Kernel Hardening: Protect Linux user accounts against brute force attacks
Scope of the Project and Relation to Qubes/Kicksecure
- Commenters note the title is misleadingly narrow; the project offers broader hardening beyond brute-force protection.
- In Qubes OS, many users indirectly use Kicksecure via Whonix, but some argue Qubes’ main protection is hardware virtualization, with Kicksecure being secondary.
Kexec, Root, and Defense-in-Depth
- Some argue disabling
kexecis pointless because only root can use it, and limiting root is akin to creeping DRM. - Others see value in disabling
kexecas one layer in defense-in-depth, especially in combination with SELinux, limited/dev/mem//dev/kmem, disabled/proc/kcore, and module restrictions. - Counterpoint: truly preventing root from re-enabling
kexecor patching the kernel requires extensive MAC policies and compile-time choices; otherwise root can still modify kernel memory.
Secure Boot, Signed Modules, and User Freedom
- One side supports only allowing signed kernel modules (optionally, via secure boot) for stronger integrity.
- Critics worry this evolves into non-optional lockdown (Android, TPM, gaming anti-cheat examples) and undermines user control over their own hardware.
- Some note hardened setups disable module loading after boot; others object that preventing users from loading their own ring 0 code is unacceptable.
Role of Root, sudo, and suid
- A strong minority argues the existence and broad power of root is “bad security” and should be minimized or split into narrower roles (network-admin, software-install, etc.).
- Proposed model: remove or neuter root, avoid suid binaries, and use privileged services or capabilities-based binaries instead.
- Pushback: administrators must be able to fully control their systems; turning Linux into iOS-like locked-down systems is widely rejected.
- Some suggest carefully configured
sudoplus SELinux already achieves fine-grained control without removing root.
SELinux: Power vs Usability
- SELinux is cited as a mature way to restrict even root (e.g., blocking module load,
kexec). - Opinions split: some say it works well in practice; others see it as complex, poorly documented, and something people mainly try to “get out of the way.”
Browser Sandboxing and Application Isolation
- Multiple approaches discussed: separate user accounts, AppArmor, Firejail, flatpak/bubblewrap, containers (docker/podman), Qubes-style VMs, or remote browsers.
- Consensus: many tools exist to protect the system from the browser; fully protecting the browser’s data from other user processes is harder without system-wide sandboxing.