X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=fa5c08a9e0854ec97151727e7dd41e8905f8042a;hb=ce0afbc572d36c842891bd717bb462fce41f5e10;hp=ed8354181699c849ab8fc8f5f2ba56bfebe1dabc;hpb=b4e374903e5e22dddfce8be0c4162fa7dcd20808;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index ed83541..fa5c08a 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -663,14 +663,17 @@ def add_sysctl_checks(l, _arch): # Calling the SysctlCheck class constructor: # SysctlCheck(reason, decision, name, expected) + # use an omnipresent config symbol to see if we have a config file + have_config_file = KconfigCheck('-', '-', 'DEFAULT_INIT', 'is present') l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'), AND(KconfigCheck('cut_attack_surface', 'kspp', 'BPF_JIT', 'is not set'), - # use an omnipresent config symbol to see if we have a config file to check BPF_JIT. - KconfigCheck('cut_attack_surface', 'kspp', 'DEFAULT_INIT', 'is present')))] + have_config_file))] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ - l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')] + l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'), + AND(KconfigCheck('cut_attack_surfice', 'kspp', 'KEXEC_CORE', 'is not set'), + have_config_file))] l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] # may break the upower daemon in Ubuntu l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]