Save more hardening sysctls for TODO

author Alexander Popov <alex.popov@linux.com>

Thu, 28 Nov 2019 16:28:52 +0000 (19:28 +0300)

committer Alexander Popov <alex.popov@linux.com>

Thu, 28 Nov 2019 16:28:52 +0000 (19:28 +0300)
author Alexander Popov <alex.popov@linux.com>
Thu, 28 Nov 2019 16:28:52 +0000 (19:28 +0300)
committer Alexander Popov <alex.popov@linux.com>
Thu, 28 Nov 2019 16:28:52 +0000 (19:28 +0300)
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py

index 97cb91357c688f8d374f4835adce693739aee564..5c60fb7a63d02e0a8f64fb9a27bf804373c969ce 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -36,8 +36,13 @@
  #    kptr_restrict=2
  #    vm.unprivileged_userfaultfd=0
  #    kernel.perf_event_paranoid=3
-#    kernel.yama.ptrace_scope=1
+#    kernel.yama.ptrace_scope=1 (or even 3?)
  #    kernel.unprivileged_bpf_disabled=1
+#    fs.suid_dumpable=0
+#    fs.protected_symlinks = 1
+#    fs.protected_hardlinks = 1
+#    fs.protected_fifos = 2
+#    fs.protected_regular = 2
  
  import sys
  from argparse import ArgumentParser
author	Alexander Popov <alex.popov@linux.com>
	Thu, 28 Nov 2019 16:28:52 +0000 (19:28 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Thu, 28 Nov 2019 16:28:52 +0000 (19:28 +0300)