13.Lock StylizedMotherboard

Kernel security is a key determinant of overall system security. After all, the Linux kernel is the foundation of the OS and the core interface between a computer’s hardware and its processes.  Luckily, Linux now supports a range of effective open-source extensions and external tools engineered to boost kernel security. From the threats you should be aware of to the initiatives and technologies designed to reinforce and enhance the security of the Linux kernel, here's what you need to know.


The Open-Source Security Advantage

Enterprise IT environments are becoming increasingly reliant on open-source technologies, but companies too often fail to approach those technologies with the same attention to security as they do with commercial and closed-source alternatives. Of course, open-source technologies are traditionally more secure than IT products that have been commercially developed. The Linux OS, for example, is known for its high level of security and has been exposed to far fewer bugs than its closed-source counterparts. This can largely be attributed to the nature of open-source development - higher levels of transparency and user scrutiny than proprietary development results in the rapid identification and elimination of potential security vulnerabilities in open-source code. 

The Impact of OpenSFF

Launched in August 2020, the Open Source Security Foundation (OpenSSF) was created with the sole intention of improving the security of open-source software (OSS). A combination of The Linux Foundation’s Core Infrastructure Initiative, Github’s Open-Source Security Coalition and the Joint Open-Source Software Initiative, OpenSSF is  a cross-industry collaboration that intends to continuously work to improve OSS security. OpenSSF has lofty goals and is already producing real-world results. Along with the accessible courses open to software developers (the Secure Software Development Fundamentals), they have also launched scoring systems that auto-generate reports into security and criticality. The launch of a security metrics dashboard is still in its early stages but seems to be a very promising addition that should help boost kernel security. Overall, OpenSSF is one of the most significant steps forward in terms of improving OSS security.

What Are Some Common Linux Kernel Attacks?

From kernel data attacks that change the way that an OS functions to malware attacks that remain a serious, persistent threat, Linux kernel attacks are as dangerous and disruptive as ever. Let’s take a closer look at some of the main threats to the Linux kernel.

Rootkits & Kernel Data Attacks

Threat actors wishing to breach open-source security systems will commonly alter the in-memory kernel data so they can manipulate and change the way that the OS behaves. Doing this means that they don't have to worry about inputting any form of malicious code. This type of exploit is known as a kernel data attack and, although somewhat rare, these attacks could quickly become as disruptive as more traditional kernel rootkits - a particularly damaging type of malware that is able to hide from both antivirus software and the human eye. Rootkits work by modifying files (and in some cases replacing them entirely). While other OSes suffer from rootkit insertion to a much greater extent than Linux, Linux users can be just as susceptible to data theft, the intrusion of remote access, or even recruitment into a botnet. The transparency of open-source kernel security technologies is becoming less of a determining factor of security as those systems grow. For example, just a few years ago Linux kernel code consisted of only two million lines. Now, that number is closer to 28 million

Malware and Open-Source Technologies

In the early days of the Internet, malware was used primarily as a form of digital vandalism. The purposes of malware have evolved and expanded as cybercriminals have become increasingly sophisticated in both their motives and their tactics. Now, their goals and methods of attack vary greatly and, as a result, open-source kernel security technologies have to work harder to detect malware and rootkits and to avoid exposure to different types of DDoS attacks, as well as the myriad of other ways that threat actors can breach modern digital environments. For the most part, cyber criminals' main goal is now financial gain, although there are still those with ideological reasons for attacking organizations. 

Implementing Linux Kernel Security with Open-Source Technologies

The most common method of enhancing kernel security is the use of a software layer that sits within the OS itself. With hardware at the heart of the technology, the kernel is the next layer, and regulates all authentication instructions and governs access control. The kernel cannot then be tampered with or changed, and by using open-source kernel security technologies, transparency becomes a key aspect of improving security. As the world grows increasingly reliance on digital technologies, open-source kernel security technologies must be built with this transparency at their heart. The growing number of automation tools that can monitor Linux systems and identify errors is only making open-source kernels safer and easier to use, while exponentially improving digital security.

The LSM framework allows for various security checks via the use of newly introduced kernel extensions. These extensions are not loadable kernel modules, however. Instead, they are selected during the build-time process but can be overridden when it comes to boot-time. Mandatory Access Control (MAC) extensions are one of the more comprehensive security policies for Linux, and there is a range of options to look at more closely throughout build-time. Some of the most well-known examples, such as SELinux and AppArmor, do have limited functionality, though. For more in-depth layering and protection, extensions can be built directly from the LSM framework. This gives users the opportunity to make specific changes that they may not have access to with larger MAC extensions. You can find out more about LSMs and how to extend their capabilities on the Linux man-pages project. These protection systems must be enabled at all times to ensure a safe Linux environment.

