Update the Ubuntu example configs

[kconfig-hardened-check.git] / kernel_hardening_checker / config_files / kspp-recommendations / kspp-kconfig-x86-64.config

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config
index f179b4ead38def7c6cea7ce3ed5aa512f2c1d4fb..f374cda2ba05fc0aed51d73b27a35ed71c8acf1d 100644 (file)
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config
@@ -1,4 +1,4 @@
-# Linux/x86_64 6.1.5 Kernel Configuration
+# Linux/x86_64 6.6.7 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 
-# Randomize high-order page allocation freelist.
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
@@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 
@@ -243,6 +247,7 @@ CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+# CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.