X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=f7c786dfb026540a58ec7472836144bfd59d02ce;hb=6df376e63dd5f3f0fc7e82bb221e719aea4c166b;hp=96da656bf14ad4368a0f7fcd0996a7961606dfc3;hpb=f37cd60e08f1e69fc3e03278f602e386d0ddbfc7;p=kconfig-hardened-check.git

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 96da656..f7c786d 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -580,7 +580,6 @@ def normalize_cmdline_options(option, value):
 # TODO: draft of security hardening sysctls:
 #    what about bpf_jit_enable?
 #    vm.mmap_min_addr has a good value
-#    kernel.modules_disabled=1
 #    nosmt sysfs control file
 #    vm.mmap_rnd_bits=max (?)
 #    kernel.sysrq=0
@@ -609,6 +608,8 @@ def add_sysctl_checks(l, arch):
           # At first, it disabled unprivileged userfaultfd,
           # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
 
+#   l += [SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1')] # radical, but may be useful in some cases
+
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]