void already comes with a pretty solid, hardened kernel setup by default. some of the security features it has out of the box include full ASLR, NX protection, protected symlinks and hardlinks, randomization for kernel heap and SLAB freelists, stack protection with GCC, and a bunch of other things like restricting access to /dev/mem, enforcing read-only kernel and module data, and more. the default bootloader setup also includes things like slub_debug, page_poison, and secure memory allocation. but the default void settings aren't hardened at 100%, because otherwise you would be using OpenBSD lol.
there's also a script called hardening.sh in the void-packages repo. i've seen some folks trying to bring Whonix-style features (i think its name is PlagueOS) or grsecurity/PaX-like standards to Void too, but that's a pretty big undertaking.
this is the output of checksec --kernel on my machine
○ checksec --kernel
* Kernel protection information:
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
Kernel config:
/proc/config.gz
Vanilla Kernel ASLR: Full
NX protection: Skipped
Protected symlinks: Enabled
Protected hardlinks: Enabled
Protected fifos: Disabled
Protected regular: Disabled
Ipv4 reverse path filtering: Disabled
Kernel heap randomization: Enabled
GCC stack protector support: Enabled
GCC stack protector strong: Enabled
SLAB freelist randomization: Enabled
Virtually-mapped kernel stack: Enabled
Restrict /dev/mem access: Enabled
Restrict I/O access to /dev/mem: Enabled
Exec Shield: Unsupported
YAMA: Active
Hardened Usercopy: Enabled
Harden str/mem functions: Enabled
* X86 only:
Address space layout randomization: Enabled
* SELinux: No SELinux
SELinux infomation available here:
http://selinuxproject.org/
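As an added example (not from the post or from checksec itself), here is a small POSIX sh audit that reproduces the kind of checks behind the output above: it reads a kernel config in the format of `zcat /proc/config.gz`, a `sysctl -a` snapshot and a `/proc/cmdline` string, and reports which hardening knobs are on. The sample data is constructed to mirror the post's output (protected fifos/regular and rp_filter off); the CONFIG_ names and sysctl keys are the real upstream ones, but which ones checksec actually consults is an assumption.

```shell
#!/bin/sh
# Constructed sample inputs; on a live box use `zcat /proc/config.gz`,
# `sysctl -a` and `cat /proc/cmdline` instead.
SAMPLE_CONFIG='CONFIG_RANDOMIZE_BASE=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_VMAP_STACK=y
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_SELINUX is not set'
SAMPLE_SYSCTL='fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 0
fs.protected_regular = 0
net.ipv4.conf.all.rp_filter = 0
kernel.yama.ptrace_scope = 1'
SAMPLE_CMDLINE='BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 slub_debug=P page_poison=1'

# config_opt CONFIG_NAME CONFIG_TEXT -> Enabled if the option is built in (=y)
config_opt() {
    if printf '%s\n' "$2" | grep -qx "$1=y"; then echo Enabled; else echo Disabled; fi
}
# sysctl_opt KEY SYSCTL_TEXT -> Enabled when the value is present and nonzero
sysctl_opt() {
    v=$(printf '%s\n' "$2" | sed -n "s/^$1 = //p")
    case "$v" in ''|0) echo Disabled ;; *) echo Enabled ;; esac
}
# cmdline_opt PARAM CMDLINE -> Enabled when the boot parameter is set (bare or =value)
cmdline_opt() {
    case " $2 " in *" $1="*|*" $1 "*) echo Enabled ;; *) echo Disabled ;; esac
}
# count_disabled CONFIG_TEXT SYSCTL_TEXT CMDLINE -> number of checks not enabled,
# printing one "name: status" line per check as it goes
count_disabled() {
    n=0
    for c in RANDOMIZE_BASE STACKPROTECTOR_STRONG SLAB_FREELIST_RANDOM VMAP_STACK \
             STRICT_DEVMEM IO_STRICT_DEVMEM HARDENED_USERCOPY FORTIFY_SOURCE; do
        s=$(config_opt "CONFIG_$c" "$1"); echo "CONFIG_$c: $s" >&2
        [ "$s" = Enabled ] || n=$((n + 1))
    done
    for k in fs.protected_symlinks fs.protected_hardlinks fs.protected_fifos \
             fs.protected_regular net.ipv4.conf.all.rp_filter kernel.yama.ptrace_scope; do
        s=$(sysctl_opt "$k" "$2"); echo "$k: $s" >&2
        [ "$s" = Enabled ] || n=$((n + 1))
    done
    for p in slub_debug page_poison init_on_free; do
        s=$(cmdline_opt "$p" "$3"); echo "$p: $s" >&2
        [ "$s" = Enabled ] || n=$((n + 1))
    done
    echo "$n"
}
```

With the sample data the three sysctl knobs the post's output shows as Disabled plus the absent init_on_free give a count of 4; the sysctl ones can be turned on at runtime with sysctl without a kernel rebuild.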