This module contains knowledge for checks.
"""
-# N.B. Hardening sysctls:
-# kernel.kptr_restrict=2 (or 1?)
-# kernel.dmesg_restrict=1 (also see the kconfig option)
-# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
-# kernel.kexec_load_disabled=1
-# kernel.yama.ptrace_scope=3
-# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
-# what about bpf_jit_enable?
-# kernel.unprivileged_bpf_disabled=1
-# net.core.bpf_jit_harden=2
-# vm.unprivileged_userfaultfd=0
-# (at first, it disabled unprivileged userfaultfd,
-# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
-# vm.mmap_min_addr has a good value
-# dev.tty.ldisc_autoload=0
-# fs.protected_symlinks=1
-# fs.protected_hardlinks=1
-# fs.protected_fifos=2
-# fs.protected_regular=2
-# fs.suid_dumpable=0
-# kernel.modules_disabled=1
-# kernel.randomize_va_space=2
-# nosmt sysfs control file
-# dev.tty.legacy_tiocsti=0
-# vm.mmap_rnd_bits=max (?)
-# kernel.sysrq=0
-# abi.vsyscall32 (any value except 2)
-# kernel.oops_limit (think about a proper value)
-# kernel.warn_limit (think about a proper value)
-#
-# Think of these boot params:
-# module.sig_enforce=1
-# lockdown=confidentiality
-# mce=0
-# nosmt=force
-# intel_iommu=on
-# amd_iommu=on
-# efi=disable_early_pci_dma
-# cfi=
-
# pylint: disable=missing-function-docstring,line-too-long,invalid-name
# pylint: disable=too-many-branches,too-many-statements
l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'my', 'XFS_SUPPORT_V4', 'is not set')]
l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
modules_not_set)]
'slub_debug', # See setup_slub_debug() in mm/slub.c
'iommu', # See iommu_setup() in arch/x86/kernel/pci-dma.c
'vsyscall', # See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c
+ 'vdso32', # See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c
+ 'vdso', # See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c
'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c
]
return value
# Implement a limited part of the kstrtobool() logic
- if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):
+ if value.lower() in ('1', 'on', 'y', 'yes', 't', 'true'):
return '1'
- if value in ('0', 'off', 'Off', 'OFF', 'n', 'N', 'no', 'No', 'NO'):
+ if value.lower() in ('0', 'off', 'n', 'no', 'f', 'false'):
return '0'
# Preserve unique values
return value
+
+
+# def add_sysctl_checks(l, arch):
+# TODO: draft of security hardening sysctls:
+# kernel.kptr_restrict=2 (or 1?)
+# kernel.dmesg_restrict=1 (also see the kconfig option)
+# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
+# kernel.kexec_load_disabled=1
+# kernel.yama.ptrace_scope=3
+# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
+# what about bpf_jit_enable?
+# kernel.unprivileged_bpf_disabled=1
+# net.core.bpf_jit_harden=2
+# vm.unprivileged_userfaultfd=0
+# (at first, it disabled unprivileged userfaultfd,
+# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
+# vm.mmap_min_addr has a good value
+# dev.tty.ldisc_autoload=0
+# fs.protected_symlinks=1
+# fs.protected_hardlinks=1
+# fs.protected_fifos=2
+# fs.protected_regular=2
+# fs.suid_dumpable=0
+# kernel.modules_disabled=1
+# kernel.randomize_va_space=2
+# nosmt sysfs control file
+# dev.tty.legacy_tiocsti=0
+# vm.mmap_rnd_bits=max (?)
+# kernel.sysrq=0
+# abi.vsyscall32 (any value except 2)
+# kernel.oops_limit (think about a proper value)
+# kernel.warn_limit (think about a proper value)
+# net.ipv4.tcp_syncookies=1 (?)