Kernel hardening part 1

And then, kernel.exec-shield was born.

Exec Shield is a project that got started at Red Hat, Inc in late 2002 with the aim of reducing the risk of worm or other automated remote attacks on Linux systems. The first result of the project was a security patch for the Linux kernel that adds an NX bit to x86 CPUs. While the Exec Shield project has had many other components, some people refer to this first patch as Exec Shield.

This can be set either as a kernel command-line parameter or through
sysctl. It takes the following values, with these effects:

– a value of 0 completely disables ExecShield and Address Space Layout Randomization
– a value of 1 enables them ONLY if the application bits for these protections are set to “enable”
– a value of 2 enables them by default, except where the application bits are set to “disable”
– a value of 3 always enables them, regardless of the application bits

So we need something like this in sysctl.conf, then run sysctl -p:

Lower the level if it causes trouble.


/proc and dmesg restrictions

Restricting process visibility. Useful against malicious local users, but still not enough on its own:

hidepid accepts three different values:

  • hidepid=0 (default): the default behaviour; every user can see every process.
  • hidepid=1: a normal user no longer sees other users' processes in ps, top etc., but can still see their process IDs in /proc
  • hidepid=2: users can only see their own processes (as with hidepid=1), and the other process IDs are hidden from them in /proc as well
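As an added example (not code from the original post), a small Python audit that parses a constructed fstab and sysctl.conf fragment and reports the hidepid level and the kernel.exec-shield value described above. It also checks kernel.dmesg_restrict and kernel.kptr_restrict, the sysctl keys behind the dmesg and kernel-symbol sections below, which the post itself does not name, and accepts the named hidepid values (off, noaccess, invisible, ptraceable) that newer kernels allow alongside the numeric ones.

```python
import re

# Constructed sample inputs (not from the original post): an fstab that mounts
# /proc with hidepid, and a sysctl.conf fragment using the keys discussed here.
SAMPLE_FSTAB = """\
# <fs>     <mountpoint>  <type>  <options>                    <dump> <pass>
/dev/sda1  /             ext4    defaults                     0      1
proc       /proc         proc    defaults,hidepid=2,gid=proc  0      0
"""

SAMPLE_SYSCTL = """\
kernel.exec-shield = 2
kernel.dmesg_restrict = 1
# kernel.kptr_restrict = 1   <- commented out, so it is NOT applied
"""

# Names newer kernels accept for hidepid, mapped to the numeric levels.
HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}


def proc_hidepid(fstab_text):
    """Return the hidepid level of the /proc mount; 0 when unset (kernel default)."""
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] != "/proc":
            continue
        for opt in fields[3].split(","):
            if opt.startswith("hidepid="):
                value = opt.split("=", 1)[1]
                return HIDEPID_NAMES.get(value, None) if not value.isdigit() else int(value)
        return 0  # /proc is mounted, but without a hidepid option
    return 0


def sysctl_values(sysctl_text):
    """Parse 'key = value' lines from a sysctl.conf fragment; '#' starts a comment."""
    values = {}
    for line in sysctl_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w.\-]+)\s*=\s*(\S+)", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit(fstab_text, sysctl_text):
    """Return {setting: (configured value, hardened?)} for the settings in this post."""
    s = sysctl_values(sysctl_text)
    hp = proc_hidepid(fstab_text)
    return {
        "hidepid": (hp, hp is not None and hp >= 2),
        "kernel.exec-shield": (s.get("kernel.exec-shield"), s.get("kernel.exec-shield") in ("1", "2", "3")),
        "kernel.dmesg_restrict": (s.get("kernel.dmesg_restrict"), s.get("kernel.dmesg_restrict") == "1"),
        "kernel.kptr_restrict": (s.get("kernel.kptr_restrict"), s.get("kernel.kptr_restrict") in ("1", "2")),
    }
```

Run it against your real /etc/fstab and /etc/sysctl.conf to see which of the four settings are still at their permissive defaults; a commented-out line, as in the sample, counts as not set.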

Edit fstab so the /proc entry looks something like this:

Restricting dmesg:

Edit sysctl.conf and add:

Hide kernel symbol addresses

TCP/IP stack hardening