{"id":20822002,"url":"https://github.com/mikehorn-git/kernel-hardening","last_synced_at":"2025-04-10T01:34:25.674Z","repository":{"id":213991090,"uuid":"735430909","full_name":"MikeHorn-git/Kernel-Hardening","owner":"MikeHorn-git","description":"Harden your Linux Kernel","archived":false,"fork":false,"pushed_at":"2025-03-11T23:03:46.000Z","size":189,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-24T03:12:09.528Z","etag":null,"topics":["dotfiles","hardening","kconfig","kernel","linux"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MikeHorn-git.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-12-24T22:51:24.000Z","updated_at":"2025-03-11T23:04:13.000Z","dependencies_parsed_at":"2024-03-03T13:29:11.213Z","dependency_job_id":"576767b6-f42f-4069-9046-437a09503cca","html_url":"https://github.com/MikeHorn-git/Kernel-Hardening","commit_stats":null,"previous_names":["mikehorn-git/kernel-hardening"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MikeHorn-git%2FKernel-Hardening","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MikeHorn-git%2FKernel-Hardening/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MikeHorn-git%2FKernel-Hardening/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MikeHorn-git%2FKernel-Hardening/mani
fests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MikeHorn-git","download_url":"https://codeload.github.com/MikeHorn-git/Kernel-Hardening/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248140921,"owners_count":21054369,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dotfiles","hardening","kconfig","kernel","linux"],"created_at":"2024-11-17T22:13:41.691Z","updated_at":"2025-04-10T01:34:25.658Z","avatar_url":"https://github.com/MikeHorn-git.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kernel-Hardening\n\n\u003e [!IMPORTANT]\n\u003e Read the content of the files before proceeding; certain features are disabled.\n\n![logo](https://github.com/MikeHorn-git/Kernel-Hardening/assets/123373126/e4fca8a7-782a-42a7-863e-431a94660313)\n\n## Table of contents\n\n* [Description](https://github.com/MikeHorn-git/Kernel-Hardening#description)\n* [Blacklist Modules](https://github.com/MikeHorn-git/Kernel-Hardening#blacklist-modules-100)\n* [GRUB Parameters](https://github.com/MikeHorn-git/Kernel-Hardening#grub-parameters-25)\n* [Kernel Parameters](https://github.com/MikeHorn-git/Kernel-Hardening#kernel-parameters-50)\n* [Installation Script](https://github.com/MikeHorn-git/Kernel-Hardening#installation-script)\n* [Kconfigs](https://github.com/MikeHorn-git/Kernel-Hardening#kconfigs)\n* [Compile Kernel](https://github.com/MikeHorn-git/Kernel-Hardening#compile-kernel)\n* [Kernel Installation](https://github.com/MikeHorn-git/Kernel-Hardening#kernel-installation)\n* 
[Security Audit](https://github.com/MikeHorn-git/Kernel-Hardening#security-audit)\n* [Resources](https://github.com/MikeHorn-git/Kernel-Hardening#resources)\n\n## Description\n\nKernel Kconfig files with hardening in mind.\n\n## Blacklist Modules (+100)\n\n* Driver\n* Filesystem\n* Graphics\n* Input devices\n* Network\n* Storage\n\nThe blacklisted kernel modules are stored in conf/blacklist.conf\n\n## GRUB Parameters (25)\n\n* Debugging and Diagnostics\n* Randomness\n* Security features\n* Vulnerability mitigation\n\nThese GRUB parameters are stored in conf/grub.txt\n\n## Kernel Parameters (+50)\n\n* FileSystem\n* Kernel\n* Network\n\nThese kernel parameters are present in conf/sysctl.conf\n\n## Installation Script\n\n* Add GRUB entries\n* Copy blacklist.conf\n* Copy sysctl.conf\n\n```bash\n# Back up your files before running\ngit clone https://github.com/MikeHorn-git/Kernel-Hardening.git\ncd Kernel-Hardening/scripts\nchmod +x install.sh\n./install.sh\n```\n\n## Kconfigs\n\n```bash\nkconfigs\n├── fragment-X86_64\n├── gentoo\n│   └── config\n└── vanilla\n    └── config\n```\n\n### Fragment\n\nKconfig fragment generated with the kernel-hardening-checker tool, containing the security hardening options\nfor the selected microarchitecture, following the [README](https://github.com/a13xp0p0v/kernel-hardening-checker#generating-a-kconfig-fragment-with-the-security-hardening-options)\n\n```bash\nkernel-hardening-checker -g X86_64 \u003e fragment-X86_64\n```\n\n### Gentoo\n\nKernel sources lightly patched by the [Gentoo kernel team](https://packages.gentoo.org/packages/sys-kernel/gentoo-sources).