figured i’d spin up a Void Linux community here since the one on lemmy.ml is kinda hard to reach for folks on other instances.

this space is for anyone using (or curious about) Void. ask questions, share tips, show off your setups, or just vibe.

not too many rules, just:

  • keep it Void-related
  • don’t be a jerk
  • no dumb distro fights

that’s it.

drop a post, say hey, share your rice, whatever.

  • fishynoob@infosec.pub
    8 days ago

    Is there a hardened version of void? I’m interested in hardened distributions and like that Void has a musl build, but is there any dialogue from the devs or the community in using void as a hardened server OS?

    • occultist8128@infosec.pubOPM
      7 days ago

      void already comes with a pretty solid, hardened kernel setup by default. some of the security features it has out of the box include full ASLR, NX protection, protected symlinks and hardlinks, randomization for kernel heap and SLAB freelists, stack protection with GCC, and a bunch of other things like restricting access to /dev/mem, enforcing read-only kernel and module data, and more. the default bootloader setup also includes things like slub_debug, page_poison, and secure memory allocation. but the default void settings aren’t hardened at 100%, because otherwise you would be using OpenBSD lol.

      there’s also a script called hardening.sh in the void-packages repo. i’ve seen some folks trying to bring Whonix-style features (i think its name is PlagueOS) or grsecurity/PaX-like standards to Void too, but that’s a pretty big undertaking.

      this is the output of checksec --kernel on my machine

       checksec --kernel
      * Kernel protection information:
      
        Description - List the status of kernel protection mechanisms. Rather than
        inspect kernel mechanisms that may aid in the prevention of exploitation of
        userspace processes, this option lists the status of kernel configuration
        options that harden the kernel itself against attack.
      
        Kernel config:
      /proc/config.gz
      
        Vanilla Kernel ASLR:                    Full
        NX protection:                          Skipped
        Protected symlinks:                     Enabled
        Protected hardlinks:                    Enabled
        Protected fifos:                        Disabled
        Protected regular:                      Disabled
        Ipv4 reverse path filtering:            Disabled
        Kernel heap randomization:              Enabled
        GCC stack protector support:            Enabled
        GCC stack protector strong:             Enabled
        SLAB freelist randomization:            Enabled
        Virtually-mapped kernel stack:          Enabled
        Restrict /dev/mem access:               Enabled
        Restrict I/O access to /dev/mem:        Enabled
        Exec Shield:                            Unsupported
        YAMA:                                   Active
      
        Hardened Usercopy:                      Enabled
        Harden str/mem functions:               Enabled
      
      * X86 only:
        Address space layout randomization:     Enabled
      
      * SELinux:                                No SELinux
      
        SELinux infomation available here:
          http://selinuxproject.org/
      
      • fishynoob@infosec.pub
        7 days ago

        Thank you for the comment. Definitely looks like there’s some interest in hardening Void. With that said, most of the kernel protections that I see from your checksec output exist on my Debian system too. I will try it out in a VM then.
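
The rows shown as Disabled in the checksec --kernel output above (protected fifos, protected regular, IPv4 reverse path filtering) are backed by sysctl values that can be read directly, which makes the same comparison repeatable on Void, Debian or a test VM. The script below is an added example, not part of the thread or of void-packages; the baseline minimums and the optional root-directory argument are assumptions of the example.

```shell
#!/bin/sh
# Added example: re-check the sysctl values behind several checksec rows.
# The minimums are this example's baseline, not a Void Linux default or policy.
BASELINE='
kernel/randomize_va_space:2
fs/protected_symlinks:1
fs/protected_hardlinks:1
fs/protected_fifos:1
fs/protected_regular:1
net/ipv4/conf/all/rp_filter:1
kernel/yama/ptrace_scope:1
'

# audit_sysctl [ROOT]: print one line per key, return 1 if any key is below
# its minimum, unreadable or non-numeric. ROOT defaults to /proc/sys; passing
# another directory (an assumption of this example) allows offline testing.
audit_sysctl() {
    root=${1:-/proc/sys}
    failed=0
    for entry in $BASELINE; do
        key=${entry%%:*}
        min=${entry##*:}
        if [ ! -r "$root/$key" ]; then
            # Absent file: feature not compiled in or LSM not loaded.
            echo "MISSING $key"
            failed=1
            continue
        fi
        val=$(cat "$root/$key")
        case $val in
            ''|*[!0-9]*)
                echo "UNPARSED $key=$val"
                failed=1
                continue ;;
        esac
        if [ "$val" -ge "$min" ]; then
            echo "OK $key=$val"
        else
            echo "WEAK $key=$val (want >= $min)"
            failed=1
        fi
    done
    return "$failed"
}

# Report on the running system; "|| true" keeps the script's exit status 0.
audit_sysctl "${SYSCTL_ROOT:-/proc/sys}" || true
```

A WEAK line can be changed at runtime with sysctl -w and made persistent through a file under /etc/sysctl.d; note that the kernel applies the higher of the "all" and per-interface rp_filter values, so a 0 under "all" does not by itself mean every interface is unfiltered.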