X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=bffc68c774e88ed255768ec9f7e28fb70267be8f;hb=181c2d9b5cc2c9a71f470ff78bb1a2cfc44a55d3;hp=3a58c7034683a4e90d9d78b28ea146717898a313;hpb=9503bb6ed5150171095d65aa7eb0ff787322638c;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py index 3a58c70..bffc68c 100644 --- a/kconfig_hardened_check/checks.py +++ b/kconfig_hardened_check/checks.py @@ -11,7 +11,7 @@ This module contains knowledge for checks. # pylint: disable=missing-function-docstring,line-too-long,invalid-name # pylint: disable=too-many-branches,too-many-statements -from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND +from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND def add_kconfig_checks(l, arch): @@ -365,6 +365,7 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'my', 'XFS_SUPPORT_V4', 'is not set')] l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)] @@ -573,17 +574,13 @@ def normalize_cmdline_options(option, value): return value -# def add_sysctl_checks(l, arch): +def add_sysctl_checks(l, arch): # TODO: draft of security hardening sysctls: # kernel.kptr_restrict=2 (or 1?) -# kernel.dmesg_restrict=1 (also see the kconfig option) -# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/) -# kernel.kexec_load_disabled=1 # kernel.yama.ptrace_scope=3 # user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone) # what about bpf_jit_enable? # kernel.unprivileged_bpf_disabled=1 -# net.core.bpf_jit_harden=2 # vm.unprivileged_userfaultfd=0 # (at first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only) @@ -604,3 +601,12 @@ def normalize_cmdline_options(option, value): # kernel.oops_limit (think about a proper value) # kernel.warn_limit (think about a proper value) # net.ipv4.tcp_syncookies=1 (?) +# +# Calling the SysctlCheck class constructor: +# SysctlCheck(reason, decision, name, expected) + + l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')] + + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')]