Hardening LEDE / ANSSI

Dear all,

Pardon my ignorance, but I would like to learn more about LEDE.
These are newbie questions; this is just for learning.

I used a reference document from the French National Security Agency, ANSSI:


(please note I am not from ANSSI).

  1. Sysctl.conf
    Page 20, R23: /etc/sysctl.conf recommendations
    "Y" indicates that LEDE supports these settings by default:
    "N" indicates no support in LEDE.

Please advise whether it would be useful to apply the recommended settings in LEDE.

# Disable SysRq
kernel.sysrq = 0 #N
# No core dumps of setuid executables
fs.suid_dumpable = 0 #Y
# Forbid dereferencing links to files that the current user
# does not own
# May prevent some programs from working correctly
fs.protected_symlinks = 1 #N
fs.protected_hardlinks = 1 #N
# Enable ASLR
kernel.randomize_va_space = 2 #Y
# Forbid mapping memory at low addresses (0)
vm.mmap_min_addr = 65536 #N
# Larger range of PID values
kernel.pid_max = 65536 #Y
# Obfuscate kernel memory addresses
kernel.kptr_restrict = 1 #N
# Restrict access to the dmesg buffer
kernel.dmesg_restrict = 1 #N
# Restrict use of the perf subsystem
kernel.perf_event_paranoid = 2 #N
kernel.perf_event_max_sample_rate = 1 #N
kernel.perf_cpu_time_max_percent = 1 #N

In LEDE, symlinks and hardlinks are not protected; is this normal?

  2. IPv6 and module loading
    Using /etc/rc.local, I disabled IPv6 and kernel module loading after the kernel boots:
    sysctl -w kernel.modules_disabled=1
    sysctl -w net.ipv6.conf.all.disable_ipv6=1
    exit 0

Is it the right place?

  3. Compilation options
    Is LEDE compilation hardened (I suppose YES)?

  4. Do you recommend other security features?
    Are you planning a grsec kernel (would it be of any interest)?

  5. Serial console password
    CONFIG_BUSYBOX_CONFIG_LOGIN=y
    Is serial console protected by password?

  6. Are there plans to run services with some kind of isolation?

Kind regards,
French Fries
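An offline checker for a list like the one in question 1, added here as an example and not code from the thread or from LEDE: it takes a "key = value" recommendation file (with "#" comments allowed) and reports which keys deviate from the current values in /proc/sys, or from a saved snapshot file named in SYSCTL_SNAPSHOT. The file format and the SYSCTL_SNAPSHOT variable are assumptions of this example.

```shell
#!/bin/sh
# Offline audit of a sysctl recommendation list (constructed example, not code
# from the thread or from LEDE). The recommendation file holds "key = value"
# lines with optional "#" comments, like the ANSSI list above. Current values
# are read from /proc/sys, or from a "key = value" snapshot file named in
# SYSCTL_SNAPSHOT (e.g. a saved "sysctl -a" dump) so the check can run offline.

# Print the value of one key from a "key = value" file; print nothing if absent.
value_from_file() {
    awk -v k="$1" -F'=' '
        /^[ \t]*#/ || NF < 2 { next }
        { gsub(/[ \t]/, "", $1) }
        $1 == k { sub(/#.*/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }
    ' "$2"
}

# Current value of a sysctl key, from the snapshot file if one is set.
current_value() {
    if [ -n "${SYSCTL_SNAPSHOT:-}" ]; then
        value_from_file "$1" "$SYSCTL_SNAPSHOT"
    else
        f="/proc/sys/$(printf '%s' "$1" | tr . /)"
        [ -r "$f" ] || return 0
        tr '\t' ' ' < "$f"
    fi
}

# Compare every recommended key with its current value. Prints one line per
# deviation or missing key; exit status is 0 only when everything matches.
audit_sysctl() {
    rec=$1
    bad=0
    for key in $(awk -F'=' '!/^[ \t]*#/ && NF >= 2 { gsub(/[ \t]/, "", $1); print $1 }' "$rec"); do
        want=$(value_from_file "$key" "$rec")
        have=$(current_value "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key recommended=$want (key not present on this kernel)"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "DEVIATES $key current=$have recommended=$want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Run directly: sh audit_sysctl.sh /etc/sysctl.conf
if [ -n "${1:-}" ]; then
    audit_sysctl "$1"
fi
```

A non-zero exit status makes it usable as a post-boot check from a cron job or an init script, and the MISSING lines show which recommendations simply do not exist on the running kernel.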

I cannot answer all your questions - but the appropriate place for 2) is /etc/sysctl.conf or /etc/sysctl.d/.

  1. Hardening options, by default:
  • GCC format security
  • Userspace stack-smashing protection: regular
  • Kernelspace stack-smashing protection: regular
  • Enable buffer-overflows detection: conservative
  • Enable RELRO protection: full

Hope that helps.

  1. Nope. Would be cool to have that. Hmm, will see if I can get this accepted.

  2. Currently most daemons run as non-root users that lack access to a shell:

    root@lede:/# cat /etc/passwd
    root:x:0:0:root:/root:/bin/ash
    daemon:*:1:1:daemon:/var:/bin/false
    ftp:*:55:55:ftp:/home/ftp:/bin/false
    network:*:101:101:network:/var:/bin/false
    nobody:*:65534:65534:nobody:/var:/bin/false
    dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false

Thank you for the clarification.

If you read French, another nice document is: https://www.ssi.gouv.fr/uploads/IMG/pdf/NP_Politique_pare_feu_NoteTech.pdf
which stands for "Firewalling technical note".

In LEDE, I can enable logging on an interface in /etc/config/firewall with option log '1' and then send the logs remotely using rsyslogd.

How to log a precise rule within LuCI or manually?
How to log rejected packets?