Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <67cf8b802fe868ba63b28d49f8d836e179df833a.camel@spotco.us>
Date: Sun, 19 Sep 2021 16:44:40 -0400
From: Tad <tad@...tco.us>
To: kernel-hardening@...ts.openwall.com
Cc: linux-hardening@...r.kernel.org
Subject: Self introduction

Hello!
My name is Tad.

I have a few personal projects for the past five or so years for making
available kernel hardening features to more users.

My main project is DivestOS, which provides more secure images for older/legacy
Android devices.
I harden all device kernels via the following:
 * My automatic CVE checker/patcher program [1]. It is able to apply many dozen
   to many hundred CVE patches to trees. It is backed by an extensive versioned
   list [2] of CVE patches that I origianlly maintained by hand. In the past
   year or so I pull in using a scraper I made for the CIP scripts [3].
 * My hardenDefconfig function [4], inspired by the KSPP recommendations and
   later Popov's kconfig-hardened-check. It simply enables and disables various
   options.
 * My hardenBootArgs function [5], currently just enables slub_debug=FZP for
   devices.
 * Some misc tweaks [6], currently for disabling slub/slab merging.
 * And lastly some sysctl tweaks [7].

I also maintain another project for providing some extra security to modern
distros, without recompilation.
It is called Brace [8] and compatible with Arch/Fedora/Debian/OpenSUSE.
In the kernel relations, it is mostly just sysctl [9] changes and kernel
commandline [10] changes.

Lastly some background:
Micay inspired me to work on this area back in mid-2015, after he helped me port
his Android PaX patchset to the OnePlus One phone [11].

Sharing for any comments.
Also most of you are likely working on mainline, not ancient kernels, so maybe
you'll find this interesting.

Best regards,
Tad.

[1] https://gitlab.com/divested-mobile/cve_checker
[2] https://gitlab.com/divested-mobile/kernel_patches/-/blob/master/Kernel_CVE_Patch_List.txt
[3] https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec
[4] https://gitlab.com/divested-mobile/divestos-build/-/blob/e7dd0af4/Scripts/Common/Functions.sh#L657
[5] https://gitlab.com/divested-mobile/divestos-build/-/blob/e7dd0af4/Scripts/Common/Functions.sh#L493
[6] https://gitlab.com/divested-mobile/divestos-build/-/blob/e7dd0af4/Scripts/Common/Post.sh#L28
[7] https://gitlab.com/divested-mobile/divestos-build/-/blob/e7dd0af4/Patches/LineageOS-18.1/android_system_core/0001-Harden.patch
[8] https://gitlab.com/divested/brace
[9] https://gitlab.com/divested/brace/-/blob/1e4975c9/brace/usr/lib/sysctl.d/60-restrict.conf
[10] https://gitlab.com/divested/brace/-/blob/1e4975c9/brace/usr/bin/brace-supplemental-changes#L33
[11] https://divestos.org/images/screenshots/CopperheadOS-bacon.png

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.