Dear all,
Pardon my ignorance, but I would like to learn more about LEDE.
These are newbie questions, this is just for learning.
I used a reference document from the French National Security Agency ANSSI:
(please note I am not from ANSSI).
- Sysctl.conf
Page 20, R23: /etc/sysctl.conf recommendations
"Y" indicates that LEDE supports these settings by default:
"N" indicates no support in LEDE.
Please advise if it would be useful to apply the recommended settings in LEDE
# Disable SysReq
kernel.sysrq = 0 #N
# No core dumps of setuid executables
fs.suid_dumpable = 0 #Y
# Forbid dereferencing links to files that
# the current user does not own
# May prevent some programs from working correctly
fs.protected_symlinks = 1 #N
fs.protected_hardlinks = 1 #N
# Enable ASLR
kernel.randomize_va_space = 2 #Y
# Forbid mapping memory at low addresses (0)
vm.mmap_min_addr = 65536 #N
# Larger range of possible PID values
kernel.pid_max = 65536 #Y
# Obfuscate kernel memory addresses
kernel.kptr_restrict = 1 #N
# Restrict access to the dmesg buffer
kernel.dmesg_restrict = 1 #N
# Restrict use of the perf subsystem
kernel.perf_event_paranoid = 2 #N
kernel.perf_event_max_sample_rate = 1 #N
kernel.perf_cpu_time_max_percent = 1 #N
In LEDE, symlinks and hardlinks are not protected, is this normal?
- IPv6 and module loading
Using /etc/rc.local I disabled IPv6 and kernel module loading after the kernel boots up:
sysctl -w kernel.modules_disabled=1
sysctl -w net.ipv6.conf.all.disable_ipv6=1
exit 0
Is it the right place?
- Compilation options
Is LEDE compilation hardened (I suppose YES)?
- Do you recommend other security features?
Are you planning a grsec kernel (would it be of any interest)?
- Serial console password
CONFIG_BUSYBOX_CONFIG_LOGIN=y
Is serial console protected by password?
- Are there plans to run services with some kind of isolation?
Kind regards,
French Fries
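
An added example, not part of the original post: a POSIX sh function that compares a system's live sysctl values with the twelve settings listed in the message above and reports each as OK, DIFF or MISSING. The function name `audit_sysctl` and its optional root-directory argument are assumptions of this example; MISSING means the entry is absent or unreadable under that root.

```sh
#!/bin/sh
# Added example: compare live sysctl values with the list quoted in the post.
# audit_sysctl and its ROOT argument are names assumed for this example.

# audit_sysctl [ROOT]
#   ROOT defaults to /proc/sys; pass another directory to audit a copied tree.
#   Prints "OK key", "DIFF key have=X want=Y" or "MISSING key want=Y".
#   Returns 0 only when every key is present and equal to the listed value.
audit_sysctl() {
    root="${1:-/proc/sys}"
    bad=0
    while IFS= read -r line; do
        line="${line%%#*}"                      # drop trailing "#Y"/"#N" notes
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        # kernel.sysrq -> ROOT/kernel/sysrq (none of these keys has a dot
        # inside a path component, so a plain dot-to-slash mapping is enough)
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING $key want=$want"
            bad=$((bad + 1))
            continue
        fi
        have=$(tr -d ' \t\n' < "$path")
        if [ "$have" = "$want" ]; then
            echo "OK $key"
        else
            # Exact comparison: a stricter value also shows up as DIFF.
            echo "DIFF $key have=$have want=$want"
            bad=$((bad + 1))
        fi
    done <<'EOF'
kernel.sysrq = 0 #N
fs.suid_dumpable = 0 #Y
fs.protected_symlinks = 1 #N
fs.protected_hardlinks = 1 #N
kernel.randomize_va_space = 2 #Y
vm.mmap_min_addr = 65536 #N
kernel.pid_max = 65536 #Y
kernel.kptr_restrict = 1 #N
kernel.dmesg_restrict = 1 #N
kernel.perf_event_paranoid = 2 #N
kernel.perf_event_max_sample_rate = 1 #N
kernel.perf_cpu_time_max_percent = 1 #N
EOF
    [ "$bad" -eq 0 ]
}
```

Source the file and call `audit_sysctl` with no argument to check the running kernel under /proc/sys.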