projects
/
kconfig-hardened-check.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (from parent 1:
bb1fc8b
)
Check the kernel.perf_event_paranoid sysctl
author
Alexander Popov
<alex.popov@linux.com>
Sun, 23 Jul 2023 21:17:44 +0000
(
00:17
+0300)
committer
Alexander Popov
<alex.popov@linux.com>
Sun, 23 Jul 2023 21:17:44 +0000
(
00:17
+0300)
kconfig_hardened_check/checks.py
patch
|
blob
|
history
diff --git
a/kconfig_hardened_check/checks.py
b/kconfig_hardened_check/checks.py
index e30746c9fc0c3af0f4a60ef75a8f8d73b486e7d1..e9ac9da379f437bd8d6f287044bb76b1b60c0847 100644
(file)
--- a/
kconfig_hardened_check/checks.py
+++ b/
kconfig_hardened_check/checks.py
@@
-577,7
+577,6
@@
def normalize_cmdline_options(option, value):
def add_sysctl_checks(l, arch):
# TODO: draft of security hardening sysctls:
# kernel.kptr_restrict=2 (or 1?)
def add_sysctl_checks(l, arch):
# TODO: draft of security hardening sysctls:
# kernel.kptr_restrict=2 (or 1?)
-# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
# kernel.kexec_load_disabled=1
# kernel.yama.ptrace_scope=3
# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
# kernel.kexec_load_disabled=1
# kernel.yama.ptrace_scope=3
# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
@@
-610,3
+609,4
@@
def add_sysctl_checks(l, arch):
l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/