projects / kconfig-hardened-check.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 07687df)
Add CLIP OS recommendations for cutting attack surface
authorAlexander Popov <alex.popov@linux.com>
Mon, 3 Jun 2019 17:02:42 +0000 (20:02 +0300)
committerAlexander Popov <alex.popov@linux.com>
Mon, 3 Jun 2019 17:02:42 +0000 (20:02 +0300)
Refers to the issue #19 by @HacKurx

kconfig-hardened-check.py patch | blob | history

diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 26afc40324ce39dec03bf0f77ebc9d756a5d9432..562dd92ca0b7e760b31819a282e40b8024edf1ec 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -320,6 +320,12 @@ def construct_checklist(arch):
     checklist.append(OptCheck('BPF_SYSCALL',          'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
     checklist.append(OptCheck('MMIOTRACE_TEST',       'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
 
+    checklist.append(OptCheck('KSM',                      'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
+    checklist.append(OptCheck('IKCONFIG',                 'is not set', 'clipos', 'cut_attack_surface'))
+    checklist.append(OptCheck('KALLSYMS',                 'is not set', 'clipos', 'cut_attack_surface'))
+    checklist.append(OptCheck('X86_VSYSCALL_EMULATION',   'is not set', 'clipos', 'cut_attack_surface'))
+    checklist.append(OptCheck('MAGIC_SYSRQ',              'is not set', 'clipos', 'cut_attack_surface'))
+
     checklist.append(OptCheck('MMIOTRACE',            'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
     checklist.append(OptCheck('KEXEC_FILE',           'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
     checklist.append(OptCheck('LIVEPATCH',            'is not set', 'my', 'cut_attack_surface'))
kconfig-hardened-check