10:15 p.m.
Add `slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on
randomize_kstack_offset=on vsyscall=none ` as default kernel command line arguments. This
can help prevent local exploits by making it harder to exploit the kernel. I do not think
there will be any breakage, I have been using these for a long time. The performance
impact is minimal, a few of these can improve performance.
This can help increase the security of Fedora, while also not causing any other problems.
Many users do not know what kernel command line arguments are, so doing this will help
them with the security of their system. This does not address every problem, or even most
of them, but every little bit matters.
1:50 p.m.
Hello,
On Wednesday, May 18, 2022 11:15:16 PM EDT Hellosway Here via devel wrote:
Add `slab_nomerge init_on_alloc=1 init_on_free=1
page_alloc.shuffle=1
pti=on randomize_kstack_offset=on vsyscall=none ` as default kernel
command line arguments. This can help prevent local exploits by making it
harder to exploit the kernel. I do not think there will be any breakage, I
have been using these for a long time. The performance impact is minimal,
a few of these can improve performance.
I spent quite some time studying these to make some recommendations for the
RHEL 9 SCAP Security Guide. The init_on_free is not cacheline friendly. It
will impact performance. But I have to ask, since the SCAP Security Guide +
openscap can manage the kernel settings, do we need to turn them on by
default? And wouldn't you want to have certain sysctls also set? For example,
you might want to turn off user name spaces.
The problem is that there really isn't a one size fits all. Turning off user
namespaces will make some people unhappy. Turning off vsyscalls will make
some people unhappy. Because these all are configurable, should this be part
of an overall security hardening plan? And managed by a tool that can check
that everything is still how you think it should be? And maybe with a GUI
tool that let's you tailor the policy to your needs?
Best Regards,
-Steve
This can help increase the security of Fedora, while also not causing
any
other problems. Many users do not know what kernel command line arguments
are, so doing this will help them with the security of their system. This
does not address every problem, or even most of them, but every little bit
matters.
7:06 p.m.
This thread was accidentally reposted, please reply to this one
https://lists.fedorahosted.org/archives/list/devel@lists.fedoraproject.or...
.
I think it would be useful is there was a centralized CLI and GUI intyerface for these,
but it doesn't exist yet. You have to open multiple configuration files, which most
users will not do.
8:36 p.m.
On 5/23/22 14:50, Steve Grubb wrote:
Hello,
On Wednesday, May 18, 2022 11:15:16 PM EDT Hellosway Here via devel wrote:
> Add `slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1
> pti=on randomize_kstack_offset=on vsyscall=none ` as default kernel
> command line arguments. This can help prevent local exploits by making it
> harder to exploit the kernel. I do not think there will be any breakage, I
> have been using these for a long time. The performance impact is minimal,
> a few of these can improve performance.
I spent quite some time studying these to make some recommendations for the
RHEL 9 SCAP Security Guide. The init_on_free is not cacheline friendly. It
will impact performance. But I have to ask, since the SCAP Security Guide +
openscap can manage the kernel settings, do we need to turn them on by
default? And wouldn't you want to have certain sysctls also set? For example,
you might want to turn off user name spaces.
I honestly have no idea how to use openscap, and my attempts to use it
did not go very well. I would much rather have the system be secure
by default.
The problem is that there really isn't a one size fits all.
Turning off user
namespaces will make some people unhappy. Turning off vsyscalls will make
some people unhappy. Because these all are configurable, should this be part
of an overall security hardening plan? And managed by a tool that can check
that everything is still how you think it should be? And maybe with a GUI
tool that let's you tailor the policy to your needs?
A GUI tool would be great.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
3:45 a.m.
W dniu 19.05.2022 o 05:15, Hellosway Here via devel pisze:
Add `slab_nomerge init_on_alloc=1 init_on_free=1
page_alloc.shuffle=1
pti=on randomize_kstack_offset=on vsyscall=none ` as default kernel
command line arguments.
Some of them are a matter of kernel configuration options. Which is
better option than adding yet another set of variables to kernel command
line.
702
days inactive
707
days old
4 comments
5 participants
participants (5)
-
Demi Marie Obenour -
Glorious Hellosway -
Hellosway Here
-
Marcin Juszkiewicz -
Steve Grubb