Introducing Linux Kernel Lockdown

Lockdown is a relatively new security feature designed specifically for the Linux kernel. Part of the Linux kernel 5.4 branch, it is a feature that must be activated. Its default mode is off, simply because it can negatively affect existing systems. However, the primary function of lockdown is to prevent root account interactions with kernel code. By strengthening this divide, Lockdown counters potentially dangerous interactions that have been possible since the launch of the Linux OS. Once lockdown has been activated, there will be limitations on kernel functionality, but these will make it significantly more difficult for root accounts that have been compromised to affect the rest of the OS. This will even affect root users, so it's not a small step. Two lockdown modes are supported:

  • Integrity: This mode disables the kernel features that will allow userland modifications to kernel code.
  • Confidentiality: This mode disables the ability to use the kernel features that allow for the extraction of confidential information.

Additional external patches can also be added to the lockdown LSM.

Additional Security Features 

It is highly advisable that organizations allow for the enabling of UEFI Secure Boot in either 'full' or 'boot' mode - especially on x86-64 systems. This will require cryptographically signed kernels and firmware, but it means that unsigned drivers cannot be loaded for hardware. This can dramatically reduce an attack surface by making it much more challenging for threat actors to insert malicious kernel modules into a system. It can also reduce the risk of unsigned rootkits remaining in place after a reboot.

It's worth noting that not all Linux distros will have Secure Boot integration and that manual intervention may be necessary at times, particularly during upgrades. 

Introducing the Linux Auditing System (AuditD)

Developed and maintained by RedHat, AuditD is designed for Linux access monitoring and accounting. It's an excellent and robust tool that integrates very tightly with the kernel, monitoring for particular system calls. By operating at the kernel level, this allows admins to access any of the system operations that they need to. Everything can be monitored, including files and network traffic. By operating at such a granular level, the detail that AuditD offers is outstanding, and it is as useful a tool as they come. However, it does suffer from a lack of Syslog. So while it doesn't have to rely on any externals, this does mean that you have to manage all of the audit logging using only the tools available on the AuditD dashboard itself. As a result, log collection, archiving and remote logging can become a lot more challenging. 

Malware/Rootkit Scanners

Finding rootkits is always a challenge, but there is now a wide range of rootkit scanners that make it much easier to detect and then remove rootkits. There are plenty of options available, too, with some of the biggest tech names, such as Intel (McAfee) and Norton, offering their own rootkit scanners. Smaller names are also delivering a rapid output of rootkit scanning products, making rootkit discovery and removal significantly faster and easier. If you are planning to implement a malware/rootkit scanner, it's worth bearing in mind that they are often designed with a different end-user in mind. Many are tailored to more experienced users, while others will offer more basic functionality for non-technical users. Make sure to have a clear idea of the types of features you need, and do your research on each of the existing options. The following are all highly regarded:

Automated Source Code Analysis

Automated source code analysis (SCA) software is more informative than traditional vulnerability scanning software, as it checks for license and policy compliance and security threats, as well as any version updates. If the goal is a higher quality end product, automated source code analysis software is a worthwhile investment. It is very helpful in detecting flaws and even highlighting specific solutions for application code errors. Without the need for test cases and dramatically cutting down on test time, SCA software is the common-sense alternative to manually evaluating every single line of code. These solutions are dependable and cost-effective and are particularly valuable for organizations facing repeated cases of reduced quality, compliance issues, or overlooked flaws. 

Although not definitive, the advent of an automated technology that reads and analyses source codes line by line is the next stage in the evolution in open-source kernel security technologies. These technologies can quickly and easily identify and then repair potential vulnerabilities across a range of open-source systems and technologies. Hackers looking to attack an open-source technology will often target buffer overflows, memory allocation bugs - or any vulnerability they are able to find. Coding issues are all too easy to miss when in-house teams are the only option, making automation key to enhanced security measures across the digital space.

In Summary

By utilizing the very best open-source kernel security technologies, Linux admins can ensure that their systems are secure from attacks and branches. With the rapid innovation occurring in the realm of open-source security combined with responsible administration, admins, users and data can be kept safer than ever.