projects / kconfig-hardened-check.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add a comment about `kernel.oops_limit` and `kernel.warn_limit` sysctls
[kconfig-hardened-check.git] / kconfig_hardened_check / checks.py
diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index cda3df86a50a1bd8ccae98d34c95b95b1d12d410..ab25afa41b00d6b179a0174e903fc35560fef780 100644 (file)
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -16,7 +16,7 @@ This module contains knowledge for checks.
 #    kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
 #    kernel.kexec_load_disabled=1
 #    kernel.yama.ptrace_scope=3
-#    user.max_user_namespaces=0
+#    user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
 #    what about bpf_jit_enable?
 #    kernel.unprivileged_bpf_disabled=1
 #    net.core.bpf_jit_harden=2
@@ -37,6 +37,8 @@ This module contains knowledge for checks.
 #    vm.mmap_rnd_bits=max (?)
 #    kernel.sysrq=0
 #    abi.vsyscall32 (any value except 2)
+#    kernel.oops_limit (think about a proper value)
+#    kernel.warn_limit (think about a proper value)
 #
 # Think of these boot params:
 #    module.sig_enforce=1
kconfig-hardened-check