Linux Kernel Defence Map – Security Hardening Concepts
a year ago
- Linux kernel security is complex, involving vulnerability classes, exploitation techniques, bug detection mechanisms, and defense technologies.
- Defense technologies in the Linux kernel can be mainline, out-of-tree (some commercial), or hardware-dependent.
- The Linux Kernel Defence Map provides a graphical representation of security relationships, aiding navigation of documentation and kernel sources.
- The map focuses on kernel security hardening, not attack surface reduction, userspace security, or Linux Security Modules (LSM) policies.
- The map is available on GitHub, Codeberg, and GitFlic, written in DOT language, and licensed under GPL-3.0.
- Graphviz is used to generate the map with the command: `dot -Tsvg linux-kernel-defence-map.dot -o linux-kernel-defence-map.svg`.
- Many security hardening options in the Linux kernel are not enabled by major distros and must be configured manually.
- The kernel-hardening-checker tool helps verify security hardening options automatically.
- References include works by Kees Cook, Shawn C, MSRC, Matt Miller, Abhilash Raj, and Stéphane Lesimple.
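
The kind of check that has to be done by hand when a distro leaves hardening options off, shown as an added example (not code from the map or from kernel-hardening-checker). The option list is a small illustrative subset chosen for this example, and the sample config is constructed.

```python
import re

# Illustrative subset of mainline hardening options (assumed for this example;
# not the checker's rule set). A wanted value of None means "must be unset".
EXPECTED = {
    "CONFIG_STACKPROTECTOR_STRONG": "y",
    "CONFIG_RANDOMIZE_BASE": "y",
    "CONFIG_STRICT_KERNEL_RWX": "y",
    "CONFIG_SLAB_FREELIST_HARDENED": "y",
    "CONFIG_HARDENED_USERCOPY": "y",
    "CONFIG_INIT_ON_ALLOC_DEFAULT_ON": "y",
    "CONFIG_DEVMEM": None,
}
SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Return {option: value}; value is None for '# CONFIG_X is not set'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = None
    return opts

def audit(text, expected=EXPECTED):
    """Return (option, wanted, found) for every option that does not match."""
    opts = parse_kconfig(text)
    # An option absent from the file is treated the same as "is not set".
    return [(name, want, opts.get(name))
            for name, want in expected.items() if opts.get(name) != want]

# Constructed sample, not taken from any real distribution config.
SAMPLE = """\
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
CONFIG_HARDENED_USERCOPY=y
CONFIG_DEVMEM=y
"""

if __name__ == "__main__":
    for name, want, found in audit(SAMPLE):
        print(f"FAIL {name}: want {want or 'not set'}, found {found or 'not set'}")
```

On a running system the text to audit is typically the contents of `/boot/config-$(uname -r)`.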