hardening – Insinuator.net

July 28, 2025 by Alexander Moch

Setting up Secure Boot on Gentoo Linux

The purpose of this blog post is to explain how Secure Boot works. In particular, we will explain where current implementations of Secure Boot by Linux distributors fall short compared to Microsoft Windows and Apple macOS.

Major distributors like Canonical, Debian, openSUSE, and Red Hat place a high priority on making their operating systems work out of the box. Given the current Linux landscape with out-of-tree drivers and incompatible licenses, providing the end user with all the drivers possibly needed to boot the system can be challenging.

In this post we will describe how to set up Secure Boot on Gentoo Linux. Gentoo Linux is sometimes described as a meta-distribution. It leaves many decisions up to its users—and with that, a fair amount of work. The upside is that users can decide exactly how to set up the boot chain without having to work “against” the distributor. For this reason, we chose Gentoo Linux to demonstrate the different ways to set up Secure Boot.

On a hardened system, Secure Boot should be deployed along with full disk encryption¹.

Continue reading “Setting up Secure Boot on Gentoo Linux”

Building

July 3, 2025 by Alexander Moch

Insecure Boot: Injecting initramfs from a debug shell

Many Linux hardening guides focus on well-known protections: full-disk encryption, Secure Boot, and password-protected bootloaders. While these measures are critical, they often overlook a subtle but serious attack vector: the ability to drop into a debug shell via the Initial RAM Filesystem (initramfs). This oversight can enable an attacker with brief physical access to bypass conventional boot protections and inject persistent malware into the system.

In this post, it is demonstrated how this attack works on modern Linux distributions, such as Ubuntu and Fedora, and explained why existing guidance often fails to mention it.

Continue reading “Insecure Boot: Injecting initramfs from a debug shell”

Breaking

September 3, 2024 by Florian Kiersch

Disclosure: Potential Limitations of Apple ADE in Corporate Usage Scenarios

Apple Automated Device Enrollment (ADE) is presented as a way to automate and simplify the enrollment process of Apple devices within Mobile Device Management (MDE) solutions. This blog post is aimed at organizations currently planning or even already using this feature and making you, the reader, aware of potential limitations of this process that might otherwise not be clearly addressed in your companies’ device management process.

Continue reading “Disclosure: Potential Limitations of Apple ADE in Corporate Usage Scenarios”

Breaking

August 9, 2024 by Jan Ruge

Disclosure: Apple ADE – Network Based Provisioning Bypass

Mobile Device Management (MDM) solutions are used to centrally manage mobile devices in corporate environments. This includes the monitoring of the device, automatic installation/removal of apps or certificates and restrict the functionality. Even though MDM solutions exist for multiple vendors, we will look specifically on Apple devices enrolled via Intune. When an Apple device is registered for Automated Device Enrollment (ADE), it will automatically download and apply these policies during the initial setup and prior to the first boot.

During a customer project, we identified a network-based provisioning bypass which prevents the iPad to fetch and apply the provisioning profiles. Continue reading “Disclosure: Apple ADE – Network Based Provisioning Bypass”

Misc

January 10, 2019 by Birk Kauer

macOS Mojave Hardening Guide

Due to the new release of macOS Mojave in September we updated the El Capitan hardening guide.

Continue reading “macOS Mojave Hardening Guide”

Building

September 18, 2016 by Matthias Luft

Files Your Webserver Shouldn’t Deliver

During penetration tests, we often find interesting files on web servers. Almost as often, those files enable us to carry out further attacks with much higher impact. Inspired by Chris Gate’s great series From Low to Pwned, we decided to share the following small piece.

Continue reading “Files Your Webserver Shouldn’t Deliver”

Building

August 21, 2016 by Matthias Luft

ERNW Hardening Repository

Today we started publishing several of our hardening documents to a dedicated GitHub repository — and we’re quite excited about it! It took a while to develop a suitable markdown template to support all the requirements you have when you write a hardening guide, but we’re online now!

At the moment, only a few hardening guides are online, but that should continuously increase in the future.

Click here for the GitHub ERNW Hardening Repository!

Cheers,

Matthias

Building

June 26, 2015 by Dominik Phillips

Internet Information Service 7.5 Hardening Guide

Internet Information Services (IIS) contains several components that perform important functions for the application and Web server roles in Windows Server. As it is designed to be used in an enterprise environment, the security of this system must be kept at a high level.

By default IIS implements a lot of basic security measures, but are these the relevant ones to protect your business? Continue reading “Internet Information Service 7.5 Hardening Guide”

Building

February 4, 2015 by Enno Rey

IPv6 Hardening Guide for OS X

Similar to the documents we released for Linux and Windows (and actually inspired by a comment to the post on the Linux guide) Antonios wrote another guide, this time for Mac OS X.

Continue reading “IPv6 Hardening Guide for OS X”

Building

December 30, 2014 by Matthias Luft

Hardening Against Local PrivEsc: Protecting Your Links

Following up on this post, we want to provide some details on two rather new (well, compared to its lifespan) Linux kernel parameters — and emphasize the need to enable those:

fs.protected_hardlinks
fs.protected_symlinks

Continue reading “Hardening Against Local PrivEsc: Protecting Your Links”