\n\n### Vanilla\n\nOfficial kernel sources released [here](https://www.kernel.org/).\n\n## Compile Kernel\n\n### Gentoo\n\n#### Prepare\n\n```bash\n# Install Gentoo kernel sources\nsudo emerge -av gentoo-sources\n\n# Use eselect to change symlinks\nsudo eselect kernel list\nsudo eselect kernel set 1 # Use the correct number from kernel list command\n\n# Take custom .config\ncd /usr/src/linux\nwget 
https://raw.githubusercontent.com/MikeHorn-git/Kernel-Hardening/main/kconfigs/gentoo/config\nmv config .config\n```\n\n#### Modify\n\nRun this when the kernel source is newer than the .config file.\n\n```bash\nsudo make oldconfig\n```\n\nTo modify the config manually.\n\n```bash\nsudo make nconfig\n```\n\n#### Compile\n\n```bash\n# Compile \u0026 Install\nsudo make -j$(nproc)\nsudo make modules_install\nsudo make install\n```\n\n### Arch\n\n#### Prepare\n\n```bash\nexport KVERSION=6.13.6\nwget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-\"$KVERSION\".tar.xz\ntar -xf linux-\"$KVERSION\".tar.xz\ncd linux-\"$KVERSION\"\nwget https://raw.githubusercontent.com/MikeHorn-git/Kernel-Hardening/main/kconfigs/vanilla/config\nmv config .config\n```\n\n#### Modify\n\nRun this when the kernel source is newer than the .config file.\n\n```bash\nsudo make oldconfig\n```\n\nTo modify the config manually.\n\n```bash\nsudo make nconfig\n```\n\n#### Compile\n\n```bash\n# Change to your version\nexport KVERSION=6.13.6\n\n# Compile \u0026 Install\nsudo make -j$(nproc)\nsudo make modules_install\nsudo make install\n\n# Copy the kernel image (bzImage exists only after the build above)\nsudo cp arch/x86/boot/bzImage /boot/vmlinuz-\"$KVERSION\"\n\n# Create initramfs image (choose one based on your distribution)\nsudo dracut --kver \"$KVERSION\" /boot/initramfs-\"$KVERSION\".img\nsudo mkinitcpio -k \"$KVERSION\" -g /boot/initramfs-\"$KVERSION\".img\nsudo update-initramfs -c -k \"$KVERSION\"\n\n# Update GRUB (choose one based on your distribution)\nsudo grub-mkconfig -o /boot/grub/grub.cfg\n```\n\n## Security Audit\n\n### Kernel-Hardening-Checker\n\n```bash\nkernel-hardening-checker -c kconfigs/gentoo/config\nkernel-hardening-checker -c kconfigs/vanilla/config\n```\n\n### Spectre-meltdown-checker\n\nVulnerability/mitigation checker for Linux \u0026 BSD.\n'For Linux systems, the tool will detect mitigations, including backported non-vanilla patches,\nregardless of the advertised kernel version number and the distribution.' 
[Source](https://github.com/speed47/spectre-meltdown-checker)\n\n```bash\nsudo ./spectre-meltdown-checker.sh\n```\n\n## Resources\n\n* [Anssi](https://cyber.gouv.fr/publications/recommandations-de-securite-relatives-un-systeme-gnulinux) [Guide]\n* [ClipOS](https://docs.clip-os.org/clipos/kernel.html#configuration) [Guide]\n* [Kernel.org](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) [Guide]\n* [Kernel-Hardening-Checker](https://github.com/a13xp0p0v/kernel-hardening-checker) [Tool]\n* [Kernel_Self_Protection_Project](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings) [Guide]\n* [Kicksecure](https://github.com/Kicksecure) [Guide]\n* [Linux-Hardened](https://github.com/anthraxx/linux-hardened) [Implementation]\n* [lwn.net](https://lwn.net/) [Logo]\n* [Madaidans](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel) [Guide]\n* [spectre-meltdown-checker](https://github.com/speed47/spectre-meltdown-checker) [Tool]\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmikehorn-git%2Fkernel-hardening","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmikehorn-git%2Fkernel-hardening","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmikehorn-git%2Fkernel-hardening/lists"}