Hardening Linux Kernel
The Linux kernel is at the heart of every Linux system. With its extensive configuration options, it comes as no surprise that specific settings can be enabled to further harden your system.

In this guide, we focus on Linux kernel configuration entries that support additional hardening of your system, as well as the configuration available through the sysctl settings.
1 Default vanilla kernel hardening
Profile matching all standard (vanilla-kernel) hardening rules
sysctl net.ipv4.ip_forward must be 0
    Remediation: echo 0 > /proc/sys/net/ipv4/ip_forward
sysctl net.ipv4.tcp_syncookies must be 1
    Remediation: echo 1 > /proc/sys/net/ipv4/tcp_syncookies
sysctl net.ipv6.conf.all.forwarding must be 0
    Remediation: echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
sysctl net.ipv6.conf.default.forwarding must be 0
    Remediation: echo 0 > /proc/sys/net/ipv6/conf/default/forwarding
kernel config CONFIG_SYN_COOKIES must be y
file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999
file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0
file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7
file /etc/pam.d/common-password must have a line that matches minlen=6
file /etc/pam.d/common-password must have a line that matches remember=
file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0
file /etc/login.defs must have a line that matches ^FAIL_DELAY
file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no
file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no
file /etc/login.defs must have a line that matches ^UID_MIN.*1000
file /etc/login.defs must have a line that matches ^UID_MAX.*60000
file /etc/login.defs must have a line that matches ^GID_MIN.*1000
file /etc/login.defs must have a line that matches ^GID_MAX.*60000
sysctl kernel.sysrq must be 0
    Remediation: echo 0 > /proc/sys/kernel/sysrq
file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5
file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des
file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set
file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes
file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes
file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd
file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes
file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd
file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes
file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes
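The profile above is written in a small rule grammar: "sysctl X must be V", "kernel config X must be V", and "file F must/may not have a line that matches R". The following is an added example, not tooling from the original page or from any hardening project: a small Python evaluator that parses a subset of these rules and audits them against a constructed system state (the sysctl values, kernel config entries and file contents in SAMPLE_* are made up for the example, not captured from a real host), reporting every rule that fails together with the page's "echo V > /proc/sys/..." remediation for sysctl rules. The rule strings are taken from the profile; the function names, the sample data and the mapping of a sysctl key to its /proc/sys path are assumptions of this example.

```python
"""Audit hardening rules in the page's grammar against a constructed system state.
Added example; not code from the original page."""
import re

# A subset of the rule lines from the profile above, copied verbatim.
RULES = [
    "sysctl net.ipv4.ip_forward must be 0",
    "sysctl net.ipv4.tcp_syncookies must be 1",
    "sysctl net.ipv6.conf.all.forwarding must be 0",
    "sysctl kernel.sysrq must be 0",
    "kernel config CONFIG_SYN_COOKIES must be y",
    "file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999",
    "file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0",
    "file /etc/login.defs must have a line that matches ^FAIL_DELAY",
    "file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5",
    "file /etc/pam.d/common-password must have a line that matches remember=",
]

# Constructed sample state (NOT read from a real host): one sysctl and one
# file rule are deliberately left in a failing state.
SAMPLE_SYSCTL = {
    "net.ipv4.ip_forward": "1",           # violates the first rule
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv6.conf.all.forwarding": "0",
    "kernel.sysrq": "0",
}
SAMPLE_KCONFIG = {"CONFIG_SYN_COOKIES": "y"}
SAMPLE_FILES = {
    "/etc/login.defs": "PASS_MAX_DAYS\t99999\nFAIL_DELAY\t3\n",
    "/etc/default/passwd": "CRYPT_FILES=sha512\n",
    # no 'remember=' option, so the common-password rule fails
    "/etc/pam.d/common-password": "password required pam_unix.so sha512\n",
}

_SYSCTL = re.compile(r"^sysctl (\S+) must be (\S+)$")
_KCONFIG = re.compile(r"^kernel config (\S+) must be (\S+)$")
_FILE = re.compile(r"^file (\S+) (must|may not) have a line that matches (.+)$")


def check_rule(rule, sysctl, kconfig, files):
    """Return True if `rule` holds for the given system state, False otherwise."""
    m = _SYSCTL.match(rule)
    if m:
        return sysctl.get(m.group(1)) == m.group(2)
    m = _KCONFIG.match(rule)
    if m:
        return kconfig.get(m.group(1)) == m.group(2)
    m = _FILE.match(rule)
    if m:
        path, mode, pattern = m.groups()
        lines = files.get(path, "").splitlines()
        # The page's patterns are regular expressions; they are searched per
        # line, so anchoring comes only from an explicit '^' in the pattern.
        found = any(re.search(pattern, line) for line in lines)
        return found if mode == "must" else not found
    raise ValueError("unrecognised rule: " + rule)


def remediation(rule):
    """Page-style remediation for a sysctl rule ('echo V > /proc/sys/a/b/c'),
    assuming the usual mapping of dotted sysctl keys to /proc/sys paths.
    Returns None for file and kernel-config rules, which need a manual edit."""
    m = _SYSCTL.match(rule)
    if not m:
        return None
    key, value = m.groups()
    return f"echo {value} > /proc/sys/{key.replace('.', '/')}"


def audit(rules, sysctl, kconfig, files):
    """Return [(rule, remediation_or_None)] for every rule that does not hold."""
    return [(r, remediation(r)) for r in rules
            if not check_rule(r, sysctl, kconfig, files)]


if __name__ == "__main__":
    for rule, fix in audit(RULES, SAMPLE_SYSCTL, SAMPLE_KCONFIG, SAMPLE_FILES):
        print("FAIL:", rule, "->", fix or "edit the file by hand")
```

Two points worth noticing when adapting this to a live host. First, writing to /proc/sys as the profile's remediation does takes effect immediately but does not survive a reboot; the same key and value also need to go into the system's persistent sysctl configuration. Second, because the patterns are searched as regular expressions, a rule such as "may not have a line that matches ^FAIL_DELAY.*0" rejects any FAIL_DELAY value containing a zero anywhere (for example 10), not only the value 0, so a stricter pattern may be wanted if that is not the intent.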