Hello,
On Wednesday, May 18, 2022 11:15:16 PM EDT Hellosway Here via devel wrote:
Add `slab_nomerge init_on_alloc=1 init_on_free=1
page_alloc.shuffle=1
pti=on randomize_kstack_offset=on vsyscall=none ` as default kernel
command line arguments. This can help prevent local exploits by making it
harder to exploit the kernel. I do not think there will be any breakage, I
have been using these for a long time. The performance impact is minimal,
a few of these can improve performance.
I spent quite some time studying these to make some recommendations for the
RHEL 9 SCAP Security Guide. The init_on_free is not cacheline friendly. It
will impact performance. But I have to ask, since the SCAP Security Guide +
openscap can manage the kernel settings, do we need to turn them on by
default? And wouldn't you want to have certain sysctls also set? For example,
you might want to turn off user name spaces.
The problem is that there really isn't a one size fits all. Turning off user
namespaces will make some people unhappy. Turning off vsyscalls will make
some people unhappy. Because these all are configurable, should this be part
of an overall security hardening plan? And managed by a tool that can check
that everything is still how you think it should be? And maybe with a GUI
tool that let's you tailor the policy to your needs?
Best Regards,
-Steve
This can help increase the security of Fedora, while also not causing
any
other problems. Many users do not know what kernel command line arguments
are, so doing this will help them with the security of their system. This
does not address every problem, or even most of them, but every little bit
matters.