X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=0a10ae770ff446568e775a4710cefaab4d4212d7;hb=7bb85ef2855e714083f8850db7ec09a119c77d91;hp=8e754c02ceabed5b37fe7396456f03a29e6ff198;hpb=709a822ae90dbf4fe10441da65a842b3a02125d1;p=kconfig-hardened-check.git

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 8e754c0..0a10ae7 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -580,11 +580,8 @@ def normalize_cmdline_options(option, value):
 # TODO: draft of security hardening sysctls:
 #    what about bpf_jit_enable?
 #    vm.mmap_min_addr has a good value
-#    fs.suid_dumpable=0
 #    kernel.modules_disabled=1
-#    kernel.randomize_va_space=2
 #    nosmt sysfs control file
-#    dev.tty.legacy_tiocsti=0
 #    vm.mmap_rnd_bits=max (?)
 #    kernel.sysrq=0
 #    abi.vsyscall32 (any value except 2)
@@ -608,6 +605,7 @@ def add_sysctl_checks(l, arch):
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.yama.ptrace_scope', '3')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
           # At first, it disabled unprivileged userfaultfd,
           # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
@@ -616,3 +614,5 @@ def add_sysctl_checks(l, arch):
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_regular', '2')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.suid_dumpable', '0')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.randomize_va_space', '2')]