Linux Kernel and Security Configuration: sysctl, PAM, and Access Control
Securing a Linux system requires a multi-layered approach that starts at the kernel and extends through the authentication system to access controls and storage mounting. This guide provides a detailed reference for the most critical security configuration components in a modern Linux environment.
1. Kernel Parameters with sysctl
The sysctl command and the /etc/sysctl.conf file (along with files in /etc/sysctl.d/) are the primary tools for configuring Linux kernel parameters at runtime. Many of these parameters have significant security implications.
Using a sysctl Config Generator
While you can manually edit configuration files, a sysctl config generator can help ensure you don't miss critical hardening settings. Common parameters to configure include:
- Network Hardening: Disabling IP forwarding (net.ipv4.ip_forward = 0), ignoring ICMP redirects (net.ipv4.conf.all.accept_redirects = 0, and the same key under conf.default so interfaces created later inherit it), and enabling TCP SYN cookie protection (net.ipv4.tcp_syncookies = 1).
- Memory Protection: Enabling full ASLR (Address Space Layout Randomization) via kernel.randomize_va_space = 2.
- Restricting Information Leakage: Limiting dmesg to processes with CAP_SYSLOG (kernel.dmesg_restrict = 1) and hiding kernel addresses in /proc/kallsyms and similar interfaces from every user, root included (kernel.kptr_restrict = 2; use 1 to hide them from unprivileged users only).
Linux Kernel Parameter Reference Table
| Parameter | Recommended Value | Description |
|---|---|---|
| net.ipv4.tcp_syncookies | 1 | Answers with SYN cookies once the listen backlog fills, so a SYN flood cannot exhaust the queue. |
| net.ipv4.conf.all.rp_filter | 1 | Strict reverse path filtering: drops packets whose source address is not routable back through the receiving interface, defeating simple source spoofing. Use 2 (loose mode) on hosts with asymmetric routing, or legitimate traffic is dropped. |
| kernel.randomize_va_space | 2 | Full ASLR (stack, mmap, VDSO and heap/brk). Raises the cost of memory-corruption exploits; it does not prevent them on its own. |
| fs.protected_fifos | 2 | Refuses O_CREAT opens of FIFOs in world-writable sticky directories (such as /tmp) unless the FIFO is owned by the opener or by the directory owner; 2 extends the rule to group-writable sticky directories. |
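The parameters above are only useful if they are actually in effect. The following shell script is an added example, not from the original page: it emits the hardening set as a sysctl.d drop-in and then audits the running kernel against that file by reading /proc/sys directly, which is the same source sysctl(8) uses. The file name 99-hardening.conf and the optional ROOT argument are this example's own assumptions; ROOT exists so the audit can be exercised against a constructed tree rather than the live kernel.

```shell
#!/bin/sh
# Added example (not the page's code): write a sysctl hardening drop-in and
# audit the live kernel against it. The file name and the ROOT override are
# assumptions made for this example.

# Print the drop-in exactly as it would be written to /etc/sysctl.d/.
hardening_conf() {
    cat <<'EOF'
# /etc/sysctl.d/99-hardening.conf (assumed name; loaded by sysctl --system)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
fs.protected_fifos = 2
EOF
}

# sysctl_audit CONF [ROOT]
# For every "key = value" line in CONF, read the live value from
# ROOT/<key with dots turned into slashes> (ROOT defaults to /proc/sys)
# and report it. Returns the number of keys that are missing or differ,
# so 0 means the kernel matches the file.
sysctl_audit() {
    conf=$1
    root=${2:-/proc/sys}
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # strip comments
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING  $key (no $path: module not loaded or key unsupported)"
            bad=$((bad + 1))
            continue
        fi
        read -r have < "$path"
        if [ "$have" = "$want" ]; then
            echo "OK       $key = $have"
        else
            echo "MISMATCH $key: want $want, have $have"
            bad=$((bad + 1))
        fi
    done < "$conf"
    return $bad
}

# Typical use on a real host (root is needed for the write, not the audit):
#   hardening_conf > /etc/sysctl.d/99-hardening.conf && sysctl --system
#   sysctl_audit /etc/sysctl.d/99-hardening.conf
```

A MISSING result usually means the key belongs to a module that is not loaded (for example a netfilter key on a host without conntrack) rather than a typo, so check lsmod before editing the file. The exit status is the mismatch count, which makes the function usable directly from a configuration-management check or a cron job.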
2. Pluggable Authentication Modules (PAM)
PAM provides a flexible way to manage authentication for various services without modifying the services themselves. Configuring PAM correctly is essential for enforcing strong password policies and multi-factor authentication.
PAM Config Generator Considerations
A PAM config generator typically focuses on the files in /etc/pam.d/. Key modules to include for security are:
- pam_pwquality.so: Enforces password complexity requirements (length, character classes, dictionary checks). It replaced pam_cracklib.so, which is deprecated and no longer shipped in current Linux-PAM releases.
- pam_faillock.so: Locks accounts after a configurable number of failed login attempts to slow brute-force attacks. It replaced pam_tally2.so, which was removed in Linux-PAM 1.5.0.
- pam_unix.so: The standard module for checking passwords against /etc/shadow.
Example configuration for password quality. This is a password-phase line and must sit above the password pam_unix.so line, which in turn should carry use_authtok so the password that was checked is the one that gets stored:
password requisite pam_pwquality.so retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
Here minlen=12 sets the minimum length, the four negative credit values require at least one lowercase, uppercase, digit and other character each, retry=3 gives the user three attempts before the change fails, and enforce_for_root applies the policy to root, who is otherwise only warned.
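Lockout is the part of the PAM stack that is most often wired up in the wrong order: pam_faillock's preauth call has to run before the password is checked (so an already-locked user is refused without a password ever being tried) and its authfail call has to run after it (so a wrong password is counted). The following shell script is an added example, not code from the original page: one function prints a pam_faillock stack for a service file, the other checks an existing file for that ordering. The deny and unlock_time defaults, the function names and the sample stacks in the test are this example's own choices; the service file name (system-auth, common-auth or similar) depends on the distribution.

```shell
#!/bin/sh
# Added example (not the page's code): emit a pam_faillock stack and verify
# the ordering in an existing one. Defaults and names are this example's.

# faillock_stack [DENY] [UNLOCK_SECONDS]
# Lines for the auth and account phases of a service file in /etc/pam.d/.
#   preauth  : refuse users that are already locked, before any password check
#   pam_unix : the actual password check
#   authfail : record the failure when pam_unix rejected the password
#   pam_deny : close the stack so a fall-through never succeeds
#   account  : enforce the lock for other login paths (e.g. key-based ssh)
faillock_stack() {
    deny=${1:-5}
    unlock=${2:-900}
    cat <<EOF
auth     required      pam_faillock.so preauth silent audit deny=$deny unlock_time=$unlock
auth     sufficient    pam_unix.so try_first_pass
auth     [default=die] pam_faillock.so authfail audit deny=$deny unlock_time=$unlock
auth     required      pam_deny.so
account  required      pam_faillock.so
account  required      pam_unix.so
EOF
}

# line_of FILE PATTERN: line number of the first line matching PATTERN,
# empty if none. Patterns are anchored at ^auth/^account, so commented-out
# lines (which start with #) never match.
line_of() {
    grep -n "$2" "$1" | head -n 1 | cut -d: -f1
}

# faillock_check FILE: 0 when FILE has preauth before pam_unix, authfail
# after it, and an account-phase pam_faillock line; 1 otherwise.
faillock_check() {
    f=$1
    pre=$(line_of "$f" '^auth.*pam_faillock\.so.*preauth')
    unix=$(line_of "$f" '^auth.*pam_unix\.so')
    fail=$(line_of "$f" '^auth.*pam_faillock\.so.*authfail')
    acct=$(line_of "$f" '^account.*pam_faillock\.so')
    [ -n "$pre" ] && [ -n "$unix" ] && [ -n "$fail" ] && [ -n "$acct" ] || {
        echo "faillock stack incomplete in $f"; return 1; }
    [ "$pre" -lt "$unix" ] && [ "$unix" -lt "$fail" ] || {
        echo "faillock lines in wrong order in $f"; return 1; }
}

# Typical use: faillock_stack 5 900 (paste into the service file), then
# faillock_check /etc/pam.d/system-auth before closing your root shell.
```

Keep the deny and unlock_time values identical on the preauth and authfail lines; on current pam_faillock versions they can also be centralised in /etc/security/faillock.conf so the two lines cannot drift apart. The account line matters for login paths that never run the auth phase, such as SSH public-key authentication, which would otherwise ignore the lock.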
3. Mandatory Access Control: SELinux and AppArmor
Unlike standard Discretionary Access Control (DAC), where the owner of a file decides who may access it, Mandatory Access Control (MAC) enforces a system-wide policy that applies regardless of ownership or user ID, so a compromised process, even one running as root, is limited to what its policy allows.
SELinux Policy Generator vs. AppArmor Profile Generator
- SELinux (Security-Enhanced Linux): Uses a labeling system for every object (process, file, port). It is powerful but has a steep learning curve. An SELinux policy generator (like audit2allow, which turns AVC denials from the audit log into allow rules for a local policy module) is often needed to handle complex denials. Review the generated rules before loading them: audit2allow permits exactly what was denied, so running it blindly on denials caused by an attacker would extend the policy to allow the attack.
- AppArmor: Uses path-based profiles. It is generally considered easier to configure than SELinux. An AppArmor profile generator (like aa-genprof, or aa-logprof for updating an existing profile) can help create profiles by monitoring application behavior. Exercise the application thoroughly in complain mode first; code paths you never triggered will be denied once the profile is enforced.
SELinux vs. AppArmor Comparison
| Feature | SELinux | AppArmor |
|---|---|---|
| Control Type | Label-based | Path-based |
| Complexity | High | Medium |
| Default in | RHEL, CentOS, Fedora | Ubuntu, Debian, openSUSE |
| Flexibility | Extremely high | High |
| Learning Curve | Steep | Moderate |
4. Secure Storage Mounting with /etc/fstab
The /etc/fstab file defines how storage devices are mounted. Using the correct mount options can prevent many types of attacks, such as executing malicious binaries from temporary directories.
/etc/fstab Generator Security Flags
When using an /etc/fstab generator, ensure you include these security flags for non-system partitions (like /tmp, /var, or external drives):
- nodev: Prevents the interpretation of block or character special devices on the filesystem.
- nosuid: Disables the set-user-identifier or set-group-identifier bits.
- noexec: Prevents the execution of binaries on the filesystem.
Apply noexec with care: on /var it breaks dpkg and apt, which run package maintainer scripts from /var/lib/dpkg, and on /tmp it breaks installers and build tools that unpack and run helpers there (point them elsewhere with TMPDIR, or give them a separate executable scratch area). nodev and nosuid are safe on any filesystem that holds no device nodes or setuid binaries, which on a normal install means everything except /, /usr and /dev.
Example secure entry for /tmp, mounted as tmpfs. The first field is the pseudo-device name tmpfs, not a UUID: tmpfs lives in memory and has no block device to identify. Add size= to cap how much RAM it may consume:
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
An fstab change does nothing until the filesystem is mounted; apply it with mount -o remount /tmp and confirm with findmnt -no OPTIONS /tmp.
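Because the options in /etc/fstab only describe intent, the check that matters is what the kernel actually applied, which is what /proc/self/mounts (the data behind findmnt) reports. The following shell script is an added example, not code from the original page: it reads the option list for a mount point from the mount table and counts which required options are absent. The MOUNTS override and the sample mount table in the test are constructed for this example.

```shell
#!/bin/sh
# Added example (not the page's code): verify that nodev/nosuid/noexec are
# in effect on a mount point by reading the kernel's mount table. The MOUNTS
# override is an assumption made so the functions can run on a sample table.

# mount_opts MOUNTPOINT [TABLE]
# Print the option field for MOUNTPOINT from TABLE (default
# /proc/self/mounts). The last matching line wins, which mirrors the
# kernel: a later mount on the same path shadows the earlier one.
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' \
        "${2:-/proc/self/mounts}"
}

# mount_check MOUNTPOINT OPT...
# Report each required option missing from MOUNTPOINT and return the number
# missing (0 = compliant). An unmounted path counts every option as missing.
# Set MOUNTS to read a different table than /proc/self/mounts.
mount_check() {
    mp=$1
    shift
    opts=$(mount_opts "$mp" "${MOUNTS:-/proc/self/mounts}")
    if [ -z "$opts" ]; then
        echo "$mp: not mounted"
        return $#
    fi
    missing=0
    for o in "$@"; do
        # wrap in commas so "noexec" does not match inside another option
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "$mp: missing $o"; missing=$((missing + 1)) ;;
        esac
    done
    return $missing
}

# Typical use after editing fstab and remounting:
#   mount_check /tmp nosuid nodev noexec
#   mount_check /home nosuid nodev
```

The comma wrapping in the case pattern matters: a plain substring test would accept "noexec" when only "exec" or an option like "nosuid" is present, and would miss nothing else, so it is the difference between a check and a false sense of security. The function reads /proc/self/mounts rather than /etc/fstab on purpose: a typo in fstab, a failed remount, or a systemd unit that mounts /tmp with its own options all show up here and nowhere else.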
FAQ: Linux Security Configuration
Q: Should I use SELinux or AppArmor?
A: It usually depends on your distribution. Use what is natively supported and enabled by default (SELinux for RHEL-based, AppArmor for Debian-based) as they will have the most comprehensive pre-configured policies.
Q: Why is net.ipv4.ip_forward disabled by default?
A: Enabling IP forwarding allows your system to act as a router, which can be a security risk if not explicitly intended and properly firewalled.
Q: What happens if I misconfigure PAM?
A: A misconfigured PAM can lock everyone (including root) out of the system. Always keep an active root shell open when testing PAM changes, verify a fresh login from a second session before closing it, and have a recovery plan (like booting from a Live CD). With pam_faillock, an account you locked while testing can be cleared with faillock --user NAME --reset.
Q: How can I verify my sysctl settings are applied?
A: Use sysctl -a to view all current kernel parameters and their values, or check a specific one, e.g. sysctl net.ipv4.tcp_syncookies. Note that /etc/sysctl.conf and the files in /etc/sysctl.d/ are only read at boot or when you run sysctl --system (sysctl -p FILE for a single file): a value set with sysctl -w but never written to a file is lost at reboot, and a file you edited but never loaded changes nothing until then.