

Linux Kernel Hardening

Abstract
While not inherently insecure, the standard Linux kernel lacks advanced features to prevent or contain certain types of malicious attacks. This paper explores two approaches to hardening the standard Linux kernel: address space (memory) protection and advanced access control. Additions to the kernel that place restrictions on an application's address space make it possible to prevent many types of buffer overflow attacks. The addition of an access control system can remove many, if not all, of the privileges assigned to the traditional superuser account. After brief overviews of three methods of address space protection and three advanced access control systems, this paper outlines the installation and configuration of a Grsecurity-enhanced kernel. The Grsecurity kernel patch provides both address space protection and an advanced access control system. Linux kernel hardening is an effective strategy for preventing many forms of attacks and providing enhanced host-level security; however, the approach described in this paper should not be expected to prevent all attacks against Linux hosts.