[arch-devops] Linux lockdown mode deployed
Hi All,

I've deployed a new Linux hardening setting on all our VPSes, which is available since 5.4. It makes it harder for root to modify the running kernel by shielding off some functionality for userland. [1]

No application should rely on these features, so everything should still work as normal.

Currently it is deployed as a tmpfiles.d file, which is suboptimal, but adding it to our bootloader seems to be hard since we currently already enable btrfs via lineinfile. Maybe the grub configuration should live in our ansible repository?

[1] https://git.archlinux.org/infrastructure.git/commit/?id=2c7538040f6353633adf...

Greetings,
Jelle

On December 23, 2019 11:49, Jelle van der Waa wrote:
> Hi All,
>
> I've deployed a new Linux hardening setting on all our VPSes, which is available since 5.4. It makes it harder for root to modify the running kernel by shielding off some functionality for userland. [1]
>
> No application should rely on these features, so everything should still work as normal.
>
> Currently it is deployed as a tmpfiles.d file, which is suboptimal, but adding it to our bootloader seems to be hard since we currently already enable btrfs via lineinfile. Maybe the grub configuration should live in our ansible repository?
>
> [1] https://git.archlinux.org/infrastructure.git/commit/?id=2c7538040f6353633adf...
>
> Greetings,
> Jelle

+1 for having grub configuration on ansible.

On Mon, Dec 23, 2019, 16:55 Giancarlo Razzolini via arch-devops <arch-devops@lists.archlinux.org> wrote:
> On December 23, 2019 11:49, Jelle van der Waa wrote:
>> Hi All,
>>
>> I've deployed a new Linux hardening setting on all our VPSes, which is available since 5.4. It makes it harder for root to modify the running kernel by shielding off some functionality for userland. [1]
>>
>> No application should rely on these features, so everything should still work as normal.
>>
>> Currently it is deployed as a tmpfiles.d file, which is suboptimal, but adding it to our bootloader seems to be hard since we currently already enable btrfs via lineinfile. Maybe the grub configuration should live in our ansible repository?
>>
>> [1] https://git.archlinux.org/infrastructure.git/commit/?id=2c7538040f6353633adf...
>>
>> Greetings,
>> Jelle
>
> +1 for having grub configuration on ansible.

Yeah, maybe we can find a better solution for this. Thanks, Jelle.

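
An added example, not part of the thread or of the Arch infrastructure repository: a shell check for auditing the setting discussed above. It reads the active lockdown mode from `/sys/kernel/security/lockdown` and tells a mode set with the `lockdown=` kernel parameter apart from one set some other way, such as a write after boot. The function names and sample strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit kernel lockdown state on a host (Linux 5.4 or newer).
# /sys/kernel/security/lockdown lists the modes and brackets the active one,
# e.g. "none [integrity] confidentiality".

# Print the active mode given the contents of the lockdown file.
active_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Print the value of the last lockdown= argument on a kernel command line,
# or nothing if the parameter is absent.
cmdline_lockdown_mode() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^lockdown=//p' | tail -n 1
}

# Classify a host from the lockdown file contents ($1) and /proc/cmdline ($2):
#   unsupported    no bracketed mode found (file missing or empty)
#   off            lockdown is "none"
#   cmdline:MODE   active mode matches the lockdown= boot parameter
#   other:MODE     active mode was set another way (a write after boot,
#                  or a kernel build option), so early boot was not covered
#                  by the boot parameter
lockdown_status() {
    active=$(active_lockdown_mode "$1")
    boot=$(cmdline_lockdown_mode "$2")
    if [ -z "$active" ]; then
        echo "unsupported"
    elif [ "$active" = "none" ]; then
        echo "off"
    elif [ "$boot" = "$active" ]; then
        echo "cmdline:$active"
    else
        echo "other:$active"
    fi
}

# Constructed sample: locked down, but no lockdown= on the command line.
lockdown_status 'none [integrity] confidentiality' 'root=/dev/vda1 rw'  # other:integrity

# Live check, only when the kernel exposes the file (securityfs mounted).
if [ -r /sys/kernel/security/lockdown ]; then
    lockdown_status "$(cat /sys/kernel/security/lockdown 2>/dev/null)" \
                    "$(cat /proc/cmdline 2>/dev/null || true)"
fi
```
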
participants (3)
- Giancarlo Razzolini
- Jelle van der Waa
- Sven-Hendrik Haase