| | | |
|---|---|---|
| author | intrigeri <intrigeri@boum.org> | 2017-07-21 05:48:53 +0000 |
| committer | intrigeri <intrigeri@boum.org> | 2017-07-21 05:48:53 +0000 |
| commit | 3ce9598de6fd4f76646c17a355213311418bbfc5 (patch) | |
| tree | 5549c1c6e09935671ac79a59e8c848bd6bc310cb | |
| parent | f95ad1f91c6d4f57fd31f2f6586510caa28893df (diff) | |
Disable kexec, to make our attack surface a bit smaller.

Branch: wip/feature/12732-linux-4.11
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | config/chroot_local-includes/etc/sysctl.d/kexec.conf | 1 |
| -rw-r--r-- | wiki/src/contribute/design/kernel_hardening.mdwn | 4 |

2 files changed, 5 insertions, 0 deletions
diff --git a/config/chroot_local-includes/etc/sysctl.d/kexec.conf b/config/chroot_local-includes/etc/sysctl.d/kexec.conf new file mode 100644 index 0000000..edfb725 --- /dev/null +++ b/config/chroot_local-includes/etc/sysctl.d/kexec.conf @@ -0,0 +1 @@ +kernel.kexec_load_disabled = 1 diff --git a/wiki/src/contribute/design/kernel_hardening.mdwn b/wiki/src/contribute/design/kernel_hardening.mdwn index 5be145b..3e19bc2 100644 --- a/wiki/src/contribute/design/kernel_hardening.mdwn +++ b/wiki/src/contribute/design/kernel_hardening.mdwn @@ -97,3 +97,7 @@ kernel address map from some external source. This is not hard, but certainly not all malware has such functionality. For this reason, we also make sure to purge `/boot/System.map`. + +### `kernel.kexec_load_disabled = 1` + +kexec is dangerous: it enables replacement of the running kernel. |
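Review bot: The new `kexec.conf` carries the single line `kernel.kexec_load_disabled = 1` with no comment, and this particular sysctl deserves one because it is a one-way latch: the kernel documents that once the toggle is set to 1 it cannot be set back to 0 until the next boot, so anyone later wanting kexec (for a kdump kernel or a kexec-based fast reboot) cannot simply drop the file and re-run `sysctl --system`. Suggest a leading comment such as `# One-way switch: once 1, kexec_load(2)/kexec_file_load(2) are disabled until reboot` so the intent and the irreversibility are visible in the file itself. Also worth stating in the commit or the file that this only takes effect once the sysctl.d files are applied at boot (by systemd-sysctl on a systemd system, which I assume is what applies `/etc/sysctl.d` here); any kexec use before that point, e.g. from the initramfs, is not covered by this change.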
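Review bot: The design-doc addition in `kernel_hardening.mdwn` stops at "kexec is dangerous: it enables replacement of the running kernel." without saying what the sysctl actually does or why that matters for this system, whereas the surrounding entries (the `/boot/System.map` paragraph just above it) give a rationale. Suggest expanding the new section to state that `kernel.kexec_load_disabled = 1` disables the `kexec_load(2)` and `kexec_file_load(2)` system calls, that the threat is a process holding `CAP_SYS_BOOT` (in practice root) booting into a kernel of its choosing and thereby escaping every kernel-side protection described elsewhere in this document, and that the setting is one-way and cannot be reverted until reboot. Three sentences would do; as written, a reader of the design doc cannot tell whether kexec is merely blocked for unprivileged users or removed outright.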