Re: Request For Insights On Kernel Security Hardening Practices In Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I think its worthwhile to note that the spreadsheet is AFAIK out of date because I checked for example: CONFIG_INIT_ON_ALLOC_DEFAULT_ON and CONFIG_RANDOM_KMALLOC_CACHES running an updated F40 and both are enabled.


So, I'm guessing no one ran 'dnf update' before recording the results, or they are 6+ months old and should probably be updated. That can be done either with 'dnf update' or by installing/upgrading to F41.

And speaking as a community member I think 1.1 is pretty easy to answer "yes".


Along the same vein I think reading the discussions around frame pointers over the past year can provide an idea about how the fedora community tries to find balance when determining performance/features/security/etc tradeoffs.
















________________________________
From: Yinhao Hu <huyinhaodd@xxxxxxxxx>
Sent: Friday, December 13, 2024 12:11 AM
To: kernel@xxxxxxxxxxxxxxxxxxxxxxx <kernel@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: dzm91@xxxxxxxxxxx <dzm91@xxxxxxxxxxx>; dddddd@xxxxxxxxxxx <dddddd@xxxxxxxxxxx>
Subject: Request For Insights On Kernel Security Hardening Practices In Fedora

Dear All,

We are academic researchers from Huazhong University of Science and
Technology, China. To foster a healthier Linux kernel community and
enhance the overall security of Linux distributions, we are conducting a
study on kernel security hardening deployments across various Linux
distributions.

In our research, we analyzed kernel config files and the /proc
filesystem by installing and running multiple distribution ISO images.
This allowed us to enumerate the default deployment of kernel defense
mechanisms at runtime.

So far, we have cataloged over 50 kernel security hardening features and
documented inconsistencies in their deployment across different
distributions. The results of our analysis are accessible via the
following link:
https://docs.google.com/spreadsheets/d/17QRr04pqK1K4-VoHXW2-9KgPd4uV8Q4I-NNkV9CN8nM/edit?usp=sharing.

Given Fedora’s reputation for exceptional performance and rich features,
we conducted a detailed investigation into its kernel security hardening
strategies. To further deepen our understanding, we would greatly
appreciate your input on the following questions:

1. Effectiveness of Kernel Security Hardening

    1.1 Do you consider deploying kernel security hardening features to
be an effective strategy for ensuring operating system security?

2. Configuration Strategy for Default Kernel Security Hardening Options

    2.1 What are the primary criteria for selecting kernel security
hardening options in your distribution?

    2.2 How are configurable security hardening features (e.g.,
unprivileged_bpf_disabled) typically set (e.g., 0, 1, or 2), and what
are the main considerations involved?

    2.3 How do you balance the trade-off between side-effects (e.g.,
performance overhead) and the enhanced security introduced by kernel
security hardening?

    2.4 Does the tolerance for performance overhead vary across
different application scenarios?

    2.5 Are there other negative factors, such as compatibility issues,
that are considered when enabling security hardening features?

3. Customized Configurations

    3.1 Do you provide different kernel security hardening
configurations tailored to specific user groups?

4. Best Practices and Recommendations

    4.1 Are there any best practices or recommendations you can share
regarding kernel security hardening?

    4.2 Are there relevant documents or materials available for reference?

The purpose of these questions is to gain a deeper understanding of your
security protection strategies. Your insights would be immensely
valuable to our study.

Thank you for taking the time to review our questions. We look forward
to your response.

Best regards,
Yinhao Hu, PhD candidate
huyinhaodd@xxxxxxxxx
Huazhong University of Science and Technology
--
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
-- 
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux