welcome to !voidlinux@infosec.pub

void already comes with a pretty solid, hardened kernel setup by default. some of the security features it has out of the box include full ASLR, NX protection, protected symlinks and hardlinks, randomization for kernel heap and SLAB freelists, stack protection with GCC, and a bunch of other things like restricting access to /dev/mem, enforcing read-only kernel and module data, and more. the default bootloader setup also includes things like slub_debug, page_poison, and secure memory allocation. but the default void settings aren't hardened at 100%, because otherwise you would be using OpenBSD lol.

there's also a script called hardening.sh in the void-packages repo. i've seen some folks trying to bring Whonix-style features (i think its name is PlagueOS) or grsecurity/PaX-like standards to Void too, but that’s a pretty big undertaking.

this is the output of checksec --kernel on my machine

    
○ checksec --kernel
* Kernel protection information:

  Description - List the status of kernel protection mechanisms. Rather than
  inspect kernel mechanisms that may aid in the prevention of exploitation of
  userspace processes, this option lists the status of kernel configuration
  options that harden the kernel itself against attack.

  Kernel config:
/proc/config.gz

  Vanilla Kernel ASLR:                    Full
  NX protection:                          Skipped
  Protected symlinks:                     Enabled
  Protected hardlinks:                    Enabled
  Protected fifos:                        Disabled
  Protected regular:                      Disabled
  Ipv4 reverse path filtering:            Disabled
  Kernel heap randomization:              Enabled
  GCC stack protector support:            Enabled
  GCC stack protector strong:             Enabled
  SLAB freelist randomization:            Enabled
  Virtually-mapped kernel stack:          Enabled
  Restrict /dev/mem access:               Enabled
  Restrict I/O access to /dev/mem:        Enabled
  Exec Shield:                            Unsupported
  YAMA:                                   Active

  Hardened Usercopy:                      Enabled
  Harden str/mem functions:               Enabled

* X86 only:
  Address space layout randomization:     Enabled

* SELinux:                                No SELinux

  SELinux infomation available here:
    http://selinuxproject.org/

4 comments

Is there a hardened version of void? I'm interested in hardened distributions and like that Void has a musl build, but is there any dialogue from the devs or the community in using void as a hardened server OS?
- void already comes with a pretty solid, hardened kernel setup by default. some of the security features it has out of the box include full ASLR, NX protection, protected symlinks and hardlinks, randomization for kernel heap and SLAB freelists, stack protection with GCC, and a bunch of other things like restricting access to /dev/mem, enforcing read-only kernel and module data, and more. the default bootloader setup also includes things like slub_debug, page_poison, and secure memory allocation. but the default void settings aren't hardened at 100%, because otherwise you would be using OpenBSD lol.
  there's also a script called hardening.sh in the void-packages repo. i've seen some folks trying to bring Whonix-style features (i think its name is PlagueOS) or grsecurity/PaX-like standards to Void too, but that’s a pretty big undertaking.
  this is the output of checksec --kernel on my machine
  
  ○ checksec --kernel * Kernel protection information: Description - List the status of kernel protection mechanisms. Rather than inspect kernel mechanisms that may aid in the prevention of exploitation of userspace processes, this option lists the status of kernel configuration options that harden the kernel itself against attack. Kernel config: /proc/config.gz Vanilla Kernel ASLR: Full NX protection: Skipped Protected symlinks: Enabled Protected hardlinks: Enabled Protected fifos: Disabled Protected regular: Disabled Ipv4 reverse path filtering: Disabled Kernel heap randomization: Enabled GCC stack protector support: Enabled GCC stack protector strong: Enabled SLAB freelist randomization: Enabled Virtually-mapped kernel stack: Enabled Restrict /dev/mem access: Enabled Restrict I/O access to /dev/mem: Enabled Exec Shield: Unsupported YAMA: Active Hardened Usercopy: Enabled Harden str/mem functions: Enabled * X86 only: Address space layout randomization: Enabled * SELinux: No SELinux SELinux infomation available here: http://selinuxproject.org/
  
  Thank you for the comment. Definitely looks like there's some interest in hardening Void, with that said most of the kernel protections that I see from your checksec output exist on my Debian system too. I will try it out in a VM then.