How to check if kernel lockdown mode is active in Linux


Introduction

In this lab, you will learn how to check if kernel lockdown mode is active in Linux. Kernel lockdown is a security feature that restricts certain kernel capabilities to enhance system security.

You will achieve this by examining the kernel's lockdown status through the /proc filesystem using the cat command, verifying lockdown-related messages in the kernel ring buffer with dmesg, and inspecting security settings within the /sys/kernel/security directory. These steps will provide a comprehensive understanding of the current lockdown state of your Linux system.



Check lockdown status with cat /proc/sys/kernel/lockdown

In this step, we will check the current lockdown status of the Linux kernel. Kernel lockdown is a security feature that restricts certain kernel capabilities to enhance security, especially on systems where physical access is a concern.

The lockdown status is exposed through the /proc filesystem, specifically at /proc/sys/kernel/lockdown. The /proc filesystem is a virtual filesystem that exposes information about running processes and other kernel state as files.

To check the lockdown status, we will use the cat command. The cat command is used to display the content of files.

Open your terminal if it's not already open. You can find the Xfce Terminal icon on the left side of your desktop.

Now, type the following command into the terminal and press Enter:

cat /proc/sys/kernel/lockdown

You will see output similar to this:

[none] integrity confidentiality

The output indicates the current lockdown mode in square brackets ([none] in this example) and the available lockdown modes.

  • none: The kernel is not in lockdown mode.
  • integrity: Restricts features that could allow user-space to modify the running kernel.
  • confidentiality: Restricts features that could allow user-space to extract confidential information from the kernel.

The specific output might vary depending on the kernel configuration, but the structure will be similar. Understanding the lockdown status is important for assessing the security posture of a Linux system.
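The status line above is easy to read by eye, but a script that audits a fleet needs to extract the bracketed mode and compare it against a required minimum. The following POSIX shell functions are an added example and not part of the lab: they parse a status line of the form shown above, rank the three modes, and read the live file if one is present. The live reader assumes the status file is at /sys/kernel/security/lockdown (the securityfs interface) or at /proc/sys/kernel/lockdown as the lab describes, and reports if neither exists.

```shell
#!/bin/sh
# Added example (not from the lab): parse and rank the kernel lockdown status line.

# Print the mode shown in square brackets, e.g. "none" from
# "[none] integrity confidentiality". Prints nothing if no bracketed word is found.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Rank the modes so they can be compared: none=0, integrity=1, confidentiality=2.
# Anything else (including an empty string) ranks -1, meaning "unknown".
lockdown_rank() {
    case "$1" in
        none)            echo 0 ;;
        integrity)       echo 1 ;;
        confidentiality) echo 2 ;;
        *)               echo -1 ;;
    esac
}

# Succeed (exit 0) only if the active mode in status line $1 is at least mode $2.
# An unknown active mode or an unknown required mode always fails.
lockdown_at_least() {
    mode=$(lockdown_mode "$1")
    have=$(lockdown_rank "$mode")
    want=$(lockdown_rank "$2")
    [ "$have" -ge 0 ] && [ "$want" -ge 0 ] && [ "$have" -ge "$want" ]
}

# Read the live status line. Assumption: the interface lives at one of these two
# paths; the first readable one wins. Fails (exit 1) if neither is present.
current_lockdown_status() {
    for f in /sys/kernel/security/lockdown /proc/sys/kernel/lockdown; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo "no lockdown interface found; kernel may lack the lockdown LSM" >&2
    return 1
}

# When run directly: report the live mode and whether it meets "integrity".
status=$(current_lockdown_status 2>/dev/null) && {
    echo "active lockdown mode: $(lockdown_mode "$status")"
    if lockdown_at_least "$status" integrity; then
        echo "lockdown meets the integrity baseline"
    else
        echo "lockdown is below the integrity baseline"
    fi
}
```

The ranking matters because confidentiality mode includes every restriction of integrity mode, so a check for "at least integrity" should pass on a confidentiality-mode kernel as well.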

Click Continue to proceed to the next step.

Verify lockdown in dmesg

In addition to checking the /proc filesystem, kernel messages related to lockdown status changes are often logged in the kernel ring buffer. We can view these messages using the dmesg command.

The dmesg command is used to examine or control the kernel ring buffer. It displays messages produced by the kernel during boot-up and runtime.

To see if there are any messages related to kernel lockdown, we can pipe the output of dmesg to grep and search for the term "lockdown". Piping (|) sends the output of one command as the input to another command.

Type the following command into your terminal and press Enter:

dmesg | grep lockdown

You might see output similar to this:

[    0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-... root=UUID=... ro ... lockdown=none
[    0.000000] Kernel lockdown: Lockdown is disabled.

This output shows kernel messages that contain the word "lockdown". It can confirm the lockdown status set during boot or any changes that occurred later. The exact messages will depend on how the system was booted and configured.

If you don't see any output, it might mean there were no specific kernel messages about lockdown logged in the buffer, or the messages have been overwritten if the buffer is full. However, checking dmesg is a common practice to verify kernel-level events.

Click Continue to move on to the next step.

Inspect security settings in /sys/kernel/security

In this final step, we will explore the /sys/kernel/security directory. The /sys filesystem is another virtual filesystem that provides an interface to kernel data structures. The /sys/kernel/security directory specifically contains information and controls related to the Linux Security Modules (LSMs) loaded by the kernel.

LSM is a kernel framework that lets the kernel support a variety of security models; SELinux and AppArmor are examples of modules built on it.

Let's list the contents of this directory using the ls command. The ls command lists directory contents.

Type the following command into your terminal and press Enter:

ls /sys/kernel/security/

You will see output similar to this, depending on the loaded LSMs:

apparmor  lockdown  lsm  selinux

This output shows the subdirectories within /sys/kernel/security. Each subdirectory often corresponds to a loaded LSM or a security feature like lockdown.

You can further inspect the contents of these subdirectories using ls and cat. For example, to see the contents of the lockdown directory within /sys/kernel/security, you could use:

ls /sys/kernel/security/lockdown/

And to view the content of a file within that directory, for instance, the lockdown file itself (which might contain similar information to /proc/sys/kernel/lockdown), you could use:

cat /sys/kernel/security/lockdown

Exploring the /sys/kernel/security directory provides deeper insight into the active security modules and their configurations on your system.

You have now learned how to check the kernel lockdown status using different methods and explored the kernel security interface in the /sys filesystem.

Click Continue to complete the lab.

Summary

In this lab, we learned how to check the kernel lockdown status in Linux. We used the cat /proc/sys/kernel/lockdown command to view the current lockdown mode and available modes, such as none, integrity, and confidentiality. Understanding these modes is crucial for assessing system security.

We also explored how to verify lockdown-related messages in the kernel ring buffer using the dmesg command, which provides insights into kernel events and status changes, including those related to lockdown activation or deactivation. Finally, we examined security settings within the /sys/kernel/security directory, which offers a more detailed view of various security modules and their configurations, including lockdown-specific settings.