X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=fa2de4240e244ead8c9d0e90ea977095d1f50216;hb=22314345541d97b8f095aec733ef44620ba54801;hp=fda5d46986f4f229c3e839f49f2107751005e907;hpb=48ff85596d7c1ed707a74844cfac72d736d0c71c;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index fda5d46..fa2de42 100755 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -421,7 +421,8 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'BLK_DEV_WRITE_MOUNTED', 'is not set')] l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)] - + l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MAGIC_SYSRQ_SERIAL', 'is not set'), + KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MAGIC_SYSRQ_DEFAULT_ENABLE', '0x0'))] # 'harden_userspace' if arch == 'ARM64': @@ -532,6 +533,7 @@ def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None: l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp l += [CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1')] + l += [CmdlineCheck('self_protection', 'kspp', 'cfi', 'kcfi')] l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'), AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'), CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'), @@ -674,10 +676,7 @@ def normalize_cmdline_options(option: str, value: str) -> str: # vm.mmap_min_addr has a good value # nosmt sysfs control file # vm.mmap_rnd_bits=max (?) -# kernel.sysrq=0 # abi.vsyscall32 (any value except 2) -# kernel.oops_limit (think about a proper value) -# kernel.warn_limit (think about a proper value) # net.ipv4.tcp_syncookies=1 (?) def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: @@ -692,6 +691,12 @@ def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'), AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'), have_kconfig))] + # Choosing a right value for 'kernel.oops_limit' and 'kernel.warn_limit' is not easy. + # A small value (e.g. 1, which is recommended by KSPP) allows easy DoS. + # A large value (e.g. 10000, which is default 'kernel.oops_limit') may miss the exploit attempt. + # Let's choose 100 as a reasonable compromise. + l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.oops_limit', '100')] + l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.warn_limit', '100')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ @@ -711,10 +716,14 @@ def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: # At first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only. - l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'), + l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.modules_disabled', '1'), AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'), have_kconfig))] # radical, but may be useful in some cases + l += [OR(SysctlCheck('cut_attack_surface', 'a13xp0p0v', 'kernel.sysrq', '0'), + AND(KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set'), + have_kconfig))] + l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]