Cybreach Consulting Prendre RDV
Back to articles
Vulnerabilities

Linux hardening: permissions, SSH, AppArmor and kernel protections

Linux system hardening aims to reduce the attack surface by disabling unnecessary features, strengthening default configurations, and enabling available protections. Hardening references like the CIS Linux Benchmark or the ANSSI guide provide exhaustive control checklists. The Lynis tool enables automated initial auditing.

File permissions and ownership

Misconfigured permissions allow unprivileged users to read or modify sensitive files. Critical points to check: files with no owner (find / -nouser -o -nogroup), world-writable files (find / -perm -0002 -not -type l), service configuration files readable by all (private keys, configuration files with passwords), home directories without access restrictions.

Critical permissions audit

# Fichiers world-writable (hors /tmp et /dev)
find / -perm -0002 -type f -not -path '/tmp/*' -not -path '/dev/*' 2>/dev/null

# Fichiers sans propriétaire
find / -nouser -o -nogroup 2>/dev/null

# Permissions sur les clés SSH
stat ~/.ssh/id_rsa  # Doit être 600 ou 400
stat ~/.ssh/authorized_keys  # Doit être 600

Default umask

Umask determines the default permissions of created files and directories. A umask of 022 (often the default) creates files with permissions 644 (read for all) and directories with 755 (traverse for all). For a server, a umask of 027 is more restrictive (files at 640, directories at 750: no access for others). Umask is configured in /etc/profile, /etc/bash.bashrc, or /etc/login.defs.

SSH configuration

SSH is generally the main remote access point of a Linux server. Its default configuration includes several options to restrict.

Secure sshd_config configuration

# /etc/ssh/sshd_config
PermitRootLogin no              # Interdire la connexion SSH en tant que root
PasswordAuthentication no       # Forcer l'authentification par clé
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3                  # Limiter les tentatives d'authentification
LoginGraceTime 30               # 30 secondes pour s'authentifier
X11Forwarding no                # Désactiver le forwarding X11 si inutile
AllowTcpForwarding no           # Désactiver si le tunneling n'est pas nécessaire
AllowUsers deployuser adminuser # Restreindre aux utilisateurs autorisés

AppArmor and SELinux

AppArmor (Ubuntu/Debian) and SELinux (RHEL/CentOS) are mandatory access control (MAC) systems that restrict actions processes can perform, independent of UNIX permissions. A compromised web service can't access /etc/shadow if AppArmor forbids it. These systems are often disabled or in permissive mode (logging only) because their configuration is perceived as complex. Profiles provided by distributions cover most common services.

Compilation protections

Compilation protections reduce the exploitability of buffer overflows and memory corruption. ASLR (Address Space Layout Randomization): randomises memory addressing, making precise address targeting difficult. Stack canaries: value placed before the return pointer, detects stack overflows. PIE (Position Independent Executable): enables ASLR for the main executable. RELRO: protects library sections from writing. NX/DEP: makes data areas non-executable.

Checking a binary's protections

# checksec : outil d'audit des protections de compilation
checksec --file=/usr/sbin/nginx

# Vérifier ASLR au niveau noyau :
cat /proc/sys/kernel/randomize_va_space
# 0 = désactivé, 1 = partiel, 2 = complet (recommandé)

# Activer ASLR si désactivé :
sysctl -w kernel.randomize_va_space=2

Access to /dev/mem and dmesg

/dev/mem gives direct access to physical memory. Unrestricted access allows a user with appropriate rights to read or modify any area of physical memory, including the kernel. Restricting dmesg (kernel logs) prevents unprivileged users from seeing hardware and kernel information that aids exploitation.

Restricting dmesg and removable media

# /etc/sysctl.conf
kernel.dmesg_restrict = 1      # Restreindre dmesg aux root
kernel.kptr_restrict = 2       # Masquer les adresses du noyau
dev.tty.ldisc_autoload = 0     # Désactiver le chargement auto de drivers TTY

A question after reading?

Want to assess or harden your Linux systems? Send a message.

Or book a 30-minute scoping call directly

Book a call