X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=d95d301fb1f0ea3e25564a601dd44519a6a3f994;hb=04f7596cfa16efb6cfb2fb8d6a56a55574489ecf;hp=ca829a3d857b19f3f4fca918195b38cad4b385bb;hpb=e535f514ea058276a71106e52f5e18f4ed0eec37;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index ca829a3..d95d301 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -27,7 +27,7 @@ def add_kconfig_checks(l, arch): cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18 cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18 - modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') + modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') # radical, but may be useful in some cases devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN bpf_syscall_not_set = KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set') # refers to LOCKDOWN @@ -458,7 +458,6 @@ def add_cmdline_checks(l, arch): # 'self_protection', 'kspp' l += [CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt')] - l += [CmdlineCheck('self_protection', 'kspp', 'nosmt', 'is present')] # slow (high performance penalty) l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp l += [CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1')] @@ -507,6 +506,7 @@ def add_cmdline_checks(l, arch): CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'is not set')))] # 'cut_attack_surface', 'kspp' + l += [CmdlineCheck('cut_attack_surface', 'kspp', 'nosmt', 'is present')] # slow (high performance penalty) if arch == 'X86_64': l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'), KconfigCheck('cut_attack_surface', 'kspp', 'X86_VSYSCALL_EMULATION', 'is not set'), @@ -580,10 +580,7 @@ def normalize_cmdline_options(option, value): # TODO: draft of security hardening sysctls: # what about bpf_jit_enable? # vm.mmap_min_addr has a good value -# kernel.modules_disabled=1 -# kernel.randomize_va_space=2 # nosmt sysfs control file -# dev.tty.legacy_tiocsti=0 # vm.mmap_rnd_bits=max (?) # kernel.sysrq=0 # abi.vsyscall32 (any value except 2) @@ -606,13 +603,17 @@ def add_sysctl_checks(l, arch): l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')] - l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.yama.ptrace_scope', '3')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')] # At first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only. + l += [SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1')] # radical, but may be useful in some cases + l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_regular', '2')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.suid_dumpable', '0')] + l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.randomize_va_space', '2')] + l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.yama.ptrace_scope', '3')]