Why Kernel Hardening Matters
The Linux kernel is the foundation of your entire system security stack. Kernel parameters controlled through sysctl determine how your system handles network traffic, memory management, process isolation, and security boundaries. Default kernel settings prioritize compatibility over security: they allow IP forwarding, accept ICMP redirects, and keep ASLR at a basic level.
Organizations like CIS (Center for Internet Security), DISA (Defense Information Systems Agency), and the NSA publish kernel hardening benchmarks that specify recommended values for dozens of sysctl parameters. Manually checking each parameter against these benchmarks is time-consuming and error-prone.
dargslan-kernel-check automates kernel parameter auditing. It checks 20+ security-relevant sysctl settings, compares live values against recommended baselines, detects differences between running configuration and saved settings, and calculates an overall hardening score.
Install dargslan-kernel-check
pip install dargslan-kernel-check
Zero dependencies. Reads directly from /proc/sys/ for live values and /etc/sysctl.conf + /etc/sysctl.d/ for saved configurations.
CLI Usage
# Full hardening report with score
dargslan-kernel report
# Quick security score (0-100)
dargslan-kernel score
# All security parameters with compliance status
dargslan-kernel params
# Live vs saved configuration differences
dargslan-kernel diffs
# Issues and recommendations
dargslan-kernel issues
# JSON output
dargslan-kernel json
Python API
from dargslan_kernel_check import KernelCheck
kc = KernelCheck()
# Security hardening score
score = kc.get_score()
print(f"Kernel Hardening Score: {score}/100")
# Check all security parameters
for param in kc.check_all_params():
    status = "OK" if param["compliant"] else "FAIL"
    print(f"[{status}] {param['param']}: {param['current']} (rec: {param['recommended']})")
# Compare live vs saved settings
diffs = kc.compare_live_vs_saved()
for d in diffs:
    print(f"DRIFT: {d['param']}: live={d['live']}, saved={d['saved']}")
# Full audit
issues = kc.audit()
for i in issues:
    print(f"[{i['severity']}] {i['message']}")
Critical Kernel Parameters Explained
The audit checks these essential security parameters:
- kernel.randomize_va_space = 2: Full ASLR. Randomizes stack, heap, mmap, and VDSO positions. This makes memory corruption exploits significantly harder.
- net.ipv4.tcp_syncookies = 1: SYN flood protection. Without this, an attacker can exhaust your connection table with half-open connections.
- net.ipv4.ip_forward = 0: Disable IP forwarding unless the machine is a router. Forwarding allows traffic to pass through your system to other networks.
- net.ipv4.conf.all.accept_redirects = 0: Reject ICMP redirects. Attackers use redirects to reroute traffic through malicious gateways.
- kernel.dmesg_restrict = 1: Restrict kernel log access to root. Kernel messages can leak sensitive information about system configuration.
- kernel.kptr_restrict = 2: Hide kernel pointers. Kernel address exposure helps attackers develop kernel exploits.
- fs.suid_dumpable = 0: Prevent SUID process core dumps. Core dumps of SUID binaries could contain sensitive data.
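The comparison behind the list above (live value against recommended value, plus drift from the saved file), written out with only the standard library. This is an added example, not dargslan-kernel-check's own code; `BASELINE`, `read_live`, `parse_saved`, `audit`, `sample_root` and the sample data are names and values constructed for the illustration.

```python
import tempfile
from pathlib import Path

BASELINE = {  # recommended values copied from the parameter list above
    "kernel.randomize_va_space": "2", "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.ip_forward": "0", "net.ipv4.conf.all.accept_redirects": "0",
    "kernel.dmesg_restrict": "1", "kernel.kptr_restrict": "2",
    "fs.suid_dumpable": "0"}

def read_live(param, root="/proc/sys"):
    """Live value from the file under root (dots become directories), None if unreadable."""
    try:
        return Path(root, *param.split(".")).read_text().strip()
    except OSError:
        return None

def parse_saved(text):
    """Parse sysctl.conf syntax: 'key = value', '#' or ';' comments, last entry wins."""
    saved = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#;" and "=" in line:
            key, value = line.split("=", 1)
            saved[key.strip()] = value.strip()
    return saved

def audit(saved_text, root="/proc/sys"):
    """Per parameter: is the live value compliant, and does it differ from the saved one?"""
    saved, rows = parse_saved(saved_text), []
    for param, want in BASELINE.items():
        live = read_live(param, root)
        rows.append({"param": param, "live": live, "saved": saved.get(param),
                     "compliant": live == want,
                     "drift": param in saved and saved[param] != live})
    return rows

def sample_root(live_values):
    """Build a constructed stand-in for /proc/sys in a temporary directory."""
    root = tempfile.mkdtemp()
    for param, value in live_values.items():
        path = Path(root, *param.split("."))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(value + "\n")
    return root

SAVED = "# constructed sysctl.d file\nnet.ipv4.ip_forward = 0\nkernel.kptr_restrict=2\n"
LIVE = {**BASELINE, "net.ipv4.ip_forward": "1"}  # constructed: forwarding enabled at runtime

if __name__ == "__main__":
    print(*audit(SAVED, sample_root(LIVE)), sep="\n")
```

In the constructed sample the saved file looks hardened while the running kernel forwards packets, so net.ipv4.ip_forward is reported as both non-compliant and drifted; a parameter whose file cannot be read is reported as non-compliant rather than skipped.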
CI/CD Integration
import sys
from dargslan_kernel_check import KernelCheck
kc = KernelCheck()
score = kc.get_score()
# Fail the pipeline when the score is below the minimum of 70
if score < 70:
    print(f"FAIL: Kernel hardening score {score}/100 (minimum: 70)")
    for i in kc.audit():
        if i["severity"] in ("critical", "high"):
            print(f" [{i['severity']}] {i['message']}")
    sys.exit(1)
else:
    print(f"PASS: Kernel hardening score {score}/100")
Download the Kernel Hardening Cheat Sheet
Get our Kernel Hardening Cheat Sheet, covering all critical sysctl parameters, recommended values, and configuration file locations.
Related Tools
Browse all security Python tools at dargslan.com. Our Linux security eBooks provide comprehensive kernel hardening guides.