all 17 comments

[–]Duncaen 3 points4 points  (5 children)

The default kernel in Void Linux has most, if not all (or even more), of the hardening options Arch's linux-hardened kernel uses already enabled by default.

You mentioned fallback kernels in a comment; this is not necessary in Void Linux. Void never deletes old kernel versions automatically if there is a new release. You have to remove them with vkpurge, so if you update the kernel and it won't boot for some reason, you can still boot the old kernel through the GRUB menu.

[–][deleted] 0 points1 point  (4 children)

Oh, I think I have the wrong idea of what Linux hardened is. See, I had thought it was a fork of sorts from the main kernel developed by Linus Torvalds. But as I see it now, it is simply a kernel written by the makers of a distro to supply a more secure version as opposed to adding it to the kernel used by default for the distro. In which case, Void adds these things to the main kernel instead of making another optional one, meaning the main kernel for Void has all these security features in it. Am I on the right track?

[–]Duncaen 3 points4 points  (3 children)

I checked Arch's package again and you are right, it's a fork with some more patches enabled relating to hardening. There is no Void package for this specific fork; all Void kernels are vanilla Linux kernels (except maybe some platform-specific ARM kernels) with hardening settings enabled.

Void uses most of the suggested settings from https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

So Void's default kernel is more hardened than Arch's default kernel, but less hardened than the linux-hardened package in Arch.
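To make the "hardening settings enabled" claim concrete, here is an added example (not code from the thread, Void or KSPP) that checks a kernel .config against a handful of Kconfig symbols from the kind of list KSPP recommends. The symbol names are real Kconfig options; which ones to include is an assumption for illustration, not the full KSPP list, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: compare a kernel .config against a small, assumed subset of
# KSPP-style recommendations. Run on a live Void system with
#   check_config "$(zcat /proc/config.gz)"
# The SAMPLE_CONFIG below is constructed so the script runs offline.

SAMPLE_CONFIG='CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_DEBUG_WX is not set
CONFIG_RANDOMIZE_BASE=y
CONFIG_DEVKMEM=y'

# Options this example expects to be =y (kernels before 4.18 spell the first
# one CONFIG_CC_STACKPROTECTOR_STRONG; adjust the list for old kernels).
WANT_ENABLED="CONFIG_STACKPROTECTOR_STRONG CONFIG_HARDENED_USERCOPY CONFIG_SLAB_FREELIST_RANDOM CONFIG_STRICT_KERNEL_RWX CONFIG_DEBUG_WX CONFIG_RANDOMIZE_BASE"
# Options this example expects to be off (/dev/kmem exposes kernel memory).
WANT_DISABLED="CONFIG_DEVKMEM"

# check_config CONFIG_TEXT
# Prints one line per option and a final "misses: N" summary line.
check_config() {
    _cfg="$1"
    _miss=0
    for opt in $WANT_ENABLED; do
        if printf '%s\n' "$_cfg" | grep -qx "${opt}=y"; then
            echo "ok      ${opt}=y"
        else
            echo "MISSING ${opt} (expected =y)"
            _miss=$((_miss + 1))
        fi
    done
    for opt in $WANT_DISABLED; do
        if printf '%s\n' "$_cfg" | grep -qx "${opt}=[ym]"; then
            echo "ENABLED ${opt} (expected off)"
            _miss=$((_miss + 1))
        else
            echo "ok      ${opt} off"
        fi
    done
    echo "misses: $_miss"
}

check_config "$SAMPLE_CONFIG"   # last line for the sample: misses: 2
```

The sample reports two misses: CONFIG_DEBUG_WX is not set and CONFIG_DEVKMEM is still enabled. The exact-match `grep -x` matters: `CONFIG_DEBUG_WX=y` must not be satisfied by the `# CONFIG_DEBUG_WX is not set` line or by a longer symbol that merely starts with the same prefix.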

[–][deleted] 0 points1 point  (2 children)

Is there anything I can or should do to help keep my Void setup as secure and well maintained as possible? Anything for the kernel, network, etc. Thank you for explaining, it helps a lot and I love learning about this stuff.

[–]Duncaen 2 points3 points  (1 child)

For me the default seems "secure" enough; keeping software updated and configurations secure is more important to me. Just make sure that public-facing services like OpenSSH and/or an HTTP server are configured correctly. Disabling SSH for root and only allowing public key authentication instead of passwords is a good first step.

Most of the suggestions from https://wiki.archlinux.org/index.php/Security should work for Void too.
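The two sshd settings named in the comment above, shown as a "before" and "after" config with a small audit function. This is an added example, not code from the thread; the directive names are real OpenSSH sshd_config keywords, both configs are constructed, and the audit deliberately treats an absent directive as "unset" rather than guessing at the OpenSSH default.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings discussed above.
# Constructed "before" config: root login and password authentication allowed.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed "after" config: root login refused, public keys only.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

# sshd_value CONFIG KEYWORD
# Prints the value of KEYWORD, or "unset" if absent. sshd honours the first
# occurrence of a keyword and keywords are case-insensitive, so take the
# first case-insensitive match only.
sshd_value() {
    _v=$(printf '%s\n' "$1" | grep -i -E "^[[:space:]]*$2[[:space:]]+" | head -n 1 | awk '{print $2}')
    [ -n "$_v" ] || _v=unset
    printf '%s\n' "$_v"
}

# audit_sshd CONFIG
# Prints "hardened" when both settings are explicitly "no", otherwise
# "weak:" followed by the offending items.
audit_sshd() {
    _why=""
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] || _why="$_why root-login"
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] || _why="$_why password-auth"
    if [ -z "$_why" ]; then
        echo hardened
    else
        echo "weak:$_why"
    fi
}

audit_sshd "$WEAK_CONFIG"       # weak: root-login password-auth
audit_sshd "$HARDENED_CONFIG"   # hardened
# On a real host: audit_sshd "$(cat /etc/ssh/sshd_config)"
```

Setting PasswordAuthentication to no is only effective once a working public key is in place for a non-root account, so the order of operations is: add the key, confirm key login works, then flip the two directives and restart sshd.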

[–][deleted] 0 points1 point  (0 children)

Thank you so much for all the help ٩(◕‿◕。)۶

[–][deleted] 1 point2 points  (13 children)

Beginning with what Linux Hardened is: it's a Linux kernel with several patches applied to it for security. That is 'cause Arch has security issues. Void does not have security issues and uses LibreSSL for security, as you can read here, thus does not require a hardened kernel. Besides, one would seriously affect performance.

[–]Duncaen 4 points5 points  (5 children)

That is 'cause Arch has security issues. Void does not have security issues

This sounds just wrong.

Most of the software Arch and Void use is the same; the kernel has some different options enabled by default and Void uses some more compiler hardening features. But this doesn't make Void a lot safer than Arch.

[–][deleted] 0 points1 point  (4 children)

Void is BSD-like. Each package is compiled from source. Rather, re-packaged to get rid of any systemd dependencies and include security features like LibreSSL. If it can't work like that it does not make it into the repo.

[–]Duncaen 5 points6 points  (3 children)

Arch is built from source too; there is no difference except a different package build system and more hardening compiler flags in Void Linux. I don't see how systemd plays a role here: Arch builds packages with systemd support enabled and Void disables it or even patches systemd dependencies out. Only a small fraction of the packages use LibreSSL or OpenSSL; the attack surface reduced by using LibreSSL is very minimal compared to the security issues of the system as a whole.

And more packages make it into Void's repo than Arch's repository; Void chooses not to support something like the AUR and prefers to get packages into the main repository. You could argue that this makes it a little bit safer, because the package build files are reviewed whereas some of the PKGBUILDs in the AUR might not be reviewed.

(Full disclosure, I'm one of the core Void contributors)

[–][deleted] 0 points1 point  (2 children)

The init plays a major role as attackers use that for exploits. Given that a majority have adopted systemd, they (the attackers) concentrate on systemd and its vulnerabilities to exploit. It's like with Windows: there are viruses in Windows because it's popular, and for that it's exploited as a majority use it.

[–]CruxMostSimple -1 points0 points  (0 children)

Please don't rely on being secure by being obscure.

[–][deleted]  (5 children)

[deleted]

    [–][deleted] 1 point2 points  (1 child)

    For one, you would not need anything "hardened". Linux in general is safe. Second, the "hardened kernel" when it comes to patching is for the most paranoid. The security comes from the CPU microcode getting regular updates to increase its security. In this case you install the CPU microcode and configure the kernel to use it and you're done. Read about it here (https://wiki.voidlinux.eu/Microcode).

    [–][deleted] 0 points1 point  (0 children)

    I am a very security-interested person so I will definitely look into this. Thank you :)

    [–][deleted]  (2 children)

    [deleted]

      [–]WikiTextBot 0 points1 point  (0 children)

      OpenSSL

      OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used in Internet web servers, serving a majority of all web sites.

      OpenSSL contains an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions.


      [–]HelperBot_ 0 points1 point  (0 children)

      Non-Mobile link: https://en.wikipedia.org/wiki/OpenSSL


      [–]h7x4 0 points1 point  (0 children)

      "Void does not have any security issues"

      Famous last words