The downside of the flexible and feature-rich environment that Linux offers is the many attack surfaces that it exposes. Embedded Linux devices are an attractive target for botnets and other cyberattacks.
Linux has numerous built-in security features, but silicon vendors usually supply their developer Linux environment or BSP with all features, developer tools and ‘root’ privileges enabled. This gives the developer maximum functionality, but it means reconfiguration and hardening must be done before a product can be deployed.
Configuring Linux means balancing the right level of security against the features that the application needs. We’ve hardened the Linux systems in many premium consumer products that are deployed in their millions by major operators. Our configuration work includes:
- Disabling all unused network services
- Disabling the kernel developer features
- Applying the principle of least privilege, ensuring all processes run with the minimum user privileges and access they need in order to function
- Removing unnecessary tools and programmes from the filesystem and disabling debug facilities such as ptrace
- Limiting access by adding containerisation such as Docker, LXC, and the OCI-compliant runtimes runc and crun to sandbox components, especially when running third-party applications or for network-facing components
- Adding intruder detection when appropriate
- And a lot more…
When appropriate, we recommend using a security-enhanced version of Linux such as SELinux.
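As an added illustration (not code from the original page), the sketch below audits three items from the configuration list above: kernel developer features, unused network services and ptrace. The option set, the allowed port and the sample inputs are assumptions constructed for the example.

```python
import re

# Assumed, illustrative set of developer/debug kernel options (not the page's own list).
DEV_KERNEL_OPTIONS = {"CONFIG_KGDB", "CONFIG_DEBUG_FS", "CONFIG_KPROBES",
                      "CONFIG_PROC_KCORE", "CONFIG_DEVMEM", "CONFIG_MAGIC_SYSRQ"}

def enabled_dev_options(kconfig_text):
    """Developer options built in (=y) or as modules (=m) in a kernel .config."""
    hits = re.findall(r"^(CONFIG_\w+)=[ym]$", kconfig_text, flags=re.MULTILINE)
    return [opt for opt in hits if opt in DEV_KERNEL_OPTIONS]

def listening_tcp_ports(proc_net_tcp_text):
    """Ports in LISTEN state (st column == 0A) from /proc/net/tcp contents."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # hex port after ':'
    return sorted(ports)

def ptrace_restricted(ptrace_scope_text):
    """Yama ptrace_scope 0 lets any same-UID process attach; 1 and above restrict it."""
    return int(ptrace_scope_text.strip()) >= 1

def audit(kconfig_text, proc_net_tcp_text, ptrace_scope_text, allowed_ports):
    findings = [f"kernel developer feature enabled: {o}" for o in enabled_dev_options(kconfig_text)]
    findings += [f"unexpected TCP listener on port {p}"
                 for p in listening_tcp_ports(proc_net_tcp_text) if p not in allowed_ports]
    if not ptrace_restricted(ptrace_scope_text):
        findings.append("ptrace unrestricted (kernel.yama.ptrace_scope=0)")
    return findings

# Constructed sample inputs, standing in for files read from a development BSP.
SAMPLE_KCONFIG = """CONFIG_KGDB=y
# CONFIG_DEBUG_FS is not set
CONFIG_DEVMEM=y
CONFIG_MODULES=y
"""
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0017 00000000:0000 0A 00000000:00000000
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000
   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000
"""
SAMPLE_PTRACE_SCOPE = "0\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_KCONFIG, SAMPLE_PROC_NET_TCP, SAMPLE_PTRACE_SCOPE, {443}):
        print(finding)
```

On a real target the three inputs would come from the kernel build's `.config`, `/proc/net/tcp` (plus `/proc/net/tcp6` for IPv6 listeners, not covered here) and `/proc/sys/kernel/yama/ptrace_scope`.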
We can audit software for security and provide auditing and guidance on open-source software (OSS) licence requirements and use in projects, using tools such as Black Duck and Coverity.