Linux Advanced Hardening With the Capability Bounding Set

Author: Vivek Gite Last updated: February 22, 2011 12 comments

The last time I wrote about basic “Linux Server Hardening Security” tips. In this post I will write about the /proc/sys/kernel/cap-bound file which act as a powerful Linux hardening tool. This file holds the value of the kernel capability bounding set (expressed as a signed decimal number). This set is ANDed against the capabilities permitted to a process during exec. You can make changes to this file (bit value of cap-bound) and you can restrict many capabilities of process and put restrictions on root related process too. Using capability you can enable or disable Linux kernel modules loading, firewall, routing, raw sockets, locking of memory segments, restrictions on changing file ownership, restrictions on read and search of files and directories, sending signals to processes owned by others, modification of immutable and append-only file attributes, use of chroot(), rebooting the system, conman sys admin tasks such as mount, quotas, swapping and much more.

How Do I See Default or Current Capability Values?

Type the following command:
$ cat /proc/sys/kernel/cap-bound
Sample outputs:

-257

How Do I Set New Capability Values?

Use the echo command as follows:

echo 0xHexValue > /proc/sys/kernel/cap-bound

The bounding set is expressed as a bitmask so you can use hexnumber or use bash shell left bit bitwise shifts ARITHMETIC EVALUATION operators. A word of warning – be very careful when making changes to the bounding set. You may end up locking the system due to wrong values.

Example: Stop Loading Modules (Drivers) After System Has Booted

The CAP_SYS_MODULE allows to insert and remove kernel modules without limit. The capability number is 16 for CAP_SYS_MODULE. So you can use bash shell left bit bitwise shifts as follows to disable loading of drivers as follows (you must be root user):

echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound

Now try to load or unload modules:
# modprobe ide_cd
Sample outputs:

FATAL: Error inserting ide_cd (/lib/modules/2.6.18-194.3.1.el5/kernel/drivers/ide/ide-cd.ko): Operation not permitted

OR try to remove module:
# modprobe -r cdrom
Sample outputs:

FATAL: Error removing cdrom (/lib/modules/2.6.18-194.3.1.el5/kernel/drivers/cdrom/cdrom.ko): Operation not permitted

How Do I Make Changes To Capability Permanently?

To make changes to /proc filesystem permanently, add them to /etc/sysctl.conf file:
# vi /etc/sysctl.conf
Append the following line:

# Do not load or remove any kernel drivers
# Clear bit # 16
echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound

Save and close the file. Load changes:
# sysctl -p

How Do I Find Out List Of All Supported Capabilities?

To get an overview of Linux capabilities and its numbers see /usr/src/linux/include/linux/capability.h file, enter:
$ vi /usr/src/linux/include/linux/capability.h
OR use the grep command to find out numbers quickly:

grep '#define CAP' /usr/src/linux/include/linux/capability.h

Sample outputs:

#define CAP_CHOWN            0
#define CAP_DAC_OVERRIDE     1
#define CAP_DAC_READ_SEARCH  2
#define CAP_FOWNER           3
#define CAP_FSETID           4
#define CAP_KILL             5
#define CAP_SETGID           6
#define CAP_SETUID           7
#define CAP_SETPCAP          8
#define CAP_LINUX_IMMUTABLE  9
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_BROADCAST    11
#define CAP_NET_ADMIN        12
#define CAP_NET_RAW          13
#define CAP_IPC_LOCK         14
#define CAP_IPC_OWNER        15
#define CAP_SYS_MODULE       16
#define CAP_SYS_RAWIO        17
#define CAP_SYS_CHROOT       18
#define CAP_SYS_PTRACE       19
#define CAP_SYS_PACCT        20
#define CAP_SYS_ADMIN        21
#define CAP_SYS_BOOT         22
#define CAP_SYS_NICE         23
#define CAP_SYS_RESOURCE     24
#define CAP_SYS_TIME         25
#define CAP_SYS_TTY_CONFIG   26
#define CAP_MKNOD            27
#define CAP_LEASE            28
#define CAP_AUDIT_WRITE      29
#define CAP_AUDIT_CONTROL    30
#define CAP_SETFCAP	     31
#define CAP_MAC_OVERRIDE     32
#define CAP_MAC_ADMIN        33
#define CAP_LAST_CAP         CAP_MAC_ADMIN
#define CAP_TO_INDEX(x)     ((x) >> 5)        /* 1 << 5 == bits in __u32 */
#define CAP_TO_MASK(x)      (1 << ((x) & 31)) /* mask for indexed __u32 */
#define CAP_FOR_EACH_U32(__capi)  \
#define CAP_INIT_INH_SET    CAP_EMPTY_SET
#define CAP_BOP_ALL(c, a, b, OP)                                    \
#define CAP_UOP_ALL(c, a, OP)                                       \

