X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=77645093186e7430a4dbd8ce7812eecc4378edcd;hb=4b97fce50b144ea7a266cf7bdd5cb6f274cfa32a;hp=e30746c9fc0c3af0f4a60ef75a8f8d73b486e7d1;hpb=bb1fc8b96945a06841a55fd56b23666fdbdd8b71;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py index e30746c..7764509 100644 --- a/kconfig_hardened_check/checks.py +++ b/kconfig_hardened_check/checks.py @@ -577,17 +577,12 @@ def normalize_cmdline_options(option, value): def add_sysctl_checks(l, arch): # TODO: draft of security hardening sysctls: # kernel.kptr_restrict=2 (or 1?) -# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/) -# kernel.kexec_load_disabled=1 # kernel.yama.ptrace_scope=3 -# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone) # what about bpf_jit_enable? -# kernel.unprivileged_bpf_disabled=1 # vm.unprivileged_userfaultfd=0 # (at first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only) # vm.mmap_min_addr has a good value -# dev.tty.ldisc_autoload=0 # fs.protected_symlinks=1 # fs.protected_hardlinks=1 # fs.protected_fifos=2 @@ -610,3 +605,8 @@ def add_sysctl_checks(l, arch): l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]