Linux kernel security and how to improve it
Linux kernel security
Every system is as strong as its weakest link. In the case of an operating system a weakness in the kernel often means a total compromise. Therefore we focus in this article on Linux kernel security, what we can do and where to look for.
Configuration of the kernel
To view or configure security related parameters of the kernel, there is the /etc/sysctl.conf file. This file stores the parameters and is read during boot time. However we can also determine the configuration during run-time, by using the sysctl tool.
To display all available kernel parameters:
This will give an extensive list of configuration settings to adjust. Also the Linux kernel security parameters are between these items. Think of items like randomization of process IDs, up to what kind of network packets should be dropped to prevent some spoofing attacks. As can be expected, adjusting any of these parameters can actually improve the way a system is running, but also have a serious negative impact. Before adjusting any parameter, read the related documentation carefully.
Depending on the role of the machine, any system nowadays is connected via the network. When the system needs to be a web server, dealing with many concurrent connections, the network related parameters are interesting to tune. This instructs the kernel to enhance this part and for example reserve more memory, or use a more aggressive stance to drop old connections.
Lynis and kernel auditing
While we could go into each and every kernel parameter, we prefer automation. Our tool Lynis does also check for kernel parameters. It already has several predefined key pairs to look for and provide advice. These are configured in the scan profile and can be adjusted or extended, depending on your needs. When Lynis finds a key and it has the same value in the running configuration, it will show “OK”, else it will mark the setting as being different. Depending on the key and the function of the machine, the system administrator should carefully determine if these kernel parameters should be adjusted. If so, also the configuration file /etc/sysctl.conf should be updated, to make sure the same value is active after rebooting the system.