def parse_sysctl_file(mode, parsed_options, fname):
with open(fname, 'r', encoding='utf-8') as f:
- sysctl_pattern = re.compile("[a-zA-Z0-9\._-]+ =.*$")
+ sysctl_pattern = re.compile("[a-zA-Z0-9/\._-]+ =.*$")
for line in f.readlines():
line = line.strip()
if not sysctl_pattern.match(line):
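Review bot: The new pattern on the `+` line keeps `\.` inside a non-raw string literal, an invalid escape sequence that Python 3.12 reports as a SyntaxWarning (a DeprecationWarning in earlier releases); inside a character class the dot is literal anyway, so `sysctl_pattern = re.compile(r"[a-zA-Z0-9/._-]+ =.*$")` matches exactly the same lines without the warning. On the `for` line, `f.readlines()` reads the whole sysctl dump into memory before the loop starts, whereas `for line in f:` yields the same lines while streaming the file. parse_sysctl_file's body continues past the end of the hunk.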
help='check the security hardening options in the kernel Kconfig file (also supports *.gz files)')
parser.add_argument('-l', '--cmdline',
help='check the security hardening options in the kernel cmdline file (contents of /proc/cmdline)')
-# parser.add_argument('-s', '--sysctl',
-# help='check the security hardening options in the sysctl output file (`sudo sysctl -a > file`)')
+ parser.add_argument('-s', '--sysctl',
+ help='check the security hardening options in the sysctl output file (`sudo sysctl -a > file`)')
parser.add_argument('-p', '--print', choices=supported_archs,
help='print the security hardening recommendations for the selected microarchitecture')
parser.add_argument('-g', '--generate', choices=supported_archs,
help='generate a Kconfig fragment with the security hardening options for the selected microarchitecture')
args = parser.parse_args()
- args.sysctl = None # FIXME
mode = None
if args.mode:
if args.print:
assert(args.config is None and args.cmdline is None and args.sysctl is None), 'unexpected args'
+ if args.generate:
+ sys.exit('[!] ERROR: --print and --generate can\'t be used together')
if mode and mode not in ('verbose', 'json'):
sys.exit(f'[!] ERROR: wrong mode "{mode}" for --print')
arch = args.print
sys.exit(0)
if args.generate:
- assert(args.config is None and args.cmdline is None and args.sysctl is None), 'unexpected args'
+ assert(args.config is None and args.cmdline is None and args.sysctl is None and args.print is None), 'unexpected args'
if mode:
sys.exit(f'[!] ERROR: wrong mode "{mode}" for --generate')
arch = args.generate
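Review bot: The `args.print is None` term added to the `--generate` assert (and the pre-existing assert under `if args.print:` that now also guards `--sysctl`) is a runtime argument check written as `assert`, so it disappears under `python -O`, and `--generate` would then silently accept `--config`, `--cmdline`, `--sysctl` or `--print` alongside it, while the `--print`/`--generate` clash added a few lines earlier is rejected with `sys.exit` and always fires. Making both checks the same kind removes the inconsistency: `if any(a is not None for a in (args.config, args.cmdline, args.sysctl, args.print)):` followed by `parser.error("--generate can't be combined with other options")` (argparse prints usage and exits with status 2), with the matching rewrite under `if args.print:`, which also makes the new two-line `sys.exit` check redundant. The argument-parsing block this hunk belongs to starts before the hunk.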