Tutorial emka

Linux Kernel Hardening: Command-line Lockdown

Posted on June 9, 2026

Linux is a very good operating system, but sometimes it is not safe enough, because hackers can find ways to break into your computer even if you have a strong password. Many people think that the root user can do everything and nothing can stop it, but this is actually a bad thing if a hacker gets your root power, because they can change the core brain of the computer, which we call the kernel. If the hacker can change the kernel, they can hide their bad programs and you will never see them, even if you use security scanners. That is why we use kernel command-line lockdown to stop anyone, even the root user, from making changes to the running kernel, so your computer stays safe. In this guide, I will show you how to do this very easily on your Linux machine by changing some boot parameters in your GRUB bootloader, so you can have a much stronger system against advanced attacks.

To understand why we do this, we must know how Linux boots and how the kernel works with its memory. When your computer starts, it loads the kernel into memory, and this kernel has all the power to talk to your hardware like your CPU, your RAM, and your hard drive. But because the kernel is very big, it sometimes has small mistakes in the code called bugs, and hackers love to find these bugs to make the computer do bad things. If we lock down the kernel, we are telling the computer to close many dangerous doors that are normally left open for developers or for old programs. We do not need these old doors open anymore, because we want our system to be like a strong castle with no weak windows. Some people worry that this will make the computer slow, but it only makes it about one percent slower, which you cannot even feel when you are playing games or browsing the internet, so it is definitely worth it for the security you get.

Before we write the commands, we need to talk about the special options we are going to add to the kernel, because you must know what they do to your system. The first option is lockdown=integrity, and this is the most important one because it stops anyone from modifying the kernel while it is running. Normally, the root user can use tools to write directly to physical memory or load new code into the kernel without any signature, but with this option turned on, the kernel will say no to these actions even if you use sudo. This means no one can use kexec to boot into a fake kernel, and no one can write to special files like /dev/mem to steal secrets from your RAM. It is like putting a big heavy lock on the engine of your car so nobody can change the parts while you are driving down the highway.

The second option we use is module.sig_enforce=1, which is very closely related to the lockdown option. In Linux, we have modules, which are like extra drivers for your mouse, keyboard, or graphics card that get loaded when you need them. But if a hacker wants to control your computer, they can write a bad module that acts like spyware and load it into your kernel. By setting this option to 1, we tell the Linux kernel that it must only load modules that have a valid security signature from your operating system developer. If a module does not have this signature, the kernel will just refuse to load it, so the hacker cannot run their bad driver on your system at all.

Next, we have three very important parameters for managing the memory of your computer, which are slab_nomerge, init_on_alloc=1, and init_on_free=1. The memory of your computer is divided into small boxes called slabs, and normally Linux will merge these boxes together if they look similar, to save space in your RAM. But hackers can use this merging behavior to do an attack where they overflow one box and corrupt the box next to it to take control. When we use slab_nomerge, we tell Linux to never merge these memory boxes, so they stay separated and safe. The other two options, init_on_alloc and init_on_free, are for cleaning up the memory, because when you delete a file or close a program, Linux does not actually erase the data, it just says that space is free for others to use. This is dangerous because other programs can read that free space and find your passwords, so we tell the kernel to write zeros over the memory when we get it and when we throw it away, which stops an attack called heap spraying.

We also have some other options like randomize_kstack_offset=on, which makes the kernel stack change its position in memory randomly every time a program makes a system call. This is very good because hackers need to know exactly where things are in memory to make their exploits work, and if the memory is constantly moving around, their exploit will fail and crash instead of hacking you. We also set vsyscall=none to disable very old system calls that modern computers do not use anymore but that still carry security risks. We also turn off debugfs with debugfs=off, because debugging files can give too much information about your hardware and memory to a hacker who is trying to find a way in. Lastly, we set oops=panic so that if the kernel makes a small mistake, it will immediately stop and reboot instead of trying to carry on with corrupted memory, which could let a hacker take over.

Now we will write the step by step tutorial so you can apply these settings on your own computer without making mistakes.

Step 1. First, you need to open your terminal application on your Linux system. You must have administrator privileges because we are going to change how the system boots, so make sure you know your sudo password.

Step 2. We will use a tool called grubby which is very good because it allows us to update the kernel arguments for all installed kernels at the same time without needing to edit scary text files manually. Type this command into your terminal and then press enter:

sudo grubby --update-kernel=ALL --args="lockdown=integrity module.sig_enforce=1 slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none debugfs=off oops=panic"

Step 3. After you run the grubby command, you need to update your grub configuration file so that the bootloader knows about these changes when you turn on your computer next time. To do this on systems like Fedora or CentOS, you must run this command:

sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Step 4. Before you restart your computer, you should check if the arguments were actually added to the configuration correctly so you do not have any problems when booting up. You can check this by running the grubby info command and looking for the args line:

sudo grubby --info=DEFAULT | grep args

Step 5. If you see all the parameters we typed earlier in the output of the grep command, then everything is correct and you can now reboot your computer to apply the security settings. You can do this by typing:

sudo reboot

Step 6. After your computer boots back up, we must verify that the new security protections are actually active and working inside the kernel. Open your terminal again and run these three verification commands to make sure.

First, check the running kernel command line parameters with this command:

cat /proc/cmdline

You should see all the arguments, like lockdown=integrity and the others, in the text that shows up.

Second, check if the lockdown status is active by reading the security file:

cat /sys/kernel/security/lockdown

The output of this command must show the word integrity inside square brackets like this: [integrity]. If you see this, it means the kernel is successfully locked down against modification.

Third, check if the module signature enforcement is active by typing:

cat /sys/module/module/parameters/sig_enforce

This command should output the letter Y which means Yes, only signed modules can be loaded now.
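
The checks from Step 4 and Step 6 can be combined into one script. The following is an added example, not part of the original tutorial: the function names and the sample values are made up for illustration, and the script works on text passed to it, so it can be tried before rebooting.

```shell
#!/bin/sh
# Added example: audit the boot parameters from Step 2 against text you pass in.
set -f  # cmdline tokens are data, never expand them as file globs

EXPECTED="lockdown=integrity module.sig_enforce=1 slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none debugfs=off oops=panic"

# check_cmdline CMDLINE: print one finding per line, nothing when all is well.
# MISSING = expected token absent; CONFLICT = same key with a different value.
check_cmdline() {
    for want in $EXPECTED; do
        key=${want%%=*}
        found=0
        for have in $1; do
            if [ "$have" = "$want" ]; then
                found=1
            elif [ "${have%%=*}" = "$key" ]; then
                echo "CONFLICT $have (expected $want)"
            fi
        done
        if [ "$found" -eq 0 ]; then echo "MISSING $want"; fi
    done
}

# active_lockdown TEXT: print the mode shown in square brackets.
active_lockdown() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# audit CMDLINE LOCKDOWN_TEXT SIG_ENFORCE: print "OK" and return 0 only
# when every check from Step 6 passes; otherwise print findings, return 1.
audit() {
    findings=$(
        check_cmdline "$1"
        [ "$(active_lockdown "$2")" = "integrity" ] || echo "LOCKDOWN not [integrity]: $2"
        [ "$3" = "Y" ] || echo "SIG_ENFORCE is '$3' (expected Y)"
    )
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    echo "OK"
}

# Constructed sample values, not captured from a real machine.
GOOD="BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro $EXPECTED"
BAD="BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro lockdown=integrity slab_nomerge init_on_alloc=1 init_on_free=0"

audit "$GOOD" "none [integrity] confidentiality" "Y"
audit "$BAD" "[none] integrity confidentiality" "N" || true
```

On a live system, call audit with the contents of /proc/cmdline, /sys/kernel/security/lockdown and /sys/module/module/parameters/sig_enforce as its three arguments. A CONFLICT line, such as init_on_free=0 in the second sample, points at an old or duplicate entry in the boot configuration that should be removed.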

In conclusion, locking down your Linux kernel using these command-line parameters is a very smart thing to do if you want to protect your computer from advanced threats and hackers who try to steal your data. It stops unauthorized changes to the running system, cleans up your memory so secrets do not leak, and turns off old dangerous features that you do not need. It might make your computer a tiny bit slower but it is so small that you will not notice it, and the safety you get is much more important.