The capabilities man page also offers good overview of Linux capabilities:
$ man 7 capabilities

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 12 comments so far... add one ↓

Category	List of Unix and Linux commands
Disk space analyzers	ncdu • pydf
File Management	cat
Firewall	Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04
Network Utilities	NetHogs • dig • host • ip • nmap
OpenVPN	CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04
Package Manager	apk • apt
Processes Management	bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time
Searching	grep • whereis • which
User Information	groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w
WireGuard VPN	Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04

12 comments… add one

Stefano Feb 23, 2011 @ 13:35

why should I limit capabilities in this way? Couldn’t an attacker simply modify /proc/sys/kernel/cap-bound again?

Reply Link
- 🐧 nixCraft Feb 23, 2011 @ 13:41
  
  Noop, someone need to physically reboot the server using reboot button or KVM or IP using reboot. Once capabilities set it cannot be removed using root account. It lock downs many features of kernel.
  
  HTH
  
  Reply Link
  - Erik Mar 11, 2011 @ 21:08
    
    So then what is the proper way to modify one of these ‘capabilities’ after it is set?
    
    Reply Link
Jason Feb 24, 2011 @ 3:12

According to capabilities man page, it seems that this only works for kernel before 2.6.25.

Reply Link
- 🐧 nixCraft Feb 25, 2011 @ 9:44
  
  Yes newer kernel (RHEL 6) using /proc/sys/kernel/modules_disabled and other SELinux patches (they are already in newer kernel and RHEL 6 too) See one, two.
  
  Reply Link
ikkhares Feb 27, 2011 @ 13:23

I believe it’s worth pointing out, that capabilities must be carefully studied before deployment, because without more hardening layers (e.g. defenses against arbitrary code execution, MAC, etc.) they can leave the system more vulnerable then before, on a related note just remember Microsoft’s recent virus scanner problems.

See:
http://forums.grsecurity.net/viewtopic.php?f=7&t=2522
http://www.sevagas.com/?POSIX-file-capabilities-the-dark
http://www.h-online.com/security/news/item/Microsoft-s-virus-scanner-causes-security-problem-1196731.html

Reply Link
parth monga Feb 27, 2011 @ 14:29

HI vivek
Can you please gimme a lilltle out of the bound explanation to use capabilities(cap)
I dint get this concept of hardening a linux box .

Reply Link
sudarshan Mar 29, 2011 @ 6:24

Hardening the linux box.. as a concept. I am really unable to understand the use. Can you please brief me about the DOs and Donts here.

Reply Link
Farik Apr 9, 2011 @ 15:12

best tutorials i have found on internet about Capability Bounding Set

Reply Link
Manjunath Doddam May 1, 2011 @ 5:10

Very useful article

Reply Link
vishal Aug 8, 2011 @ 14:50

hey i am getting following error:
/proc/sys/kernel/cap-bound: No such file or directory
on ubuntu 11.04

help me out …

Reply Link
paulv Feb 6, 2014 @ 19:31

This is the first time i’ve ever somebody putting shell-commands in the /etc/sysctl.conf file.

Use rc.local or use sysctl.conf in the correct way (and please edit the mistake).

Reply Link