From 20e1c9771c22a04b3a41c8dac7e0c952d151bb8e Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Wed, 12 Oct 2022 21:49:23 +0300 Subject: [PATCH] Improve the README --- README.md | 45 +++++++++++++++++++++++++++++---------------- 1 file changed, 29 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 9ecd348..a5c0cae 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,11 @@ I also created the [__Linux Kernel Defence Map__][4], which is a graphical repre relationships between security hardening features and the corresponding vulnerability classes or exploitation techniques. +__Attention!__ Changing Linux kernel security parameters may also affect system performance +and functionality of userspace software. So for choosing these parameters consider +the threat model of your Linux-based information system and perform thorough testing +of its typical workload. + ## Supported microarchitectures - X86_64 @@ -315,6 +320,13 @@ The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__ ## Questions and answers +__Q:__ How all these kernel parameters influence the Linux kernel security? + +__A:__ To answer this question, you can use the `kconfig-hardened-check` [sources of recommendations][24] +and the [Linux Kernel Defence Map][4] with its references. + +
+ __Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers! __A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs, @@ -330,13 +342,6 @@ The rationale:
-__Q:__ Why `CONFIG_GCC_PLUGINS` is automatically disabled during the kernel compilation? - -__A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu, -try to install `gcc-7-plugin-dev` package, it should help. - -
- __Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same? __A:__ I personally don't support this recommendation because: @@ -349,6 +354,16 @@ In other cases, the kernel panics, which is similar to `CONFIG_PANIC_ON_OOPS=y`.
+__Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system? +Do I really need that feature? + +__A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits +([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it +requires the corresponding support in the userspace: see the [example implementation][11] by +Tycho Andersen [@tych0][12]. + +
+ __Q:__ What about performance impact of these security hardening options? __A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8]. @@ -363,20 +378,17 @@ You can use it for the `mainline` or `stable` tree from [kernel.org][20] or for
-__Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system? -Do I really need that feature? +__Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware? -__A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits -([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it -requires the corresponding support in the userspace: see the [example implementation][11] by -Tycho Andersen [@tych0][12]. +__A:__ Checking the kernel config is not enough to answer this question. +I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14].
-__Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware? +__Q:__ Why the `CONFIG_GCC_PLUGINS` option is automatically disabled during the kernel compilation? -__A:__ Checking the kernel config is not enough to answer this question. -I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14]. +__A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu, +try to install `gcc-7-plugin-dev` package, it should help. [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings @@ -402,3 +414,4 @@ I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stép [21]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/66 [22]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/56 [23]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues?q=label%3Akernel_maintainer_feedback +[24]: https://github.com/a13xp0p0v/kconfig-hardened-check#motivation -- 2.31.1