X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=77645093186e7430a4dbd8ce7812eecc4378edcd;hb=4b97fce50b144ea7a266cf7bdd5cb6f274cfa32a;hp=d857ad132c5658f04641564208920c0feea2a95e;hpb=78675ceec3da0a4e99fe9cf5389078e50c14ef95;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py index d857ad1..7764509 100644 --- a/kconfig_hardened_check/checks.py +++ b/kconfig_hardened_check/checks.py @@ -11,7 +11,7 @@ This module contains knowledge for checks. # pylint: disable=missing-function-docstring,line-too-long,invalid-name # pylint: disable=too-many-branches,too-many-statements -from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND +from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND def add_kconfig_checks(l, arch): @@ -574,22 +574,15 @@ def normalize_cmdline_options(option, value): return value -# def add_sysctl_checks(l, arch): +def add_sysctl_checks(l, arch): # TODO: draft of security hardening sysctls: # kernel.kptr_restrict=2 (or 1?) -# kernel.dmesg_restrict=1 (also see the kconfig option) -# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/) -# kernel.kexec_load_disabled=1 # kernel.yama.ptrace_scope=3 -# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone) # what about bpf_jit_enable? -# kernel.unprivileged_bpf_disabled=1 -# net.core.bpf_jit_harden=2 # vm.unprivileged_userfaultfd=0 # (at first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only) # vm.mmap_min_addr has a good value -# dev.tty.ldisc_autoload=0 # fs.protected_symlinks=1 # fs.protected_hardlinks=1 # fs.protected_fifos=2 @@ -605,3 +598,15 @@ def normalize_cmdline_options(option, value): # kernel.oops_limit (think about a proper value) # kernel.warn_limit (think about a proper value) # net.ipv4.tcp_syncookies=1 (?) +# +# Calling the SysctlCheck class constructor: +# SysctlCheck(reason, decision, name, expected) + + l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')] + + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]