Can we please add the linux-hardened kernel to the repos?

I ran CISOfy’s lynis tool on the following kernels from the repos

  • 5.10.53-1-MANJARO
  • 5.12.19-1-MANJARO

They both scored 63.

Then I compiled the 5.12.19-hardened1-1-hardened-cacule kernel from the AUR & ran the test again. It got a 65.

Just changing the kernel increased the score of a clean install by 2 points.

I realise that this is just One metric from One test and we cannot deduce conclusions here.
But it is worth considering & looking into further.

The issue of unofficial kernels has been discussed [here].
The general consensus was that unofficial kernels would increase instability.

Feature request FAQ states that if a package is available in the AUR then the request might be declined - however, given the fact that compiling kernels is a resource & time-intensive task, that unofficial kernels increase instability anyway, and the tangible benefits of the hardened kernel; I believe that this should be considered seriously.


What do these number mean?

I assume the higher the number, the more secure it is. But on which areas does it matter?

I am not allowed to post links? So you’ll have to search for CISOfy/lynis on GitHub.

I ran the default audit ./lynis audit system which considers a whole bunch of things, including boot system, memory & services, file permissions, and of course, kernel hardening; to name a few.

If the test was localised to the kernel then the difference would be even greater.


Alright, I’ve pasted the kernel-hardening output from the audit in a gist. It was easier to preserve the formatting there.

lynis audit of 5.12.19-1-MANJARO

lynis audit of 5.12.19-hardened1-1-hardened-cacule

It seems there are only 4 differences - lines 31, 33, 36, & 38.

I’m only a student at this point & I am learning as I go along. Hopefully, you’ll be able to make more sense of that than I can (at this point).

All of these 4 kernel options can be set at runtime. But at least unprivileged_bpf_disabled can’t be changed back without reboot.

If you want these as your default, add them to a sysctl config file or add them to your kernel command line. Use the expected value from your output.
If you just want these options there is no need for the linux-hardened.
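As an added illustration of the sysctl-file approach suggested in the reply above (this is example code written for this page, not from the thread, lynis, or Manjaro): a small POSIX shell script that compares a set of kernel sysctl keys against desired hardening values, lists the ones that differ, and renders the mismatches as a sysctl.d drop-in. Only kernel.unprivileged_bpf_disabled is named in the thread; the other keys in the DESIRED list (kernel.kptr_restrict, kernel.dmesg_restrict, kernel.yama.ptrace_scope) and their target values are assumptions chosen as typical of what a kernel-hardening audit reports. The default run uses a constructed sample of current values so it works offline; pass --live to read the real values from /proc/sys instead.

```shell
#!/bin/sh
# Added example (not from the thread): compare sysctl keys against desired
# hardening values and emit a sysctl.d drop-in for whatever is not in effect.
# The key list is an assumption; only kernel.unprivileged_bpf_disabled is
# mentioned in the thread. Value 1 for that key is the one that cannot be
# reverted without a reboot.

# Desired values, one "key value" pair per line (assumed targets).
DESIRED='kernel.kptr_restrict 2
kernel.dmesg_restrict 1
kernel.unprivileged_bpf_disabled 1
kernel.yama.ptrace_scope 1'

# Read the live value of one key from /proc/sys, or "absent" if the key
# does not exist on this kernel (e.g. Yama not built in).
live_value() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

# Given a "key value" list of current values, print "key current desired"
# for every key whose current value differs from the desired one.
find_mismatches() {
    current="$1"
    printf '%s\n' "$DESIRED" | while read -r key want; do
        have=$(printf '%s\n' "$current" | awk -v k="$key" '$1 == k { print $2 }')
        [ -z "$have" ] && have=absent
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$have" "$want"
    done
}

# Number of mismatching keys, as a plain integer.
count_mismatches() {
    find_mismatches "$1" | wc -l | tr -d ' '
}

# Render the mismatches in sysctl.conf syntax (drop into /etc/sysctl.d/).
render_sysctl_conf() {
    printf '# hardening values not currently in effect\n'
    find_mismatches "$1" | while read -r key have want; do
        printf '%s = %s\n' "$key" "$want"
    done
}

# Constructed sample standing in for real `sysctl` output: two keys already
# match, two do not.
SAMPLE='kernel.kptr_restrict 1
kernel.dmesg_restrict 1
kernel.unprivileged_bpf_disabled 0
kernel.yama.ptrace_scope 1'

if [ "${1:-}" = "--live" ]; then
    live=$(printf '%s\n' "$DESIRED" | while read -r key _; do
        printf '%s %s\n' "$key" "$(live_value "$key")"
    done)
    render_sysctl_conf "$live"
else
    render_sysctl_conf "$SAMPLE"
fi
```

Running it without arguments prints a two-line drop-in for the sample (kptr_restrict and unprivileged_bpf_disabled); with --live it does the same against the running kernel. Keys reported as "absent" mean the running kernel does not expose that knob at all, which is the case where switching kernels, rather than editing sysctl, is what actually changes the result.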