Linux Configuration Needed To Enable Tamper Guard Protections

Applies To

Halcyon Linux Agent running on:

• Ubuntu 22.04, 24.04
• Debian 11
• Oracle Linux (latest supported versions)

Overview

Tamper Protection relies on the Linux Security Module (LSM) framework. For it to function correctly, the bpf LSM must be explicitly enabled in the kernel boot parameters. This ensures that Tamper Guard can hook into the kernel's security infrastructure and protect Halcyon Linux from unauthorized stop or uninstall.

Action

Enable the bpf LSM in the kernel boot parameters:

Debian and Ubuntu

1. Edit grubconfiguration:
   sudo nano /etc/default/grub
    
2. Modify Kernel Parameters by locating the line starting with GRUB_CMDLINE_LINUX and appending the following:
   lsm=$(cat /sys/kernel/security/lsm),bpf
   
   Example:
   GRUB_CMDLINE_LINUX="quiet splash lsm=$(cat /sys/kernel/security/lsm),bpf"
   NOTE: Some Ubuntu distributions append a semicolon to the GRUB_CMDLINE_LINUX line. Remove this semicolon.
    
3. Update grub:
   sudo grub-mkconfig | sudo tee /boot/grub/grub.cfg
    
4. Reboot the system to apply changes.

Oracle Linux

1. Update Kernel Arguments using grub to append the required LSM parameters:
   sudo grubby --update-kernel ALL --args "lsm=$(cat /sys/kernel/security/lsm),bpf,integrity"
    
2. Reboot the system to apply changes.
    
3. After rebooting, confirm bpf LSM is active:
   cat /sys/kernel/security/lsm