
Scientific and technical journal

«Automation and Informatization of the fuel and energy complex»

ISSN 0132-2222

Hardening of the "Alt" operating system kernel. Tools. Techniques

UDC: 004.056.5
DOI: -

Authors:

SULYAN GAGIK S.1,
KRYLOVA ALINA A.1

1 National University of Oil and Gas "Gubkin University", Moscow, Russia

Keywords: kernel hardening, Alt OS, information security, fuel and energy complex (FEC), NX/XD, modprobe, sysctl, auditd, AltHa, FSTEC, Linux

Abstract:

The authors present a detailed methodology for hardening the kernel of the "Alt" operating system (OS), developed to ensure the information security of critically important facilities of the fuel and energy complex (FEC). The methodology is aimed at minimizing the risks of cyber threats such as buffer overflow, privilege escalation, introduction of malicious modules and denial of service (DoS) attacks, taking into account the requirements of Order No. 235 of the FSTEC of Russia. The vulnerabilities of the Linux kernel (version 6.1.127) used in the Alt Server 10 OS are considered, and a comprehensive approach is proposed that includes updating the kernel to version 6.1.127-un-def-alt1, analysis and disabling of unnecessary modules, activation of NX/XD protection, restriction of access to kernel logs, audit configuration, real-time monitoring and configuration of AltHa submodules. The tools employed are sysctl, modprobe, auditd, Lynis and AltHa, all of which are already used in FEC infrastructure. The practical implementation was carried out in a virtual environment with testing of performance and resistance to attacks. The results show that 90…95 % of the vulnerabilities identified by the Lynis audit are eliminated, with a CPU load below 5 % for most operations. The limitations of the methodology, such as the complexity of module analysis, the need for expertise and the resource intensity of the audit, are compensated for by the configuration of AltHa submodules.
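The abstract names three kernel-hardening measures that are applied through configuration files rather than kernel rebuilds: restricting access to kernel logs (sysctl), disabling unnecessary modules (modprobe) and auditing (auditd), alongside a check that NX/XD is active. The following POSIX shell script is an added example, not code from the paper or from the Alt project, that renders those three fragments into the standard drop-in locations (`sysctl.d`, `modprobe.d`, `audit/rules.d` under a directory you choose) and checks a `/proc/cpuinfo` flags line for the `nx` bit. The sample flags line and the module names used in the usage are constructed placeholders; the actual module list is an operator decision taken after the module analysis the paper describes.

```shell
#!/bin/sh
# Added example (not from the paper): render kernel-hardening fragments for
# sysctl, modprobe and auditd, and check the NX/XD CPU flag.

# Constructed /proc/cpuinfo "flags" line for offline testing; on a real host
# use: grep -m1 '^flags' /proc/cpuinfo
SAMPLE_CPUINFO_FLAGS='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm'

# Return 0 when the given "flags" line advertises NX (called XD on Intel CPUs).
has_nx_flag() {
    printf '%s\n' "$1" | sed 's/^flags[[:space:]]*:[[:space:]]*//' | tr ' ' '\n' | grep -qx 'nx'
}

# sysctl drop-in: keep the kernel ring buffer and kernel addresses away from
# unprivileged users (the "restriction of access to kernel logs" measure).
render_sysctl_hardening() {
    cat <<'EOF'
# Only processes holding CAP_SYSLOG may read the kernel ring buffer (dmesg)
kernel.dmesg_restrict = 1
# Print kernel pointers (%pK, /proc/kallsyms) as zeros for every user
kernel.kptr_restrict = 2
EOF
}

# modprobe drop-in: each module named in $1 (space separated) is blacklisted
# and its load command is mapped to /bin/false, so both autoload and an
# explicit modprobe fail.
render_modprobe_blacklist() {
    for mod in $1; do
        printf 'install %s /bin/false\nblacklist %s\n' "$mod" "$mod"
    done
}

# auditd rules: record module load/unload syscalls and edits to modprobe config.
render_audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k kernel_modules
-w /etc/modprobe.d/ -p wa -k modprobe_config
EOF
}

# Write the three fragments under $1 (created if missing) for the module list
# in $2, and print the number of files written. Pass /etc as $1 to install
# them on a real host (requires root; then run sysctl --system and augenrules --load).
write_hardening_files() {
    dir=$1
    mods=$2
    mkdir -p "$dir/sysctl.d" "$dir/modprobe.d" "$dir/audit/rules.d"
    render_sysctl_hardening > "$dir/sysctl.d/90-kernel-hardening.conf"
    render_modprobe_blacklist "$mods" > "$dir/modprobe.d/90-disabled-modules.conf"
    render_audit_rules > "$dir/audit/rules.d/90-kernel-modules.rules"
    find "$dir" -type f | wc -l | tr -d ' '
}

# Stand-alone usage: report the NX/XD state of the constructed sample line.
if has_nx_flag "$SAMPLE_CPUINFO_FLAGS"; then
    echo "NX/XD: present"
else
    echo "NX/XD: absent (the hardware does not enforce non-executable pages)"
fi
```

The `install <module> /bin/false` line is what makes the blacklist effective against an explicit `modprobe` by root, since a plain `blacklist` entry only suppresses alias-based autoloading; the audit rule on `init_module`/`finit_module` then records any attempt to bypass it, which is the event a SOC would alert on.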

Bibliography:

1. Security and Privacy Controls for Information Systems and Organizations: NIST Special Publication 800-53. – Rev. 5. – National Institute of Standards and Technology, 2020. – XXV, 465 p. – URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
2. Ob utverzhdenii Trebovaniy k sozdaniyu sistem bezopasnosti znachimykh ob"ektov kriticheskoy informatsionnoy infrastruktury Rossiyskoy Federatsii i obespecheniyu ikh funktsionirovaniya: prikaz FSTEK Rossii ot 21 dek. 2017 g. № 235 (s izmeneniyami i dopolneniyami ot 27 marta 2019 g., 20 apr. 2023 g.). – URL: https://base.garant.ru/71886248/
3. Uymin A.G. Praktikum. Demonstratsionnyy ekzamen bazovogo urovnya. Setevoe i sistemnoe administrirovanie: uchebnoe posobie dlya vuzov. – SPb.: Lan', 2024. – 116 s. – (Vysshee obrazovanie).
4. Center for Internet Security (CIS). Benchmark for Linux: v3.0.0. – 2023. – URL: https://www.cisecurity.org/cis-benchmarks
5. Kerrisk M. The Linux Programming Interface: A Linux and UNIX System Programming Handbook. – San Francisco: No Starch Press, 2010. – 1550 p.
6. Bazal't SPO. Dokumentatsiya ALT Linux. – URL: https://www.basealt.ru/
7. MITRE CVE. CVE-2024-1086. – URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1086
8. NIST NVD. NVD Vulnerability Search. – URL: https://nvd.nist.gov/vuln/search/statistics?form_type=Advanced
9. Linux Audit Framework. AUDITD(8): Guide. – URL: https://man7.org/linux/man-pages/man8/auditd.8.html
10. Love R. Linux Kernel Development. – 3rd ed. – Boston: Addison-Wesley, 2010. – 468 p.
11. ALT Linux. Dokumentatsiya po AltHa. – URL: https://www.altlinux.org/AltHa
12. Lazorin D.S., Pravikov D.I. Zashchishchennost' kiberfizicheskoy sistemy na osnove tsifrovogo dvoynika cherez otsenku kachestva upravleniya // Avtomatizatsiya i informatizatsiya TEK. – 2024. – № 2(607). – S. 43–47.