Zarhus OS: Base OS – Yocto/ Security: Reduce kernel attack surface

To enhance system security, reducing the kernel attack surface is crucial. This involves applying specific configurations that prevent the system from booting from unused filesystems and disable any kernel debugging support. These measures help to minimize potential vulnerabilities within the kernel environment.

Features:

  • Secure kernel configuration that does not include:
    • debugfs
    • unused filesystems
    • /proc/config.gz exposed
    • ftrace support
    • other debug switches such as CONFIG_MAGIC_SYSRQ, CONFIG_BUG, CONFIG_*_DEBUG, etc.
  • Protective kernel configuration with:
    • CONFIG_CMDLINE_BOOL – enables the kernel command line to be hardcoded directly into the kernel
    • CONFIG_DEBUG_STACKOVERFLOW – enables messages to be printed if free stack space drops below a certain limit

Inputs

  • Which types of filesystems are required on the target image, e.g.:
    • network filesystems
    • base filesystem, e.g. ext4
    • support for a specific filesystem
  • Which kernel modules are required on the target image

Deliverables

  • Report showing the differences between the base and changed Linux kernel with reduced attack surface (generic, Copyright 3mdeb, MIT license)
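
An added example, not part of the original page or of 3mdeb's tooling: a short Python script that diffs a base and a hardened kernel `.config`, the kind of comparison the report above describes, and checks a config against the feature list. The sample configs are constructed, and the mapping of debugfs, /proc/config.gz and ftrace to CONFIG_DEBUG_FS, CONFIG_IKCONFIG_PROC and CONFIG_FTRACE is this example's assumption.

```python
import re

# CONFIG_DEBUG_FS (debugfs), CONFIG_IKCONFIG_PROC (/proc/config.gz) and CONFIG_FTRACE
# (ftrace) are this example's assumed mapping; the other names are quoted from the page.
MUST_BE_OFF = ["CONFIG_DEBUG_FS", "CONFIG_IKCONFIG_PROC", "CONFIG_FTRACE",
               "CONFIG_MAGIC_SYSRQ", "CONFIG_BUG"]
MUST_BE_ON = ["CONFIG_CMDLINE_BOOL", "CONFIG_DEBUG_STACKOVERFLOW"]
DEBUG_GLOB = re.compile(r"CONFIG_\w+_DEBUG$")  # the page's CONFIG_*_DEBUG
LINE = re.compile(r"^(?:(CONFIG_\w+)=(.*)|# (CONFIG_\w+) is not set)$")

def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    cfg = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            cfg[m.group(1) or m.group(3)] = m.group(2) if m.group(1) else "n"
    return cfg

def diff_configs(base, hardened):
    """Sorted (symbol, old, new) changes; a symbol missing from a file counts as 'n'."""
    syms = sorted(set(base) | set(hardened))
    return [(s, base.get(s, "n"), hardened.get(s, "n")) for s in syms
            if base.get(s, "n") != hardened.get(s, "n")]

def audit(cfg):
    """Findings for a parsed config, checked against the feature list above."""
    out = [f"{s} should be disabled" for s in MUST_BE_OFF if cfg.get(s, "n") != "n"]
    out += [f"{s} should be enabled" for s in MUST_BE_ON if cfg.get(s, "n") != "y"]
    out += [f"{s} is a CONFIG_*_DEBUG switch" for s in sorted(cfg)
            if DEBUG_GLOB.match(s) and cfg[s] != "n"]
    return out

# Constructed sample configs (not taken from a Zarhus OS build).
BASE = parse_config("""CONFIG_EXT4_FS=y
CONFIG_BTRFS_FS=m
CONFIG_DEBUG_FS=y
CONFIG_SLUB_DEBUG=y
# CONFIG_CMDLINE_BOOL is not set""")
HARDENED = parse_config("""CONFIG_EXT4_FS=y
# CONFIG_DEBUG_FS is not set
# CONFIG_SLUB_DEBUG is not set
CONFIG_CMDLINE_BOOL=y
CONFIG_DEBUG_STACKOVERFLOW=y""")

if __name__ == "__main__":
    for sym, old, new in diff_configs(BASE, HARDENED):
        print(f"{sym}: {old} -> {new}")
    print("remaining findings:", audit(HARDENED))
```

A symbol that is absent from a `.config` is treated as disabled, which is how an unused filesystem such as the sample's CONFIG_BTRFS_FS shows up in the diff after it is dropped.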
