Plague Kernel
Intro
Most security researchers gloss over the monolithic kernel, which continually adds support for more and more architectures and rarely, if ever, purges support for legacy ones. This is unfortunate, but “it just works” is the argument made in its defense.
In the kernel space, usability trumps security. Linux security projects in particular should place more of an emphasis on the kernel, one that borders on fixation.
Kernel security has been largely ignored. The kernel contains whole classes of vulnerabilities, and the usual solutions are quick-fix patches that don’t address the trend at large.
Plague Kernel
Project Description:
Kernel hardening project pulling from a mix of sources such as Whonix, KSPP, & CLIPOS.
Why should you run the custom Plague kernel? Currently, it is the most comprehensive kernel configuration that homes in on cutting attack surface by reducing legacy modules, firmware, and hardware support, along with applying hardening configurations from the sources listed above.
The developer goes as far as to provide size as a point of comparison, comparing the custom Plague LTS kernel with the one used by Whonix. The comparison shows that the size of the kernel has been cut by 45%.
Importing the Plague Kernel
Since the main developer already provides self-compilation instructions in the project’s README, I will provide instructions for importing the pre-compiled kernel into other distributions. The following commands can be pasted into a terminal. They successfully import the kernel on Debian-based hosts such as Parrot, Kicksecure, or Whonix. RHEL/Fedora would follow similar steps.
# Run these commands as root; they write to /boot and /lib/modules
# Remount boot partition as read-write
mount -o remount,rw /boot
# Define KVER_LATEST (latest kernel version); the URL is quoted so the shell does not treat "?" as a glob
KVER_LATEST=$(curl --tlsv1.2 --proto =https 'https://0xacab.org/optout/plagueos/-/raw/master/installer_scripts/env.cfg?inline=false' | grep 'KVER=' | cut -d'"' -f2)
# Pull down latest vmlinuz file (/boot)
wget "https://0xacab.org/optout/plagueos/-/raw/master/base_configs/boot/vmlinuz-$KVER_LATEST"
# Pull down latest kernel archive (/lib/modules/)
wget "https://0xacab.org/optout/plagueos/-/raw/master/linux-hardened/$KVER_LATEST.tar.xz"
# Staging
tar -xvf "$KVER_LATEST.tar.xz" -C /lib/modules/
mv "vmlinuz-$KVER_LATEST" /boot/
# Build initramfs
sudo update-initramfs -c -k "$KVER_LATEST"
# Reconfigure grub
/usr/sbin/update-grub
# Reboot
Following a system reboot, the host should default to running the Plague kernel.
This can be verified by running uname -r from a terminal.
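The import commands above unpack a downloaded archive into /lib/modules and move a kernel image into /boot as root without checking the files themselves. The following is an added example, not code from the original post or the Plague project, of checks that could run between the download and staging steps; the function names, the accepted version-string format, and the out-of-band pinned SHA-256 value are assumptions.

```shell
#!/bin/sh
# Added example, not from the Plague project: checks to run on the downloaded
# files before anything is moved into /boot or unpacked into /lib/modules.

# The version string ends up in URLs and root-owned paths, so accept only a
# conservative character set (assumed format: 6.1.55 or 6.1.55-hardened1).
valid_kver() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|*..*) return 1 ;;  # empty, odd character, or ".."
    esac
    printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+'
}

# Reads tar member names on stdin. Fails on absolute paths or ".." components,
# which could land outside the -C target when unpacked as root.
members_are_safe() {
    ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Lists the archive without extracting it and checks every member name.
archive_is_safe() {
    members=$(tar -tf "$1" 2>/dev/null) || return 1
    [ -n "$members" ] || return 1
    printf '%s\n' "$members" | members_are_safe
}

# Compares a file with a SHA-256 digest obtained out of band (assumption: the
# operator pins this value; the page does not mention published checksums).
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Usage: verify_kernel_download KVER ARCHIVE PINNED_SHA256
verify_kernel_download() {
    valid_kver "$1" || { echo "rejecting version string" >&2; return 1; }
    sha256_matches "$2" "$3" || { echo "digest mismatch: $2" >&2; return 1; }
    archive_is_safe "$2" || { echo "unsafe member path in $2" >&2; return 1; }
}
```

Call verify_kernel_download with "$KVER_LATEST", the downloaded "$KVER_LATEST.tar.xz" and the pinned digest after the wget steps, and continue to staging only if it returns 0. The same sha256_matches check applies to the vmlinuz file.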