< Security Handbook

Security Handbook/Kernel security

Security Handbook
Pre-installation concerns
Bootloader security
Logging
Mounting partitions
User and group limitations
File permissions
PAM
TCP wrappers
Kernel security
Network security
Securing services
Chrooting and virtual servers
Firewalls
Intrusion detection
Staying up-to-date

This section is on securing the system's kernel.

Removing functionality

The basic rule when configuring the kernel is to remove everything that you do not need. This will not only create a small kernel but also remove the vulnerabilities that may lie inside drivers and other features.

Also consider turning off loadable module support (CONFIG_MODULES=n). Even though it is possible to add root kits without this features, it does make it harder for normal attackers to install root kits via kernel modules. For further information see the dedicated kernel modules page.

An alternative to turning the loadable modules off completely is forcing the kernel to load only digitally signed modules. See the dedicated page.

Kerneli

Kerneli is a patch that adds encryption to the existing kernel. By patching your kernel you will get new options such as cryptographic ciphers, digest algorithms and cryptographic loop filters.

Warning
The kerneli patch is currently not in a stable version for the latest kernel, so be careful when using it.

See also

  • Kernel Modules — object files that contain code to extend the kernel of an operating system.
  • Signed kernel module support — allows further hardening of the system by disallowing unsigned kernel modules, or kernel modules signed with the wrong key, to be loaded.

External resources

TCP wrappers|class=btn btn-default|title=Previous part Home|class=btn btn-default Securing services |class=btn btn-default|title=Next part
This article is issued from Gentoo. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.