You don’t mention any specific distro, but I’m guessing it’s pretty similar across distros. And since Arch tends to have good documentation, I’ve focused mostly on Arch. (I use Arch BTW. Fight me. :wink:)
The differences are that a different set of configuration options were selected when building the Kernel. All differences in configuration were selected with security in mind.
It takes some special memory management steps to mitigate buffer overflow and stack overflow kind of vulnerabilities that might exist in other programs on the system.
It locks down access to some information about specific kernel processes to prevent malicious programs from accessing those kernel processes. (And the wiki page says specifically that this doesn’t really help much unless you compile your own kernel, but yeah.)
Locks down “BPF” which, honestly, I don’t know much about. Has something to do with firewalls?
Prevents one application from getting internal data about another application (like happens with programs like strace or gdb.)
Hides other users’ processes from your current user.
Prevents loading of unsigned kernel modules.
Turns off a feature that lets you replace a running kernel with a newer kernel version without restarting the whole computer.
Enables “Kernel lockdown mode” which "strengthens the boundary between what the root user can access and kernel space.
Enables “LKRG” which is kindof an “intrusion detection system for the Linux kernel.”
Disables the emergency shell that can otherwise be used to debug and recover when your system fails to boot. (But could also be used to do evil things if an adversary has physical access to the computer, I think?)
So, all fairly technical stuff, but just locks stuff down and locks down things to improve overall security at the expense of some functionality. Some applications just straight won’t work with a hardened kernel. (skypeforlinux-stable-bin is an example of a program that the Arch page listed above gives that just won’t work.)
Locks down “BPF” which, honestly, I don’t know much about. Has something to do with firewalls?
BPF (more importantly it’s successor, eBPF) allows (very specific, automatically verified) programs to run in kernel space, triggered by various events. Mostly used for networking stuff.
You don’t mention any specific distro, but I’m guessing it’s pretty similar across distros. And since Arch tends to have good documentation, I’ve focused mostly on Arch. (I use Arch BTW. Fight me. :wink:)
The differences are that a different set of configuration options were selected when building the Kernel. All differences in configuration were selected with security in mind.
Here is a full list with lots of details but just vaguely (in roughly the same order as they are on the Arch page):
So, all fairly technical stuff, but just locks stuff down and locks down things to improve overall security at the expense of some functionality. Some applications just straight won’t work with a hardened kernel. (skypeforlinux-stable-bin is an example of a program that the Arch page listed above gives that just won’t work.)
BPF (more importantly it’s successor, eBPF) allows (very specific, automatically verified) programs to run in kernel space, triggered by various events. Mostly used for networking stuff.
I’m running self compiled hardened kernel and I enabled kernel lockdown mode. Before that it was disabled. Maybe Arch team disabled it.