Linux kernel security and how to improve it

Every system is as strong as its weakest link. In the case of an operating system like Linux, one weakness in the kernel could result in a security breach. This article covers the Linux kernel features and how they work.

Kernel features

Live kernel patching

As the kernel is similar to other software, it receives updates to improve it. Now and then a security weakness is discovered in one of the subsystems of the Linux kernel. This means that Linux distributions have to create a patch, rebuild the related software packages, and distribute it. The downside is that installing a new kernel package, will not resolve the issue. After all, you are still running the same kernel that you did before applying the updates. This is what kernel patches or livepatches solve.

A kernel patch is a specialized hook into the kernel that can alter running components. This includes changing system calls and memory allocations. It is like you are applying service and repair on a driving car. The tooling and the kernel itself have to take care that the system itself does not crash while the changes are applied. This technique has been implemented in several products with names like livepatch, kpatch, kGraft, and ksplice. See the overview of which Linux distributions are currently supported.

Configuration with sysctl

To view or configure security-related parameters of the kernel, there is the /etc/sysctl.conf file. This file stores the parameters and is read during boot time. However, we can also determine the configuration during run-time, by using the sysctl tool.

To display all available kernel parameters:

sysctl -a

This will give an extensive list of configuration settings to adjust. Also, the Linux kernel security parameters are between these items. Think of items like randomization of process IDs, up to what kind of network packets should be dropped to prevent some spoofing attacks. As can be expected, adjusting any of these parameters can actually improve the way a system is running, but also have a serious negative impact. Before adjusting any parameter, read the related documentation carefully.

Network parameters

Depending on the role of the machine, any system nowadays is connected via the network. When the system needs to be a web server, dealing with many concurrent connections, the network related parameters are interesting to tune. This instructs the kernel to enhance this part and for example reserve more memory, or use a more aggressive stance to drop old connections.

Automated scan

While we could go into each and every kernel parameter, we prefer automation. Tools like Lynis also check for kernel parameters. It already has several predefined key pairs to look for and provide advice. These are configured in the scan profile and can be adjusted or extended, depending on your needs. When Lynis finds a key and it has the same value in the running configuration, it will show “OK”, else it will mark the setting as being different. Depending on the key and the function of the machine, the system administrator should carefully determine if these kernel parameters should be adjusted. If so, also the configuration file /etc/sysctl.conf should be updated, to make sure the same value is active after rebooting the system.


Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.

Mastodon icon