- checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none'
- checklist.append(OptCheck('ACPI_CUSTOM_METHOD', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('COMPAT_BRK', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('DEVKMEM', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('COMPAT_VDSO', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('BINFMT_MISC', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('INET_DIAG', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('KEXEC', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('PROC_KCORE', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('LEGACY_PTYS', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('HIBERNATION', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('IA32_EMULATION', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('X86_X32', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('OABI_COMPAT', 'is not set', 'kspp', 'cut_attack_surface'))
-
- checklist.append(OptCheck('X86_PTDUMP', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('ZSMALLOC_STAT', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('PAGE_OWNER', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('DEBUG_KMEMLEAK', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('BINFMT_AOUT', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('KPROBES', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('UPROBES', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('GENERIC_TRACER', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('PROC_VMCORE', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('PROC_PAGE_MONITOR', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('USELIB', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('CHECKPOINT_RESTORE', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('USERFAULTFD', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('HWPOISON_INJECT', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('MEM_SOFT_DIRTY', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('DEVPORT', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('DEBUG_FS', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('NOTIFIER_ERROR_INJECTION','is not set', 'grsecurity', 'cut_attack_surface'))
-
- checklist.append(OptCheck('DRM_LEGACY', 'is not set', 'maintainer', 'cut_attack_surface'))
- checklist.append(OptCheck('FB', 'is not set', 'maintainer', 'cut_attack_surface'))
- checklist.append(OptCheck('VT', 'is not set', 'maintainer', 'cut_attack_surface'))
-
- checklist.append(OptCheck('ACPI_TABLE_UPGRADE', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('X86_IOPL_IOPERM', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('EFI_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
-
- if arch == 'X86_64' or arch == 'X86_32':
- checklist.append(OptCheck('X86_INTEL_TSX_MODE_OFF', 'y', 'clipos', 'cut_attack_surface')) # tsx=off
- checklist.append(OptCheck('STAGING', 'is not set', 'clipos', 'cut_attack_surface'))
- checklist.append(OptCheck('KSM', 'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
-# checklist.append(OptCheck('IKCONFIG', 'is not set', 'clipos', 'cut_attack_surface')) # no, this info is needed for this check :)
- checklist.append(OptCheck('KALLSYMS', 'is not set', 'clipos', 'cut_attack_surface'))
- checklist.append(OptCheck('X86_VSYSCALL_EMULATION', 'is not set', 'clipos', 'cut_attack_surface'))
- checklist.append(OptCheck('MAGIC_SYSRQ', 'is not set', 'clipos', 'cut_attack_surface'))
- checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN (permissive)
- checklist.append(OptCheck('USER_NS', 'is not set', 'clipos', 'cut_attack_surface')) # user.max_user_namespaces=0
- checklist.append(OptCheck('X86_MSR', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN
- checklist.append(OptCheck('X86_CPUID', 'is not set', 'clipos', 'cut_attack_surface'))
- checklist.append(AND(OptCheck('LDISC_AUTOLOAD', 'is not set', 'clipos', 'cut_attack_surface'), \
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y')) # 'vsyscall=none'
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'PROC_KCORE', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'LEGACY_PTYS', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'HIBERNATION', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'X86_X32', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'MODIFY_LDT_SYSCALL', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set'))
+
+ # 'cut_attack_surface', 'grsecurity'
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'ZSMALLOC_STAT', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'PAGE_OWNER', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'DEBUG_KMEMLEAK', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'BINFMT_AOUT', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'KPROBES', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'UPROBES', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'GENERIC_TRACER', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'PROC_VMCORE', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'PROC_PAGE_MONITOR', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'USELIB', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'CHECKPOINT_RESTORE', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'USERFAULTFD', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'HWPOISON_INJECT', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'MEM_SOFT_DIRTY', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'DEVPORT', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'DEBUG_FS', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION','is not set'))
+
+ # 'cut_attack_surface', 'maintainer'
+ checklist.append(OptCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set'))
+
+ # 'cut_attack_surface', 'lockdown'
+ checklist.append(OptCheck('cut_attack_surface', 'lockdown', 'ACPI_TABLE_UPGRADE', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'lockdown', 'X86_IOPL_IOPERM', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')) # refers to LOCKDOWN
+
+ # 'cut_attack_surface', 'clipos'
+ if arch in ('X86_64', 'X86_32'):
+ checklist.append(OptCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')) # tsx=off
+ checklist.append(OptCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')) # to prevent FLUSH+RELOAD attack
+# checklist.append(OptCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')) # no, this info is needed for this check :)
+ checklist.append(OptCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set'))
+ checklist.append(OptCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')) # refers to LOCKDOWN (permissive)
+ checklist.append(OptCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')) # user.max_user_namespaces=0
+ checklist.append(OptCheck('cut_attack_surface', 'clipos', 'X86_MSR', 'is not set')) # refers to LOCKDOWN
+ checklist.append(OptCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set'))
+ checklist.append(AND(OptCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD', 'is not set'), \