gedankensplitter/linux_hardening.md
2022-06-09 21:51:54 +02:00


keywords
IT
filesystem integrity
authentic filesystem

secureboot

Most distributions are delivered with a Microsoft-signed SHIM bootloader, which should allow booting with Secure Boot active without deleting the OEM keys. The SHIM bootloader is controlled with mokutil.

  • systemctl reboot --firmware
  • bootctl
  • efibootmgr -v
  • mokutil --sb-state
  • mokutil --list-enrolled
  • mokutil --enable-validation
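Added example (not part of the original note): the commands above ask mokutil, but the same two facts can be read straight from efivarfs, which is handy on minimal systems or in a rescue shell. The script below reads the SecureBoot and SetupMode variables (both under the EFI global variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c); the file path is a parameter so the parsing can be checked on a constructed file. SetupMode is worth checking next to SecureBoot: a firmware still in setup mode accepts key-database writes without a signed update, so the key databases are not yet locked down even if SecureBoot reads as enabled.

```shell
#!/bin/sh
# Added example (not from the original note): read the SecureBoot and SetupMode
# EFI variables directly from efivarfs instead of relying on mokutil.
# efivarfs layout: 4 bytes of attribute flags, then the variable data.
# Both variables live under the EFI global variable GUID.
EFIVARS=/sys/firmware/efi/efivars
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE: print the first data byte (after the 4-byte attribute
# header) as a decimal number; fails if the file is unreadable.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -t u1 -j 4 -N 1 "$1" | tr -d ' \n'
}

# secureboot_state [FILE]: prints "enabled", "disabled" or "unknown".
secureboot_state() {
    f="${1:-$EFIVARS/SecureBoot-$GLOBAL_GUID}"
    v=$(efivar_byte "$f") || { echo unknown; return 2; }
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 2 ;;
    esac
}

# setup_mode [FILE]: "setup" means the firmware accepts unauthenticated
# PK/KEK/db writes, i.e. the key databases are not yet locked down.
setup_mode() {
    f="${1:-$EFIVARS/SetupMode-$GLOBAL_GUID}"
    v=$(efivar_byte "$f") || { echo unknown; return 2; }
    case "$v" in
        1) echo setup ;;
        0) echo user ;;
        *) echo unknown; return 2 ;;
    esac
}

# Stand-alone usage: `sh secureboot_check.sh --report` summarises both flags
# for the running system (hypothetical file name).
if [ "${1:-}" = "--report" ]; then
    echo "SecureBoot: $(secureboot_state)"
    echo "SetupMode:  $(setup_mode)"
fi
```

On a machine without EFI (legacy BIOS boot) efivarfs is absent and both functions report "unknown" with exit status 2, which is the honest answer rather than "disabled".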

ubuntu

Ubuntu provides an update-secureboot-policy script to generate and enroll a Secure Boot MOK, but this needs an already active Secure Boot with the MS keys, and that needs to be active while booting the installer.

cryptsetup luks

  • cryptsetup luksDump /dev/sdaX
  • cryptsetup luksChangeKey /dev/sdaX
  • cryptsetup luksErase /dev/sdaX

resource: http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/

lkrg - linux kernel runtime guard

Arch Linux can build it from the AUR; Debian/Ubuntu can use the precompiled *.deb package. It should be available for x64, arm64 and arm.

data integrity aka bitrot

General kernel background: https://github.com/torvalds/linux/blob/master/Documentation/block/data-integrity.rst. The solution so far that works around end-user hardware limitations (like missing ECC RAM, grr): https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-integrity.rst. So it should be more or less the same to use integrity with or without encryption:

the structure used to get this done:

  • block device -> dm-integrity -> mdadm/lvm2 (RAID1) -> btrfs
  • block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs

  • cryptsetup benchmark
  • GPT-formatted block devices so they get recognized properly under Windows
  • complete header backup
  • block device sector size
  • block device support for SCT/ERC
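Added example (not part of the original note): a pre-flight check for the stack above that covers the "block device sector size" and "complete header backup" items. It reads the logical and physical sector sizes a drive reports via sysfs, derives the `--sector-size` to pass to integritysetup and cryptsetup so the integrity tags and the encryption granularity line up with the drive's real physical sector, flags 512e drives, and prints the command plan for one member device of the encrypted variant (integrity under LUKS, with the LUKS header backup taken right after luksFormat). The sysfs directory is a parameter so the logic can be exercised on a constructed directory; the device names and the `.luksheader` file name are placeholders. Nothing is executed, the plan is for review.

```shell
#!/bin/sh
# Added example (not from the original note): sector-size pre-flight for a
# dm-integrity / LUKS2 stack, plus a printed command plan for one member device.

# queue_dir DEV: sysfs queue directory for a block device name, e.g. "sda".
queue_dir() { echo "/sys/block/$1/queue"; }

# read_size DIR NAME: print the integer stored in DIR/NAME, or fail.
read_size() {
    [ -r "$1/$2" ] || return 1
    tr -cd '0-9' < "$1/$2"
}

# recommended_sector_size DIR: the larger of logical and physical sector size,
# clamped to the 512..4096 range that dm-integrity and LUKS2 accept.
recommended_sector_size() {
    lbs=$(read_size "$1" logical_block_size) || return 1
    pbs=$(read_size "$1" physical_block_size) || return 1
    s=$lbs
    [ "$pbs" -gt "$s" ] && s=$pbs
    [ "$s" -lt 512 ] && s=512
    [ "$s" -gt 4096 ] && s=4096
    echo "$s"
}

# is_512e DIR: succeeds when the drive emulates 512-byte logical sectors on
# top of larger physical ones; true 512n and 4Kn drives fail this test.
is_512e() {
    lbs=$(read_size "$1" logical_block_size) || return 2
    pbs=$(read_size "$1" physical_block_size) || return 2
    [ "$pbs" -gt "$lbs" ]
}

# stack_commands DEV SECTOR: print, in order, the commands that build the
# integrity + LUKS2 layers for one member device. RAID1 (mdadm/lvm2) and btrfs
# are then created on top of the /dev/mapper/<name>_crypt devices.
stack_commands() {
    dev=$1; s=$2; name=$(basename "$dev")
    cat <<EOF
integritysetup format --sector-size $s --integrity sha256 $dev
integritysetup open --integrity sha256 $dev ${name}_int
cryptsetup luksFormat --type luks2 --sector-size $s /dev/mapper/${name}_int
cryptsetup luksHeaderBackup /dev/mapper/${name}_int --header-backup-file ${name}.luksheader
cryptsetup open /dev/mapper/${name}_int ${name}_crypt
EOF
}

# Stand-alone usage: `sh stack_preflight.sh sdb` (hypothetical file name).
if [ -n "${1:-}" ]; then
    d=$(queue_dir "$1")
    s=$(recommended_sector_size "$d") || { echo "cannot read $d" >&2; exit 1; }
    if is_512e "$d"; then echo "$1: 512e drive, using physical sector size"; fi
    echo "$1: --sector-size $s"
    stack_commands "/dev/$1" "$s"
fi
```

Keep the `.luksheader` backup off the encrypted device itself; a LUKS header that is lost or overwritten makes the data unrecoverable regardless of how many RAID copies exist, which is why the backup step sits directly after luksFormat in the plan.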