Add a comment about 'kernel.modules_disabled'

author Alexander Popov <alex.popov@linux.com>

Sat, 11 Nov 2023 15:13:19 +0000 (18:13 +0300)

committer Alexander Popov <alex.popov@linux.com>

Sat, 2 Dec 2023 06:14:17 +0000 (09:14 +0300)
author Alexander Popov <alex.popov@linux.com>
Sat, 11 Nov 2023 15:13:19 +0000 (18:13 +0300)
committer Alexander Popov <alex.popov@linux.com>
Sat, 2 Dec 2023 06:14:17 +0000 (09:14 +0300)
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py

index 96da656bf14ad4368a0f7fcd0996a7961606dfc3..f7c786dfb026540a58ec7472836144bfd59d02ce 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -580,7 +580,6 @@ def normalize_cmdline_options(option, value):
  # TODO: draft of security hardening sysctls:
  #    what about bpf_jit_enable?
  #    vm.mmap_min_addr has a good value
-#    kernel.modules_disabled=1
  #    nosmt sysfs control file
  #    vm.mmap_rnd_bits=max (?)
  #    kernel.sysrq=0
@@ -609,6 +608,8 @@ def add_sysctl_checks(l, arch):
            # At first, it disabled unprivileged userfaultfd,
            # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
  
+#   l += [SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1')] # radical, but may be useful in some cases
+
      l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
      l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
      l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]
author	Alexander Popov <alex.popov@linux.com>
	Sat, 11 Nov 2023 15:13:19 +0000 (18:13 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Sat, 2 Dec 2023 06:14:17 +0000 (09:14 +0300)