+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')]
+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'),
+ AND(KconfigCheck('-', '-', 'KEXEC_CORE', 'is not set'),
+ have_kconfig))]
+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1'),
+ AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'),
+ have_kconfig))]
+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0'),
+ AND(KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set'),
+ have_kconfig))]
+ # At first, it disabled unprivileged userfaultfd,
+ # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
+
+ l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'),
+ AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'),
+ have_kconfig))] # radical, but may be useful in some cases
+
+ l += [OR(SysctlCheck('cut_attack_surface', 'a13xp0p0v', 'kernel.sysrq', '0'),
+ AND(KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set'),
+ have_kconfig))]
+
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_regular', '2')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.suid_dumpable', '0')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.randomize_va_space', '2')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.yama.ptrace_scope', '3')]