sys.exit(f'[!] ERROR: {fname} doesn\'t look like a sysctl output file, please try `sudo sysctl -a > {fname}`')
# let's check the presence of a sysctl option available for root
- if 'net.core.bpf_jit_harden' not in parsed_options and mode != 'json':
- print(f'[!] WARNING: sysctl option "net.core.bpf_jit_harden" available for root is not found in {fname}, please try `sudo sysctl -a > {fname}`')
+ if 'kernel.cad_pid' not in parsed_options and mode != 'json':
+ print(f'[!] WARNING: sysctl option "kernel.cad_pid" available for root is not found in {fname}, please try `sudo sysctl -a > {fname}`')
def main():
# Calling the SysctlCheck class constructor:
# SysctlCheck(reason, decision, name, expected)
- l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
+ l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'),
+ AND(KconfigCheck('cut_attack_surface', 'kspp', 'BPF_JIT', 'is not set'),
+ # use an omnipresent config symbol to see if we have a config file to check BPF_JIT.
+ KconfigCheck('cut_attack_surface', 'kspp', 'DEFAULT_INIT', 'is present')))]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
projects / kconfig-hardened-check.git / commitdiff