vatson112 , 4 months ago

I will describe settings that are not so easy to google and a few new thoughts.

kptr restrict:

wiki.archlinux.org/title/security

lwn.net/Articles/420403/

Kexec:

You may google about mechanics, but basically, it is just a mechanism to ‘reexec’ your kernel to something different, usually another kernel, but you can boot netboot.xyz, for example.

But now imagine that it will boot a kernel that will dump the output of all your traffic, or will dump all your keyboard keypresses (keylogger).

These are unlikely scenarios. But I prefer to disable this feature since I don’t use it anyway.

Also, about keyloggers. Any program inside your X session may grab all your keyboard events. Literally last week I wrote a keylogger in rust in 70 lines of code. Therefore, use Wayland.

Ebpf JIT:

There I misleaded you.

There is some new information about JIT and security. See youtu.be/kvt4wdXEuRU?si=3imn8PAEbvgjWTU3

According to the update, you need to set bpf_jit_harden=2 and unprivileged_bpf_disabled=1. (Even unprivileged ebpf may crash your kernel. For some unknown reason, this is not recognized as a problem.)

Randomize virtual memory address:

techtarget.com/…/address-space-layout-randomizati….

systemd

If you use systemd your can use systemd-analyze tool to harden your units settings.

Also, I remember the tool you can use.

There are some security certifications - most used are pcidss or stig. There are guidelines to improve security.

You can use openscap with a profile (pcidss or stig or both) and it will check if your system satisfies these guidelines.

This may give you some thoughts.