Hardening LEDE / ANSSI

Dear all,

Pardon my ignorance, but I would like to learn more about LEDE.
These are newbie questions, just for learning.

I used a reference document from the French National Security Agency, ANSSI:

(please note I am not from ANSSI).

  1. Sysctl.conf
    Page 20, R23: /etc/sysctl.conf recommendations
    "Y" indicates that LEDE supports these settings by default;
    "N" indicates no support in LEDE.

Please advise whether it would be useful to apply the recommended settings in LEDE.

# Disable SysRq
kernel.sysrq = 0 #N
# No core dumps from setuid executables
fs.suid_dumpable = 0 #Y
# Forbid dereferencing links to files not owned by the current user
# May prevent some programs from working correctly
fs.protected_symlinks = 1 #N
fs.protected_hardlinks = 1 #N
# Enable ASLR
kernel.randomize_va_space = 2 #Y
# Forbid mapping memory at low addresses (0)
vm.mmap_min_addr = 65536 #N
# Larger range for PID values
kernel.pid_max = 65536 #Y
# Hide kernel memory addresses
kernel.kptr_restrict = 1 #N
# Restrict access to the dmesg buffer
kernel.dmesg_restrict = 1 #N
# Restrict use of the perf subsystem
kernel.perf_event_paranoid = 2 #N
kernel.perf_event_max_sample_rate = 1 #N
kernel.perf_cpu_time_max_percent = 1 #N

In LEDE, symlinks and hardlinks are not protected, is this normal?

  2. IPv6 and module loading
    Using /etc/rc.local I disabled IPv6 and kernel module loading after the kernel boots up:
    sysctl -w kernel.modules_disabled=1
    sysctl -w net.ipv6.conf.all.disable_ipv6=1
    exit 0

Is it the right place?

  3. Compilation options
    Is LEDE compilation hardened (I suppose YES)?

  4. Do you recommend other security features?
    Are you planning a grsec kernel (would it be of any interest)?

  5. Serial console password
    Is serial console protected by password?

  6. Are there plans to run services with some kind of isolation?

Kind regards,
French Fries

I cannot answer all your questions - but the appropriate place for 2) is /etc/sysctl.conf or /etc/sysctl.d/.

  1. Hardening options, by default:
  • GCC format security
  • Userspace stack-smashing protection: regular
  • Kernelspace stack-smashing protection: regular
  • Enable buffer-overflows detection: conservative
  • Enable RELRO protection: full

Hope that helps.
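To follow up on the sysctl list in the first post and the suggestion above to put such settings in /etc/sysctl.d/, here is an added example (not code from the thread or from LEDE itself). It is a small POSIX shell script that reads a file of recommended sysctl settings, prints a Y/N per key against what the running kernel exposes under /proc/sys, and writes only the keys the kernel actually has into a sysctl.d-style file, so that a kernel built without, say, perf support does not produce errors for kernel.perf_event_paranoid when the file is applied. The SYSFS_ROOT variable is an assumption of this script: it defaults to /proc/sys and can be pointed at a constructed directory tree to try the script without root or a router.

```sh
#!/bin/sh
# Added example, not from the thread or from LEDE: compare a file of
# recommended sysctl settings (e.g. the ANSSI R23 list) with the running
# kernel, and write only the keys this kernel exposes to a sysctl.d file.
# Assumption: SYSFS_ROOT defaults to /proc/sys; pointing it at a
# constructed directory tree allows offline testing without root.

SYSFS_ROOT="${SYSFS_ROOT:-/proc/sys}"

# "kernel.kptr_restrict" -> "$SYSFS_ROOT/kernel/kptr_restrict"
sysctl_path() {
    printf '%s/%s\n' "$SYSFS_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}

# Current value of one key, or "missing" if the kernel does not expose it
# (for example kernel.perf_event_paranoid on a kernel built without perf).
sysctl_current() {
    _p=$(sysctl_path "$1")
    if [ -r "$_p" ]; then
        tr -d '\n' < "$_p"
    else
        printf 'missing'
    fi
}

# Strip "#" comments and blank lines, leaving only "key = value" lines.
strip_conf() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Print "key recommended=... current=... Y|N" for every key in the file.
check_sysctl_file() {
    strip_conf "$1" | while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -d '[:space:]')
        have=$(sysctl_current "$key")
        if [ "$have" = "$want" ]; then status=Y; else status=N; fi
        printf '%-36s recommended=%-6s current=%-8s %s\n' \
            "$key" "$want" "$have" "$status"
    done
}

# Number of keys whose current value differs from (or lacks) the recommendation.
count_noncompliant() {
    check_sysctl_file "$1" | awk '$NF == "N" { n++ } END { print n + 0 }'
}

# Write a sysctl.d-style file with only the keys this kernel exposes;
# unsupported keys are kept as comments so the omission stays visible.
write_supported() {
    strip_conf "$1" | while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -d '[:space:]')
        if [ -r "$(sysctl_path "$key")" ]; then
            printf '%s = %s\n' "$key" "$want"
        else
            printf '# %s: not exposed by this kernel, skipped\n' "$key"
        fi
    done > "$2"
}

# Usage on the router (as root), with the recommendations saved as anssi.conf:
#   sh sysctl_check.sh anssi.conf
#   write_supported anssi.conf /etc/sysctl.d/10-anssi.conf
#   sysctl -p /etc/sysctl.d/10-anssi.conf
if [ -n "${1:-}" ]; then
    check_sysctl_file "$1"
fi
```

One caveat for the module-loading line from the first post: kernel.modules_disabled=1 is one-way and cannot be cleared until the next reboot, so wherever it ends up (rc.local or a sysctl.d file), make sure every module the device needs has already been loaded at that point in the boot sequence before enabling it.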

  1. Nope. Would be cool to have that. Hmm, will see if I can get this accepted.

  2. Currently most daemons run as non-root users that lack shell access.

Thank you for the clarification.

If you read French, another nice document is: https://www.ssi.gouv.fr/uploads/IMG/pdf/NP_Politique_pare_feu_NoteTech.pdf
which is the "Firewalling technical note".

In LEDE, I can enable logging on an interface with option log '1'
and then send the logs to a remote host using rsyslogd.

How to log a precise rule within Luci or manually?
How to log rejected packets?