Add the 'fs.protected_fifos' check

[kconfig-hardened-check.git] / kernel_hardening_checker / checks.py

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 56d2f7499368d6ce6ca591eb5de97aaece137e9e..fe26f1cecfda3d1a75684f4b7557937fe21807ee 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -578,15 +578,8 @@ def normalize_cmdline_options(option, value):
 
 
 # TODO: draft of security hardening sysctls:
-#    kernel.yama.ptrace_scope=3
 #    what about bpf_jit_enable?
-#    vm.unprivileged_userfaultfd=0
-#        (at first, it disabled unprivileged userfaultfd,
-#         and since v5.11 it enables unprivileged userfaultfd for user-mode only)
 #    vm.mmap_min_addr has a good value
-#    fs.protected_symlinks=1
-#    fs.protected_hardlinks=1
-#    fs.protected_fifos=2
 #    fs.protected_regular=2
 #    fs.suid_dumpable=0
 #    kernel.modules_disabled=1
@@ -615,3 +608,11 @@ def add_sysctl_checks(l, arch):
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.yama.ptrace_scope', '3')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
+          # At first, it disabled unprivileged userfaultfd,
+          # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
+
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]