at the menu.
# A GRUB password does not stop booting from other media; pair it with a
# firmware password or Secure Boot and disk encryption.
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.[hash]

# Regenerate grub.cfg so the password takes effect on the next boot.
sudo update-grub

Kernel Module Security

# Disable unused modules
# /etc/modprobe.d/blacklist-security.conf
#
# "install <module> /bin/true" makes modprobe run /bin/true instead of loading
# the module, which blocks both on-demand autoloading and an explicit
# `modprobe <module>`. A plain "blacklist" line would only stop alias-based
# autoloading. Neither affects code built into the kernel image, and root can
# still load a module file directly with insmod.
# Check the effect with: modprobe -n -v <module>
# Modules that are already loaded stay loaded until removed or until reboot.

# Disable uncommon protocols (their autoloading is reachable from an
# unprivileged socket() call, which is why they are frequent hardening targets)
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true

# Disable uncommon filesystems
# NOTE(review): confirm each one is unused on the host first. squashfs is
# required by snap packages and many live/installer images; udf is needed for
# some optical media and is used by some cloud provisioning setups.
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true

# Disable USB storage if not needed (modprobe treats "-" and "_" in module
# names as equivalent, so this also covers usb_storage)
install usb-storage /bin/true

Security Parameters Table

Parameter Value Purpose
kernel.kptr_restrict 2 Hide kernel pointers
kernel.randomize_va_space 2 Full ASLR
net.ipv4.tcp_syncookies 1 SYN flood protection
fs.suid_dumpable 0 No SUID core dumps
kernel.yama.ptrace_scope 2 Restrict ptrace