#
# Please don't cry if my Python code looks like C.
#
-
+#
# N.B Hardening command line parameters:
# page_poison=1
-# slub_debug=P
+# slub_debug=FZP
# slab_nomerge
# pti=on
# kernel.kptr_restrict=1
+# lockdown=1
+#
+# N.B. Hardening sysctl's:
+# net.core.bpf_jit_harden
+#
import sys
from argparse import ArgumentParser
def construct_checklist():
modules_not_set = OptCheck('MODULES', 'is not set', 'kspp', 'cut_attack_surface')
- devmem_not_set = OptCheck('DEVMEM', 'is not set', 'kspp', 'cut_attack_surface')
+ devmem_not_set = OptCheck('DEVMEM', 'is not set', 'kspp', 'cut_attack_surface') # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('BUG', 'y', 'ubuntu18', 'self_protection'))
checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'ubuntu18', 'self_protection'))
checklist.append(OptCheck('SLAB_FREELIST_RANDOM', 'y', 'ubuntu18', 'self_protection'))
checklist.append(OptCheck('HARDENED_USERCOPY', 'y', 'ubuntu18', 'self_protection'))
checklist.append(OptCheck('FORTIFY_SOURCE', 'y', 'ubuntu18', 'self_protection'))
+ checklist.append(OptCheck('LOCK_DOWN_KERNEL', 'y', 'ubuntu18', 'self_protection')) # remember about LOCK_DOWN_MANDATORY
checklist.append(OR(OptCheck('STRICT_MODULE_RWX', 'y', 'ubuntu18', 'self_protection'), \
OptCheck('DEBUG_SET_MODULE_RONX', 'y', 'before_v4.11', 'self_protection'), \
modules_not_set))
checklist.append(OptCheck('DEBUG_SG', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('DEBUG_CREDENTIALS', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('DEBUG_NOTIFIERS', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('MODULE_SIG_FORCE', 'y', 'kspp', 'self_protection'))
+ checklist.append(OptCheck('MODULE_SIG_FORCE', 'y', 'kspp', 'self_protection')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('HARDENED_USERCOPY_FALLBACK', 'is not set', 'kspp', 'self_protection'))
checklist.append(OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection')) # breaks systemd?
+ checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'))
checklist.append(OptCheck('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection'))
+ checklist.append(OptCheck('SLAB_MERGE_DEFAULT', 'is not set', 'my', 'self_protection')) # slab_nomerge
checklist.append(OptCheck('SECURITY', 'y', 'ubuntu18', 'security_policy'))
checklist.append(OptCheck('SECURITY_YAMA', 'y', 'ubuntu18', 'security_policy'))
checklist.append(OptCheck('SECCOMP', 'y', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'ubuntu18', 'cut_attack_surface'), \
- devmem_not_set))
- checklist.append(OptCheck('ACPI_CUSTOM_METHOD', 'is not set', 'ubuntu18', 'cut_attack_surface'))
+ devmem_not_set)) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('ACPI_CUSTOM_METHOD', 'is not set', 'ubuntu18', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('COMPAT_BRK', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('DEVKMEM', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('COMPAT_VDSO', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('PAGE_OWNER', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('DEBUG_KMEMLEAK', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('BINFMT_AOUT', 'is not set', 'ubuntu18', 'cut_attack_surface'))
+ checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'ubuntu18', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OR(OptCheck('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \
- devmem_not_set))
+ devmem_not_set)) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none'
checklist.append(OptCheck('BINFMT_MISC', 'is not set', 'kspp', 'cut_attack_surface'))
checklist.append(OptCheck('INET_DIAG', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('KEXEC', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('PROC_KCORE', 'is not set', 'kspp', 'cut_attack_surface'))
+ checklist.append(OptCheck('KEXEC', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('PROC_KCORE', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('LEGACY_PTYS', 'is not set', 'kspp', 'cut_attack_surface'))
checklist.append(OptCheck('IA32_EMULATION', 'is not set', 'kspp', 'cut_attack_surface'))
checklist.append(OptCheck('X86_X32', 'is not set', 'kspp', 'cut_attack_surface'))
checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('HIBERNATION', 'is not set', 'kspp', 'cut_attack_surface'))
+ checklist.append(OptCheck('HIBERNATION', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
- checklist.append(OptCheck('KPROBES', 'is not set', 'grsecurity', 'cut_attack_surface'))
+ checklist.append(OptCheck('KPROBES', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('UPROBES', 'is not set', 'grsecurity', 'cut_attack_surface'))
checklist.append(OptCheck('GENERIC_TRACER', 'is not set', 'grsecurity', 'cut_attack_surface'))
checklist.append(OptCheck('PROC_VMCORE', 'is not set', 'grsecurity', 'cut_attack_surface'))
checklist.append(OptCheck('USERFAULTFD', 'is not set', 'grsecurity', 'cut_attack_surface'))
checklist.append(OptCheck('HWPOISON_INJECT', 'is not set', 'grsecurity', 'cut_attack_surface'))
checklist.append(OptCheck('MEM_SOFT_DIRTY', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('DEVPORT', 'is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('DEBUG_FS', 'is not set', 'grsecurity', 'cut_attack_surface'))
+ checklist.append(OptCheck('DEVPORT', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('DEBUG_FS', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('NOTIFIER_ERROR_INJECTION','is not set', 'grsecurity', 'cut_attack_surface'))
- checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'my', 'cut_attack_surface'))
+ checklist.append(OptCheck('ACPI_TABLE_UPGRADE', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('ACPI_APEI_EINJ', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('PROFILING', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+
+ checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
+ checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
checklist.append(OptCheck('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface'))
checklist.append(OptCheck('USER_NS', 'is not set', 'my', 'cut_attack_surface')) # user.max_user_namespaces=0
checklist.append(OptCheck('IP_DCCP', 'is not set', 'my', 'cut_attack_surface'))
checklist.append(OptCheck('IP_SCTP', 'is not set', 'my', 'cut_attack_surface'))
checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface'))
- checklist.append(OptCheck('PROFILING', 'is not set', 'my', 'cut_attack_surface'))
checklist.append(OptCheck('BPF_JIT', 'is not set', 'my', 'cut_attack_surface'))
- checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'my', 'cut_attack_surface'))
checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '32', 'my', 'userspace_protection'))
print('[+] Printing kernel hardening preferences...')
print(' {:<39}|{:^13}|{:^10}|{:^20}'.format(
'option name', 'desired val', 'decision', 'reason'))
- print(' ' + '=' * 88)
+ print(' ' + '=' * 86)
for opt in checklist:
print(' CONFIG_{:<32}|{:^13}|{:^10}|{:^20}'.format(
- opt.name, opt.expected, opt.decision, opt.reason))
+ opt.name, opt.expected, opt.decision, opt.reason))
print()
def get_option_state(options, name):
- return options[name] if name in options else None
+ return options.get(name, None)
def perform_checks(parsed_options):
projects / kconfig-hardened-check.git / blobdiff