Check the kernel.kexec_load_disabled sysctl

[kconfig-hardened-check.git] / kconfig_hardened_check / checks.py

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 4a994e706b3d6ffd26d1213c4f5b01bdadd722d2..bffc68c774e88ed255768ec9f7e28fb70267be8f 100644 (file)
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -577,13 +577,10 @@ def normalize_cmdline_options(option, value):
 def add_sysctl_checks(l, arch):
 # TODO: draft of security hardening sysctls:
 #    kernel.kptr_restrict=2 (or 1?)
-#    kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
-#    kernel.kexec_load_disabled=1
 #    kernel.yama.ptrace_scope=3
 #    user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
 #    what about bpf_jit_enable?
 #    kernel.unprivileged_bpf_disabled=1
-#    net.core.bpf_jit_harden=2
 #    vm.unprivileged_userfaultfd=0
 #        (at first, it disabled unprivileged userfaultfd,
 #         and since v5.11 it enables unprivileged userfaultfd for user-mode only)
@@ -607,4 +604,9 @@ def add_sysctl_checks(l, arch):
 #
 # Calling the SysctlCheck class constructor:
 #   SysctlCheck(reason, decision, name, expected)
-    l += [SysctlCheck('self_protection', 'kspp', 'kernel.dmesg_restrict', '1')]
+
+    l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
+
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')]