Although the Linux kernel is already fairly secure by design, there are still a few ways to lock it down even more. It's simple to do, once you know what to look for. Tweaking the kernel can help prevent certain network attacks and certain types of information leaks. (But fear not – you don't have to recompile a whole new kernel to take advantage of this.)

With process isolation, our aim is to prevent malicious users from performing either a vertical or a horizontal privilege escalation. By isolating processes from each other, we can help prevent someone from taking control of either a root user process or a process that belongs to some other user. Either of these types of privilege escalation could help an attacker either take control of a system or access sensitive information.

In this chapter, we'll take a quick tour of the /proc filesystem and show you how to configure certain parameters within it to help beef up security. Then, we'll turn to the subject of process isolation and talk about various methods to ensure that processes remain isolated from each other.

In this chapter, we'll cover the following topics:

• Understanding the /proc filesystem
• Setting kernel parameters with sysctl
• Configuring the sysctl.conf file
• An overview of process isolation
• Control groups
• Namespace isolation
• Kernel capabilities
• SECCOMP and system calls
• Using process isolation with Docker containers

• Sandboxing with Firejail
• Sandboxing with Snappy
• Sandboxing with Flatpak

So, if you're ready and raring, we'll start by looking at the /proc filesystem.