To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in /boot/loader/entries/*.conf have audit=1
included in their options.
To ensure that new kernels and boot entries continue to enable audit,
add audit=1 to /etc/kernel/cmdline.
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
To improve the kernel's capacity to queue audit events, including those generated before the audit daemon starts,
check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192
included in their options.
To ensure that new kernels and boot entries continue to extend the audit log events queue,
add audit_backlog_limit=8192 to /etc/kernel/cmdline.
audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during the boot process, the action defined by the audit failure flag is taken.
Ensure that zIPL boot entries fully adhere to the Boot Loader Specification (BLS) by checking that /etc/zipl.conf doesn't contain image = .
Amazon Linux 2023 adheres to the Boot Loader Specification (BLS), which is the preferred method of configuration.
Make sure that /boot/bootmap is up to date.
Every time a boot entry or zIPL configuration is changed /boot/bootmap needs to
be updated to reflect the changes.
Run the zipl command to generate an updated /boot/bootmap.
The file /boot/bootmap contains all boot data; keeping it up to date is crucial to booting the correct kernel and options.
To ensure SELinux is not disabled at boot time,
check that no boot entry in /boot/loader/entries/*.conf has selinux=0
included in its options.
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
To ensure that the kernel is configured to zero out memory before
allocation, check that all boot entries in
/boot/loader/entries/*.conf have init_on_alloc=1
included in their options.
To ensure that new kernels and boot entries continue to zero out memory
before allocation, add init_on_alloc=1 to /etc/kernel/cmdline.
When the kernel configuration option init_on_alloc is enabled, all page allocator and slab allocator memory will be zeroed when allocated, eliminating many kinds of "uninitialized heap memory" flaws, effectively preventing data leaks.
To enable the randomization of the page allocator in the kernel, check that
all boot entries in /boot/loader/entries/*.conf have
page_alloc.shuffle=1 included in their options.
To enable randomization of the page allocator also for newly installed
kernels, add page_alloc.shuffle=1 to /etc/kernel/cmdline.
The CONFIG_SHUFFLE_PAGE_ALLOCATOR config option is primarily focused on improving the average utilization of a direct-mapped memory-side cache. Aside from this performance effect, it also reduces the predictability of page allocations in situations where a bad actor can crash the system and somehow leverage knowledge of (page) allocation order right after a fresh reboot, or can control the timing between a hot-pluggable memory node (as in a NUMA node) and applications allocating memory out of that node. The page_alloc.shuffle=1 kernel command line parameter then forces this functionality irrespective of the memory cache architecture.
To enable poisoning of free pages,
check that all boot entries in /boot/loader/entries/*.conf have page_poison=1
included in their options.
To ensure that new kernels and boot entries continue to enable page poisoning,
add page_poison=1 to /etc/kernel/cmdline.
Poisoning writes an arbitrary value to freed pages, so any modification or reference to a page after it is freed or before it is initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents data leaks and allows detection of corrupted memory.
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P
included in their options.
To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,
add slub_debug=P to /etc/kernel/cmdline.
Poisoning writes an arbitrary value to freed objects, so any modification or reference to an object after it is freed or before it is initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents data leaks and allows detection of corrupted memory.
systemd's debug-shell service is intended to
diagnose systemd related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9, which is accessed by pressing
CTRL-ALT-F9. The debug-shell service should only be used
for systemd related issues and should otherwise be disabled.
By default, the debug-shell systemd service is already disabled.
Ensure the debug-shell is not enabled by the systemd.debug-shell=1
boot parameter option.
Check that no boot entries in /boot/loader/entries/*.conf have
systemd.debug-shell=1 included in their options.
To ensure that new kernels and boot entries don't enable the debug-shell, check
that systemd.debug-shell=1 is not present in /etc/kernel/cmdline.
This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
To disable use of virtual syscalls,
check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none
included in their options.
To ensure that new kernels and boot entries continue to disable virtual syscalls,
add vsyscall=none to /etc/kernel/cmdline.
Virtual syscalls provide an attack opportunity for a user who controls the return instruction pointer.
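The checks above all follow the same pattern: every BLS entry under /boot/loader/entries and the /etc/kernel/cmdline file must carry the hardening options and must not carry the dangerous ones. The following POSIX shell script, an added example that is not part of the original guidance, audits both locations in one pass; it takes the paths as parameters and builds constructed sample entries in a scratch directory, so nothing here touches a real /boot.

```shell
# Constructed example, not a real /boot: paths are parameters so it can run on a scratch dir.
REQUIRED="audit=1 audit_backlog_limit=8192 init_on_alloc=1 page_alloc.shuffle=1 page_poison=1 slub_debug=P vsyscall=none"
FORBIDDEN="selinux=0 systemd.debug-shell=1"
# opt_line FILE: print the kernel command line held in FILE. A BLS entry
# (*.conf) stores it on its "options" line; /etc/kernel/cmdline is bare.
opt_line() {
    case "$1" in
        *.conf) sed -n 's/^options[[:space:]]*//p' "$1" 2>/dev/null ;;
        *) cat "$1" 2>/dev/null ;;
    esac
}
# has_opt FILE OPT: whole-word match, so audit=1 does not match audit=10
# or audit_backlog_limit=8192.
has_opt() {
    opt_line "$1" | tr -s ' \t' '\n\n' | grep -qxF -- "$2"
}
# check_file FILE: print one FAIL line per violation; return 1 if any.
check_file() {
    frc=0
    for opt in $REQUIRED; do
        has_opt "$1" "$opt" || { echo "FAIL $1: missing $opt"; frc=1; }
    done
    for opt in $FORBIDDEN; do
        ! has_opt "$1" "$opt" || { echo "FAIL $1: forbidden $opt present"; frc=1; }
    done
    return $frc
}
# check_boot ENTRIES_DIR CMDLINE_FILE: every entry and the cmdline must pass.
check_boot() {
    brc=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || { echo "FAIL $1: no boot entries found"; return 1; }
        check_file "$f" || brc=1
    done
    check_file "$2" || brc=1
    return $brc
}
# make_sample DIR: constructed entries (one compliant, one with selinux=0 and no
# hardening options) plus a compliant stand-in for /etc/kernel/cmdline.
make_sample() {
    mkdir -p "$1/entries"
    printf 'title Sample kernel\nlinux /vmlinuz-sample\noptions root=/dev/sda2 ro %s\n' "$REQUIRED" > "$1/entries/good.conf"
    printf 'title Sample rescue\nlinux /vmlinuz-rescue\noptions root=/dev/sda2 ro audit=1 selinux=0\n' > "$1/entries/bad.conf"
    printf 'root=/dev/sda2 ro %s\n' "$REQUIRED" > "$1/cmdline"
}

# Demo on the constructed data; on a real host pass /boot/loader/entries /etc/kernel/cmdline.
DEMO=$(mktemp -d); make_sample "$DEMO"
check_boot "$DEMO/entries" "$DEMO/cmdline" && echo "PASS: all entries compliant" || echo "review the FAIL lines above"
rm -rf "$DEMO"
```

An entry whose options line is only a `$kernelopts` reference is reported as missing every option, because the real values then live in the bootloader environment rather than in the entry file; resolve them there before re-running the check.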