Re: [Tails-dev] Linux kernel hardening checker

Author: boyska
Date:  
To: tails-dev
Subject: Re: [Tails-dev] Linux kernel hardening checker
On 06/10/23 18:31, David A. Wheeler wrote:
> FYI:
>
> I've learned of a "Linux kernel hardening checker":
> https://github.com/a13xp0p0v/kernel-hardening-checker


thanks for this!

> It might be interesting to run & see if there are missing hardening
> measures that
> should be applied in Tails.


I ran it in a regular Tails, using
sysctl -a > sysctl.txt
kernel-hardening-checker -s sysctl.txt
It gives us 4 suggestions:
- user.max_user_namespaces should be 0. I think we disagree on this.
- dev.tty.legacy_tiocsti should be 0. we don't have this option
- fs.protected_fifos should be 2 instead of 1. sounds good.
- kernel.yama.ptrace_scope should be 3 instead of 1. sounds good.

When it comes to
kernel-hardening-checker -m show_fail -l /proc/cmdline -c
/boot/config-6.1.0-12-amd64 | grep cmdline

there are some more cmdline options we could consider using. I haven't
investigated those, though.

bye,

--
boyska
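An added example, not code from the thread or from the kernel-hardening-checker project: a small POSIX shell script that re-checks the four sysctl recommendations the message lists against a saved `sysctl -a` dump, so the comparison can be redone on another Tails build without re-running the whole checker. The helper names (`check_sysctl`, `check_tails_items`), the return-code convention (0 OK, 1 wrong value, 2 key absent) and the sample dump values are assumptions made for the example; the sample is constructed to resemble what the message reports (namespaces enabled, no `dev.tty.legacy_tiocsti` knob on the 6.1 kernel, `protected_fifos=1`, `ptrace_scope=1`).

```shell
#!/bin/sh
# Added example (not from the Tails thread): re-check the four sysctl
# settings kernel-hardening-checker flagged, reading a saved "sysctl -a"
# dump in its plain "key = value" line format.

# check_sysctl FILE KEY EXPECTED
# Prints OK / FAIL (current value) / MISSING (key absent from the dump).
# Returns 0 for OK, 1 for FAIL, 2 for MISSING (convention chosen here).
check_sysctl() {
    file=$1; key=$2; expected=$3
    # Match the whole key in column 1; column 3 is the first value token.
    actual=$(awk -v k="$key" '$1 == k { print $3; exit }' "$file")
    if [ -z "$actual" ]; then
        echo "MISSING $key (want $expected)"
        return 2
    elif [ "$actual" = "$expected" ]; then
        echo "OK      $key = $actual"
        return 0
    else
        echo "FAIL    $key = $actual (want $expected)"
        return 1
    fi
}

# check_tails_items FILE
# Runs the four checks from the message; returns the number of settings
# that are not at the recommended value (a MISSING key counts as not OK,
# which is what the checker itself reported for legacy_tiocsti).
check_tails_items() {
    file=$1
    bad=0
    for pair in user.max_user_namespaces=0 \
                dev.tty.legacy_tiocsti=0 \
                fs.protected_fifos=2 \
                kernel.yama.ptrace_scope=3; do
        key=${pair%%=*}; want=${pair#*=}
        check_sysctl "$file" "$key" "$want" || bad=$((bad + 1))
    done
    return $bad
}

# Constructed sample dump (assumption) approximating the values the message
# describes on the 6.1.0-12 kernel; a real run would use "sysctl -a > file".
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
fs.protected_fifos = 1
fs.protected_hardlinks = 1
kernel.yama.ptrace_scope = 1
user.max_user_namespaces = 15072
EOF

check_tails_items "$SAMPLE"
echo "settings not at recommended value: $?"
rm -f "$SAMPLE"
```

Usage: `sysctl -a > sysctl.txt` on the target, then point `check_tails_items` at that file. Note that `kernel.yama.ptrace_scope=3` is the one item here that cannot be undone at runtime: once Yama's scope is raised to 3 it stays there until reboot, so test it in a disposable session before putting it in `/etc/sysctl.d/`.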