Harden your Linux Kernel from End2End.

MikeHorn-git/Kernel-Hardening

Warning

Use it at your own risk and for your own needs. Read the content of the files before proceeding; certain features are disabled.

Description

Configure, build, install, benchmark, tweak and fuzz the Linux Kernel with a security-focused approach. This can be used to harden your OS or for Linux Kernel security research.

Kconfig

.config: my custom Kconfig file, following best practices. Build your own Kconfig file with the TUI-based Kconfig editor shipped with the Linux Kernel source code:

# Inside the Linux kernel source code root path
make menuconfig

.Kernel-Hardening-Checker: the Kconfig file generated by kernel-hardening-checker. Generate it with:

# Use your target architecture
kernel-hardening-checker -g X86_64 | tee .Kernel-Hardening-Checker

These Kconfig files are stored in Kconfigs/

Blacklisted Modules (100+)

  • Driver
  • Filesystem
  • Graphics
  • Input devices
  • Network
  • Storage

These blacklisted kernel modules are listed in conf/blacklist.conf

GRUB Parameters (25)

  • Debugging and Diagnostics
  • Randomness
  • Security features
  • Vulnerability mitigation

These GRUB parameters are stored in conf/grub.txt

Kernel Parameters (50+)

  • FileSystem
  • Kernel
  • Network

These kernel parameters are stored in conf/sysctl.conf

Installation Script

# Backup your files before running
git clone https://github.com/MikeHorn-git/Kernel-Hardening.git
cd Kernel-Hardening/scripts
chmod +x install.sh
./install.sh

  • Add GRUB entries
  • Copy blacklist.conf
  • Copy sysctl.conf
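After running install.sh (and rebooting, since GRUB entries only take effect on the next boot), it is worth confirming that the three kinds of settings it deploys are actually in force. The following script is an added example and is not part of the Kernel-Hardening repository. It assumes blacklist.conf uses "blacklist <module>" lines, sysctl.conf uses "key = value" lines and grub.txt lists one boot parameter per line; the sample inputs it writes (module list, sysctl output, command line) are constructed, and each deliberately contains one setting that was not applied. For a live audit, point the functions at conf/blacklist.conf and /proc/modules, conf/sysctl.conf and a saved `sysctl -a` output, and conf/grub.txt and /proc/cmdline.

```shell
#!/bin/sh
# Added example, not a script from the Kernel-Hardening repository.
# Audits whether the settings install.sh deploys are in effect:
#   blacklist.conf -> no blacklisted module is loaded (/proc/modules format)
#   sysctl.conf    -> runtime values match (`sysctl -a` output format)
#   grub.txt       -> every parameter is on the kernel command line (/proc/cmdline)
# Assumed file formats: "blacklist <module>", "key = value", one parameter per line.
# Each audit_* function prints OK/FAIL lines and returns the number of failures.

# Trim and collapse whitespace so "3<tab>3<tab>3<tab>3" and "3 3 3 3" compare equal.
squeeze() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | tr -s '[:space:]' ' '
}

audit_modules() {
    conf=$1 loaded=$2 fails=0
    while read -r key name _; do
        [ "$key" = "blacklist" ] || continue          # skip comments and "install" lines
        name=$(printf '%s' "$name" | tr '-' '_')       # /proc/modules names use underscores
        if grep -q "^$name " "$loaded"; then
            echo "FAIL module $name is blacklisted but loaded"
            fails=$((fails + 1))
        else
            echo "OK   module $name not loaded"
        fi
    done < "$conf"
    return "$fails"
}

audit_sysctl() {
    conf=$1 runtime=$2 fails=0
    while read -r line; do
        line=${line%%#*}                               # drop comments
        case $line in *=*) ;; *) continue ;; esac       # skip blank lines
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(squeeze "${line#*=}")
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the grep pattern
        have=$(grep "^$pat[[:space:]]*=" "$runtime" | sed 's/^[^=]*=//')
        have=$(squeeze "$have")
        if [ "$have" = "$want" ]; then
            echo "OK   $key = $have"
        else
            echo "FAIL $key: want '$want', have '${have:-<unset>}'"
            fails=$((fails + 1))
        fi
    done < "$conf"
    return "$fails"
}

audit_cmdline() {
    params=$1 cmdline=$2 fails=0
    have=" $(tr -s '[:space:]' ' ' < "$cmdline") "      # pad so only whole tokens match
    while read -r p; do
        p=$(printf '%s' "${p%%#*}" | tr -d '[:space:]')
        [ -n "$p" ] || continue
        case $have in
            *" $p "*) echo "OK   $p" ;;
            *) echo "FAIL $p missing from kernel command line"; fails=$((fails + 1)) ;;
        esac
    done < "$params"
    return "$fails"
}

# Constructed sample data (not the repository's files); one setting per file is unapplied.
write_samples() {
    dir=$1
    printf 'blacklist firewire-core\nblacklist bluetooth\n# comment\nblacklist cramfs\n' > "$dir/blacklist.conf"
    printf 'bluetooth 800000 2 - Live 0x0000000000000000\nxfs 1200000 1 - Live 0x0000000000000000\n' > "$dir/modules"
    printf 'kernel.kptr_restrict = 2\nkernel.dmesg_restrict=1\nkernel.printk = 3 3 3 3\n' > "$dir/sysctl.conf"
    printf 'kernel.kptr_restrict = 2\nkernel.dmesg_restrict = 0\nkernel.printk = 3\t3\t3\t3\n' > "$dir/sysctl.out"
    printf 'slab_nomerge\ninit_on_alloc=1\nrandomize_kstack_offset=on\n' > "$dir/grub.txt"
    printf 'BOOT_IMAGE=/vmlinuz-6.9.1 root=/dev/sda2 ro slab_nomerge init_on_alloc=1\n' > "$dir/cmdline"
}

# Run against the constructed samples; each audit reports exactly one FAIL.
d=$(mktemp -d)
write_samples "$d"
audit_modules "$d/blacklist.conf" "$d/modules"
audit_sysctl  "$d/sysctl.conf"    "$d/sysctl.out"
audit_cmdline "$d/grub.txt"       "$d/cmdline"
rm -rf "$d"
```

The module check normalises hyphens to underscores because blacklist files are usually written with the module's file name (firewire-core) while /proc/modules reports the in-kernel name (firewire_core); without that step a loaded module would be silently missed. Note that a blacklist only stops automatic loading: a module can still be loaded explicitly, which is why the audit compares against the live module list rather than trusting the configuration file.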

Compile Kernel yourself

wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.9.1.tar.xz
tar -xf linux-6.9.1.tar.xz
cd linux-6.9.1
wget https://raw.githubusercontent.com/MikeHorn-git/Kernel-Hardening/main/Kconfigs/.config
wget https://raw.githubusercontent.com/MikeHorn-git/Kernel-Hardening/main/scripts/build.sh
chmod +x build.sh
./build.sh

  • All [Clean | Oldconfig | Build]
  • Build
  • Clean : mrproper & clean
  • Config : default X86-64 .config
  • Configbuild
  • Oldconfig
  • Oldconfigbuild
  • Rebuild : Clean and Build

It's highly recommended to run oldconfig when the kernel source is newer than the .config file.
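A quick way to tell whether that situation applies is to compare the version recorded in the .config header ("# Linux/<arch> <version> Kernel Configuration") with the VERSION, PATCHLEVEL and SUBLEVEL fields of the source tree's top-level Makefile. The script below is an added example, not part of the Kernel-Hardening repository or of build.sh; the Makefile fragment and .config headers it writes are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Kernel-Hardening repository. Decides whether
# `make oldconfig` is needed by comparing the version a .config was generated
# for with the version of the source tree it is about to be used in.

# Print the tree's version, e.g. "6.9.1", from the top-level Makefile.
source_version() {
    awk -F'[ \t]*=[ \t]*' '
        $1 == "VERSION"    { v = $2 }
        $1 == "PATCHLEVEL" { p = $2 }
        $1 == "SUBLEVEL"   { s = $2 }
        END { print v "." p "." s }' "$1"
}

# Print the version a .config was generated for, e.g. "6.8.0", from its header.
config_version() {
    sed -n 's/^# Linux\/[^ ]* \([0-9][0-9.]*\).* Kernel Configuration$/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is older than $2 (up to three numeric fields).
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Report and return 0 when the .config predates the source tree, 1 otherwise.
needs_oldconfig() {
    src=$(source_version "$1") cfg=$(config_version "$2")
    if [ -z "$cfg" ]; then
        echo "no version header in $2; run 'make oldconfig' to be safe"; return 0
    fi
    if version_lt "$cfg" "$src"; then
        echo "run 'make oldconfig': .config is for $cfg, source tree is $src"; return 0
    fi
    echo ".config ($cfg) matches or is newer than the source tree ($src)"; return 1
}

# Constructed samples: a 6.9.1 tree, one stale .config and one matching .config.
write_version_samples() {
    printf 'VERSION = 6\nPATCHLEVEL = 9\nSUBLEVEL = 1\nEXTRAVERSION =\nNAME = Constructed sample\n' > "$1/Makefile"
    printf '#\n# Automatically generated file; DO NOT EDIT.\n# Linux/x86 6.8.0 Kernel Configuration\n#\nCONFIG_STACKPROTECTOR_STRONG=y\n' > "$1/old.config"
    printf '#\n# Automatically generated file; DO NOT EDIT.\n# Linux/x86 6.9.1 Kernel Configuration\n#\nCONFIG_STACKPROTECTOR_STRONG=y\n' > "$1/new.config"
}

d=$(mktemp -d)
write_version_samples "$d"
needs_oldconfig "$d/Makefile" "$d/old.config"   # stale: recommends oldconfig
needs_oldconfig "$d/Makefile" "$d/new.config"   # up to date
rm -rf "$d"
```

In a real checkout, call it as `needs_oldconfig Makefile .config` from the source root before running build.sh. The reason the check matters for hardening is that new kernel releases add security-relevant options; oldconfig prompts for each one instead of silently taking the default, so a stale .config does not quietly leave new mitigations off.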

Test

TBD

Kernel Installation

# Change to your version
KVERSION=6.9.1
sudo cp arch/x86/boot/bzImage /boot/vmlinuz-"$KVERSION"
# Install modules
sudo make modules_install

# Create initramfs image (choose one based on your distribution)
sudo dracut --kver "$KVERSION" /boot/initramfs-"$KVERSION".img
sudo mkinitcpio -k "$KVERSION" -g /boot/initramfs-"$KVERSION".img
sudo update-initramfs -c -k "$KVERSION"

# Update GRUB so the new kernel and initramfs get a boot entry
sudo grub-mkconfig -o /boot/grub/grub.cfg

Security Benchmarks

Kernel-Hardening-Checker

# Use the config file for your Linux distribution
./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/Archlinux-hardened.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt

Spectre-meltdown-checker

# [Bonus] For a more complete approach to Linux system hardening
sudo ./spectre-meltdown-checker.sh

Kernel Fuzzing

TBD

Credits