#
# Please don't cry if my Python code looks like C.
#
-
+#
# N.B Hardening command line parameters:
# page_poison=1
-# slub_debug=P
+# slub_debug=FZP
# slab_nomerge
# pti=on
# kernel.kptr_restrict=1
# lockdown=1
+#
+# N.B. Hardening sysctl's:
+# net.core.bpf_jit_harden
+#
+#
+# TODO: add hardening preferences for ARM
import sys
from argparse import ArgumentParser
checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'ubuntu18', 'self_protection'))
checklist.append(OptCheck('RETPOLINE', 'y', 'ubuntu18', 'self_protection'))
checklist.append(OptCheck('X86_64', 'y', 'ubuntu18', 'self_protection'))
+ checklist.append(OptCheck('X86_SMAP', 'y', 'ubuntu18', 'self_protection'))
+ checklist.append(OptCheck('X86_INTEL_UMIP', 'y', 'ubuntu18', 'self_protection'))
checklist.append(OR(OptCheck('STRICT_KERNEL_RWX', 'y', 'ubuntu18', 'self_protection'), \
OptCheck('DEBUG_RODATA', 'y', 'before_v4.11', 'self_protection')))
checklist.append(OptCheck('DEBUG_WX', 'y', 'ubuntu18', 'self_protection'))
checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection')) # breaks systemd?
+ checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'))
checklist.append(OptCheck('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection'))
+ checklist.append(OptCheck('SLAB_MERGE_DEFAULT', 'is not set', 'my', 'self_protection')) # slab_nomerge
checklist.append(OptCheck('SECURITY', 'y', 'ubuntu18', 'security_policy'))
checklist.append(OptCheck('SECURITY_YAMA', 'y', 'ubuntu18', 'security_policy'))
projects / kconfig-hardened-check.git / blobdiff