# TODO: draft of security hardening sysctls:
-# kernel.yama.ptrace_scope=3
# what about bpf_jit_enable?
-# vm.unprivileged_userfaultfd=0
-# (at first, it disabled unprivileged userfaultfd,
-# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
# vm.mmap_min_addr has a good value
-# fs.protected_symlinks=1
-# fs.protected_hardlinks=1
-# fs.protected_fifos=2
# fs.protected_regular=2
# fs.suid_dumpable=0
# kernel.modules_disabled=1
l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.yama.ptrace_scope', '3')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
+ # At first, it disabled unprivileged userfaultfd,
+ # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
+
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]