Hardening the NullSec Kernel
A pentesting distro running a stock kernel is ironic. Here's every kernel hardening option we enable and why.
Memory protections
- CONFIG_RANDOMIZE_BASE=y — KASLR: randomize the kernel's virtual load address
- CONFIG_RANDOMIZE_MEMORY=y — randomize the base of the physical direct map, vmalloc and vmemmap regions
- CONFIG_STACKPROTECTOR_STRONG=y — stack canaries in every function with a local array or an address-taken local
- CONFIG_HARDENED_USERCOPY=y — bounds-check copy_to_user/copy_from_user against the size of the kernel object involved
- CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y — zero-fill page and slab allocations, killing uninitialized-memory leaks
Access control
- CONFIG_SECURITY_LOCKDOWN_LSM=y — kernel lockdown: in integrity mode, denies even root the interfaces that could modify the running kernel (/dev/mem, unsigned kexec images, raw MSR and port I/O, and so on)
- CONFIG_BPF_JIT_ALWAYS_ON=y + CONFIG_BPF_UNPRIV_DEFAULT_OFF=y — restrict BPF: the first removes the BPF interpreter (a Spectre gadget source) by always JIT-compiling, the second turns kernel.unprivileged_bpf_disabled on at boot so only processes with CAP_BPF/CAP_SYS_ADMIN can load programs
- CONFIG_MODULE_SIG_FORCE=y — only modules signed with the build key can load
Network hardening
- CONFIG_SYN_COOKIES=y — SYN flood protection (cookies only kick in once the listen backlog overflows, so they cost nothing in normal operation)
- IP forwarding off by default: net.ipv4.ip_forward = 0 (a pentesting box shouldn't route)
- Sysctl tweaks: rp_filter, log_martians, ICMP rate limiting
Testing
We run the kernel-hardening-checker in CI. Our score: 85/100 (the remaining 15 points are options that break pentesting tools).
Filesystem and integrity hardening
Beyond memory and network protections, we harden the filesystem layer. Together with the mount flags below, these options close off common privilege escalation paths that rely on writable mount points, tampered binaries or metadata, and ptrace of other users' processes:
- CONFIG_EXT4_FS_SECURITY=y — enables the security.* extended attribute namespace on ext4, which is where IMA, EVM and SELinux store their labels (POSIX ACLs are a separate option, CONFIG_EXT4_FS_POSIX_ACL)
- CONFIG_IMA=y — Integrity Measurement Architecture: hashes files matched by the IMA policy on open or execute and, in appraisal mode, refuses a file whose hash or signature in security.ima does not verify
- CONFIG_EVM=y — Extended Verification Module: HMACs or signs the security-sensitive xattrs (security.ima, security.selinux, ...) so the labels IMA trusts cannot themselves be rewritten offline
- CONFIG_SECURITY_YAMA=y — restricts ptrace (kernel.yama.ptrace_scope = 1): an unprivileged process may only trace its own descendants, blocking the classic credential-scraping and process-injection post-exploitation moves
We also mount /tmp and /dev/shm with noexec,nosuid,nodev by default. Even if an attacker drops a binary into /tmp, execve and PROT_EXEC mappings from that filesystem are refused, and IMA appraisal covers binaries executed from any location the policy names. Two caveats worth knowing: noexec does not stop a script from being handed to an interpreter that is already installed, and tools that build or run helpers under /tmp will fail in non-obvious ways (point TMPDIR at an exec-allowed location for those).
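To confirm that a running kernel was actually built with the options in the memory, access-control, network and filesystem lists above, the check below reads a kernel .config (/boot/config-$(uname -r), or /proc/config.gz after zcat) and reports each expected option as PASS or FAIL. This is an added example written for this page, not NullSec's own tooling; the expected-value table is assembled from the lists above and is an assumption about what the NullSec build sets.

```shell
#!/bin/sh
# Added example (not NullSec tooling): audit a kernel .config against the
# hardening options listed on this page.
# Usage: check_kconfig /boot/config-$(uname -r)
#    or: zcat /proc/config.gz > /tmp/cfg && check_kconfig /tmp/cfg

# Expected option=value pairs, assembled from the page's lists (assumption).
NULLSEC_EXPECTED='
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_SYN_COOKIES=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_IMA=y
CONFIG_EVM=y
CONFIG_SECURITY_YAMA=y
'

# kconfig_value FILE OPTION
# Prints the option's value ("y", "m", a number or string), "n" when the
# file says "# OPTION is not set", or nothing when the option is absent
# (which usually means the kernel predates it or the Kconfig dependency failed).
kconfig_value() {
    file=$1; opt=$2
    if grep -q "^$opt=" "$file"; then
        sed -n "s/^$opt=//p" "$file" | head -n 1
    elif grep -q "^# $opt is not set" "$file"; then
        printf 'n'
    fi
    return 0
}

# check_kconfig FILE
# Prints one [PASS]/[FAIL] line per expected option and returns the number of
# failures, so it can gate a CI job with a plain exit status.
check_kconfig() {
    file=$1; fails=0
    for pair in $NULLSEC_EXPECTED; do
        opt=${pair%%=*}; want=${pair#*=}
        got=$(kconfig_value "$file" "$opt")
        if [ "$got" = "$want" ]; then
            printf '[PASS] %s=%s\n' "$opt" "$want"
        else
            printf '[FAIL] %s expected %s, got %s\n' "$opt" "$want" "${got:-<absent>}"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

An absent option is reported separately from a disabled one on purpose: "not set" means the build deliberately turned it off, whereas "absent" usually means the option does not exist for that kernel version or its dependencies were unmet, and the two deserve different follow-up.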
Boot chain security
A hardened kernel means nothing if the bootloader is compromised. NullSec's boot chain is locked down end-to-end:
- Secure Boot — UEFI Secure Boot is supported but not required (many pentest labs use legacy BIOS)
- Signed kernel & initramfs — the kernel image and initramfs are signed with our build key; GRUB verifies signatures before loading
- Locked GRUB — the GRUB menu is password-protected to prevent single-user mode access
- dm-verity — the root filesystem on the live ISO uses dm-verity for block-level integrity verification; this covers the read-only root only, so anything writable layered on top of it sits outside the verified tree
This makes NullSec significantly harder to tamper with than stock Kali or Parrot, where an attacker with physical access can modify the boot chain trivially. One honest caveat: the chain is only anchored in hardware when UEFI Secure Boot is enabled. Without it, GRUB's signature checks protect the kernel and initramfs on disk, but a physical attacker can simply replace GRUB itself with a build that skips the checks.
Runtime exploit mitigations
We also set the runtime knobs the kernel exposes for userspace-facing mitigations and attack-surface reduction:
# /etc/sysctl.d/99-nullsec-hardening.conf
# ASLR at maximum strength (stack, heap, mmap, vdso)
kernel.randomize_va_space = 2
# Restrict dmesg to root (prevents info leaks)
kernel.dmesg_restrict = 1
# Restrict kernel pointer display
kernel.kptr_restrict = 2
# Disable kexec (prevents hot-loading a malicious kernel; one-way until reboot)
kernel.kexec_load_disabled = 1
# Restrict performance events (prevents side-channel attacks). 2 still allows
# user-space-only profiling by unprivileged users; 3 disallows all unprivileged
# use but is only implemented in Debian/Ubuntu-patched kernels (upstream treats
# 3 the same as 2)
kernel.perf_event_paranoid = 3
# Disable unprivileged user namespaces: removes the entry point most kernel
# privesc exploits rely on (and breaks rootless containers). This is a
# Debian-specific sysctl; on upstream kernels use user.max_user_namespaces = 0
kernel.unprivileged_userns_clone = 0
Each sysctl has a corresponding CI test that verifies the value after boot. If a kernel update resets any of these, our nightly pipeline catches it within hours.
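The kind of post-boot check that CI test implies, written as an added example rather than NullSec's own pipeline code: it reads each expected sysctl straight from /proc/sys and checks the /tmp and /dev/shm flags from /proc/self/mounts, so it needs neither the sysctl(8) nor the mount(8) binaries. SYSFS_ROOT and MOUNTS_FILE can be pointed at a constructed tree for offline testing. The rp_filter and log_martians values are assumptions (the page names those knobs but not their settings), and kernel.unprivileged_userns_clone exists only on Debian-patched kernels, so it reports as absent elsewhere.

```shell
#!/bin/sh
# Added example (not nullsec-audit): verify the hardening sysctls and the
# /tmp and /dev/shm mount flags after boot, reading /proc directly.
# Usage: check_sysctls; check_mounts   (each returns its failure count)
SYSFS_ROOT=${SYSFS_ROOT:-/proc/sys}
MOUNTS_FILE=${MOUNTS_FILE:-/proc/self/mounts}

# Expected sysctls, from the page's 99-nullsec-hardening.conf plus the network
# tweaks it names. rp_filter/log_martians values are assumptions;
# unprivileged_userns_clone is a Debian-only knob and is absent upstream.
EXPECTED_SYSCTLS='
kernel.randomize_va_space=2
kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.kexec_load_disabled=1
kernel.perf_event_paranoid=3
kernel.unprivileged_userns_clone=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
'

# sysctl_get KEY -> current value read from SYSFS_ROOT (dots become slashes),
# or nothing if the kernel does not expose that knob
sysctl_get() {
    path="$SYSFS_ROOT/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && cat "$path"
    return 0
}

# check_sysctls -> [PASS]/[FAIL] per key, returns the number of failures
check_sysctls() {
    fails=0
    for pair in $EXPECTED_SYSCTLS; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sysctl_get "$key")
        if [ "$got" = "$want" ]; then
            printf '[PASS] %s = %s\n' "$key" "$want"
        else
            printf '[FAIL] %s expected %s, got %s\n' "$key" "$want" "${got:-<absent>}"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# mount_has_opt MOUNTPOINT OPTION -> 0 if that mount point carries OPTION
# /proc/self/mounts fields: source target fstype options dump pass
mount_has_opt() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$MOUNTS_FILE"
}

# check_mounts -> verifies noexec,nosuid,nodev on /tmp and /dev/shm,
# returns the number of missing flags
check_mounts() {
    fails=0
    for mp in /tmp /dev/shm; do
        for opt in noexec nosuid nodev; do
            if mount_has_opt "$mp" "$opt"; then
                printf '[PASS] %s mounted %s\n' "$mp" "$opt"
            else
                printf '[FAIL] %s missing %s\n' "$mp" "$opt"
                fails=$((fails + 1))
            fi
        done
    done
    return "$fails"
}
```

Reading /proc/sys directly rather than shelling out to sysctl(8) matters for a check like this: the values come from the kernel itself, so a stale /etc/sysctl.d file that was never applied, or a later override, is caught instead of trusted.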
The 15-point gap
Our kernel-hardening-checker score is 85/100. The remaining 15 points come from options we intentionally leave disabled:
- CONFIG_STATIC_USERMODEHELPER=y — routes every usermode-helper call (modprobe, hotplug) through one fixed binary; without shipping a dispatcher, module autoloading and the tool installers that rely on it break
- CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y with lockdown=confidentiality — confidentiality mode also blocks reading kernel memory, which kills eBPF tracing tools like bpftrace that pentesters rely on
- CONFIG_TRIM_UNUSED_KSYMS=y — strips every exported symbol no in-tree module uses, which breaks the out-of-tree WiFi drivers needed for wireless pentesting
- CONFIG_CFI_CLANG=y — requires the entire kernel and all modules to be compiled with Clang, which conflicts with some driver build systems
Each exception is documented in /usr/share/nullsec/kernel-exceptions.md with a risk assessment and mitigation plan. Security is about informed tradeoffs, not checkbox compliance.
Verifying your installation
Every NullSec install includes a verification script:
# Run the full hardening audit
nullsec-audit --kernel --sysctl --mounts --boot
# Example output:
# [PASS] KASLR enabled
# [PASS] Stack protector: strong
# [PASS] BPF restricted to root
# [PASS] /tmp mounted noexec
# [PASS] Signed modules enforced
# [WARN] lockdown=integrity (not confidentiality)
# Score: 47/50 checks passed
We recommend running this after every kernel update. The script is also available as a Lateralus pipeline for integration into your own security workflows.