Your system exactly how you want it to be, which will be extremely useful, especially when we come to more secure compilation The best distribution to use as a base for your hardened operating system would be Gentoo Linux, as it allows you to configure Large number of vulnerabilities, including a few high severity ones. Within LibreSSL's first year, it mitigated a Superior programming practices and eradicatesĪ lot of attack surface. LibreSSL is a fork of OpenSSL by the OpenBSD team that applies These abhorrent security practices are what led to the dreaded Heartbleed vulnerability. For example, it still maintains OS/2 and VMS support -Īncient operating systems that are multiple decades old. Tremendous amounts of totally unnecessary attack surface and follows poor security practices. Preferably use a distribution that utilises LibreSSL by default rather than Particularly its hardened memory allocator, heavily inspired by GrapheneOS' hardened_malloc. musl also has invested in decent exploit mitigations, Symptomatic of underlying security issues. While counting CVEs by itself is often an inaccurate statistic, in this case, it represents an overarching issue and is Over a hundred vulnerabilities in glibc have been publicly disclosed, compared to the Such as glibc are overly complex and prone to vulnerabilities. musl is heavily focused on minimality, which results in very small attack surface, whereas other C libraries Sandboxing utilities like bubblewrap, as documented below. While a common argument in favour of systemd is its ability to sandbox system services, this can be replicated on other init systems through An init system should not need many lines of code to function properly. More things than necessary and goes beyond what an init system should do. Systemd contains a lot of unnecessary attack surface and inserts aĬonsiderable amount of complexity into the most privileged user space component it attempts to do far Use a distribution with an init system other than systemd. There are many factors that go into choosing a good Linux distribution.Īvoid distributions that freeze packages, as they are often quite behind on security updates. Distribution-specific hardening 20.1 HTTPS package manager mirrors Entropy 18.1 Additional entropy sourcesĢ0. IPv6 privacy extensions 16.1 NetworkManagerġ8. Identifiers 10.1 Hostnames and usernamesġ1. LTSĢ.3 Boot parameters 2.3.1 Kernel self-protectionĢ.5 Kernel attack surface reduction 2.5.1 Boot parametersĤ.2 Common sandbox escapes 4.2.1 PulseAudioĨ.5 Increasing the number of hashing roundsġ0. Words beginning with "$" sign indicate a variable that may differ between users as to suit theirĬontents 1. Whether or not this is applicable to you depends on your personal threatĪll commands listed in this guide will require root privileges. The attack surface presented by a specific program may be too large to be acceptable. At its core, hardening is reducing the ways in which your system can be attacked. Security concerns, but this is not out of disdain. Certain software is recommended against in this guide due to This guide is also not meant to attack a particular group of people or software. This guide is not intended to be followed exactly - readers must examine their own threat model and decide which Not performance, usability or anything else. This guide is focused purely on security and privacy. This guide attempts to be distribution-agnostic and is not tied to any specific one.ĭISCLAIMER: Do not attempt to apply anything in this article if you do not know exactly what you are doing. How to harden Linux as much as possible for security and privacy. However, there are steps you can take to improve it. Linux Hardening Guide | Madaidan's Insecurities □ Linux Hardening Guide
0 Comments
Leave a Reply. |