I am too lazy to research it and still wondering. Can someone give me a basic explanation of it?
You don’t mention any specific distro, but I’m guessing it’s pretty similar across distros. And since Arch tends to have good documentation, I’ve focused mostly on Arch. (I use Arch BTW. Fight me. :wink:)
The differences are that a different set of configuration options were selected when building the Kernel. All differences in configuration were selected with security in mind.
Here is a full list with lots of details but just vaguely (in roughly the same order as they are on the Arch page):
- It takes some special memory management steps to mitigate buffer overflow and stack overflow kind of vulnerabilities that might exist in other programs on the system.
- It locks down access to some information about specific kernel processes to prevent malicious programs from accessing those kernel processes. (And the wiki page says specifically that this doesn’t really help much unless you compile your own kernel, but yeah.)
- Locks down “BPF” which, honestly, I don’t know much about. Has something to do with firewalls?
- Prevents one application from getting internal data about another application (like happens with programs like strace or gdb.)
- Hides other users’ processes from your current user.
- Prevents loading of unsigned kernel modules.
- Turns off a feature that lets you replace a running kernel with a newer kernel version without restarting the whole computer.
- Enables “Kernel lockdown mode” which "strengthens the boundary between what the root user can access and kernel space.
- Enables “LKRG” which is kindof an “intrusion detection system for the Linux kernel.”
- Disables the emergency shell that can otherwise be used to debug and recover when your system fails to boot. (But could also be used to do evil things if an adversary has physical access to the computer, I think?)
So, all fairly technical stuff, but just locks stuff down and locks down things to improve overall security at the expense of some functionality. Some applications just straight won’t work with a hardened kernel. (skypeforlinux-stable-bin is an example of a program that the Arch page listed above gives that just won’t work.)
- Locks down “BPF” which, honestly, I don’t know much about. Has something to do with firewalls?
BPF (more importantly it’s successor, eBPF) allows (very specific, automatically verified) programs to run in kernel space, triggered by various events. Mostly used for networking stuff.
I’m running self compiled hardened kernel and I enabled kernel lockdown mode. Before that it was disabled. Maybe Arch team disabled it.
Basically, you want to improve the security of Linux, by reducing the attack surface and adding authentication wherever possible? There’s a bunch of practices involved - using a custom hardened kernel focused on security, as well as enabling strong firewall config and disk encryption. I’ve never tried hardening before, so I don’t know if I’m missing anything.
Honestly, you could use OpenBSD here, as it comes hardened out of the box, and it seems be the preferred choice for a security-first computing. But if platform is a constraint, then you may try your luck with
linux-hardened.I wouldn’t recommend OpenBSD as it is fairly obscure compared to Linux. I’ve yet to see a real world example of how it is somehow better
They developed new system calls (pledge and unveil) which restrict they system calls and file access of programs (here’s a good writeup by Andreas Kling after he added support in SerenityOS: https://awesomekling.github.io/pledge-and-unveil-in-SerenityOS/). As an example, the Firefox port for OpenBSD uses them to heavily restrict what random websites can do or get from your system.
Just one example since you’ve somehow yet to see any.
https://isopenbsdsecu.re/
I don’t think much changed since then, but would love to be proven wrong.+1, but OpenBSD can enforce security (Linux have landlock, *san, ACL, MAC but cannot enforce them, while OpenBSD doesn’t but can enforce pledge and unveil and even for some ports like chromium and firefox)
https://madaidans-insecurities.github.io/
But see Chimera Linux.
I heard of Chimera multiple times now, but everytime I look into it it doesn’t seem to be more interesting and useful than say Alpine.
Do you have any write-ups about the security advantages of Chimera Linux?I mean Chimera is using FreeBSD userland, and they expressed why GNU coreutils used by most distro have “problem”. Since we are talking about BSD. (OpenBSD’s userland is less in feature and it is cleaner)
(so that’s bring an advantage in security lol)
While coreutils may seem lightweight enough to not cause any issues already, there are some specific reasons the system uses a BSD-derived userland. The primary one is probably that the code of the BSD versions is overall much cleaner and easier to read. There are no cursed components such as gnulib, the codebase is leaner, and more aligned with the project’s goals.
Forgot to link a comment on that website: https://marc.info/?l=openbsd-misc&m=158908598913596&w=2
Did you read it? The author is clearly biased against OpenBSD.
As an example, he dedicates quite a lot to talk about “ROP gadgets removal” (which is an ineffective mitigation employed by OpenBSD), however he also states:
Anyway, removing ROP gadgets the way OpenBSD is doing it doesn’t add a large amount of complexity, doesn’t harm performances nor debuggability, so why not, but it doesn’t make exploitation significantly harder, at all.
When you consider the fact that some mitigations which were considered overkill were proven significant with time (for example, OpenBSD was completely unaffected by Spectre v1 and similar exploits since they disabled hyperthreading), statements like these make it clear to me that the author is biased.
Edit: This is not to say the website is deceptive, it’s just that it doesn’t provide a good analysis or comparison of the security of different systems IMO.
It just has security checks and randomization that makes it harder to compromise. The trade off is usually performance.
The Linux kernel varies between mainstream distros. For instance, I believe that Fedora goes for a more hardened configuration while Debian targets stability
If you want to learn more with some hands one experience try Gentoo
My question would be “how do hardening kargs differ from a hardened kernel”?
Kargs can be dynamically applied and work easily on immutable distros. Tbh a monolithic unhardened kernel is my biggest problem with immutable Distros, as changing that is quite drastic.
It really depends on what flags the hardened kernel has. You might get the same result with args or you may get something totally different.
If you want to learn more try Gentoo
I don’t think that project is maintained anymore, but at one point in time it used to add patches that were part of the Kernel Self Protection project. I believe those changes are now largely part of the mainline kernel.
I.e. it’s not different anymore.
EDIT: Looks like it’s still maintained.
It is maintained.
I stand corrected. Looks like it is.
I am too lazy to research it and still wondering.
The arch wiki wrote about linux-hardened. You can repeat what they say like a machine.
You cannot trust us doing researches for you.
i like to see questions like this when it’s something i’ve never heard about (new to linux), and then come and read an eli5. it’s an easy way for us noobs to collect information and there are always people who enjoy explaining this stuff.
Their words shows that they purely depend on people to quote information for them and they are not going to do researches.
The same as “anything-hardened” OS is. WTF. Next question.
Windows-hardened?
“Windows-hardened” is SteamOS at this point.
Uncle hard?
