import re
import json
from .__about__ import __version__
-from .checks import add_kconfig_checks, add_cmdline_checks, normalize_cmdline_options
+from .checks import add_kconfig_checks, add_cmdline_checks, normalize_cmdline_options, add_sysctl_checks
from .engine import populate_with_data, perform_checks, override_expected_value
parsed_options[name] = value
+def parse_sysctl_file(parsed_options, fname):
+ print('parse_sysctl_file: TODO')
+
+
def main():
# Report modes:
# * verbose mode for
help='check the security hardening options in the kernel Kconfig file (also supports *.gz files)')
parser.add_argument('-l', '--cmdline',
help='check the security hardening options in the kernel cmdline file (contents of /proc/cmdline)')
+# parser.add_argument('-s', '--sysctl',
+# help='check the security hardening options in the sysctl output file (`sudo sysctl -a > file`)')
parser.add_argument('-p', '--print', choices=supported_archs,
help='print the security hardening recommendations for the selected microarchitecture')
parser.add_argument('-g', '--generate', choices=supported_archs,
help='generate a Kconfig fragment with the security hardening options for the selected microarchitecture')
args = parser.parse_args()
+ args.sysctl = None # FIXME
mode = None
if args.mode:
print(f'[+] Kconfig file to check: {args.config}')
if args.cmdline:
print(f'[+] Kernel cmdline file to check: {args.cmdline}')
+ if args.sysctl:
+ print(f'[+] Kernel sysctl output file to check: {args.sysctl}')
arch, msg = detect_arch(args.config, supported_archs)
if arch is None:
# add relevant cmdline checks to the checklist
add_cmdline_checks(config_checklist, arch)
+ if args.sysctl:
+ # add relevant sysctl checks to the checklist
+ add_sysctl_checks(config_checklist, arch)
+
# populate the checklist with the parsed Kconfig data
parsed_kconfig_options = OrderedDict()
parse_kconfig_file(parsed_kconfig_options, args.config)
parse_cmdline_file(parsed_cmdline_options, args.cmdline)
populate_with_data(config_checklist, parsed_cmdline_options, 'cmdline')
+ if args.sysctl:
+ # populate the checklist with the parsed sysctl data
+ parsed_sysctl_options = OrderedDict()
+ parse_sysctl_file(parsed_sysctl_options, args.sysctl)
+ populate_with_data(config_checklist, parsed_sysctl_options, 'sysctl')
+
# hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
mmap_rnd_bits_max = parsed_kconfig_options.get('CONFIG_ARCH_MMAP_RND_BITS_MAX', None)
if mmap_rnd_bits_max:
all_parsed_options = parsed_kconfig_options # assignment does not copy
if args.cmdline:
all_parsed_options.update(parsed_cmdline_options)
+ if args.sysctl:
+ all_parsed_options.update(parsed_sysctl_options)
print_unknown_options(config_checklist, all_parsed_options)
# finally print the results
sys.exit(0)
elif args.cmdline:
- sys.exit('[!] ERROR: checking cmdline doesn\'t work without checking Kconfig')
+ sys.exit('[!] ERROR: checking cmdline depends on checking Kconfig')
+ elif args.sysctl:
+ # TODO: sysctl check should also work separately
+ sys.exit('[!] ERROR: checking sysctl depends on checking Kconfig')
if args.print:
- assert(args.config is None and args.cmdline is None), 'unexpected args'
+ assert(args.config is None and args.cmdline is None and args.sysctl is None), 'unexpected args'
if mode and mode not in ('verbose', 'json'):
sys.exit(f'[!] ERROR: wrong mode "{mode}" for --print')
arch = args.print
add_kconfig_checks(config_checklist, arch)
add_cmdline_checks(config_checklist, arch)
+ add_sysctl_checks(config_checklist, arch)
if mode != 'json':
print(f'[+] Printing kernel security hardening options for {arch}...')
print_checklist(mode, config_checklist, False)
sys.exit(0)
if args.generate:
- assert(args.config is None and args.cmdline is None), 'unexpected args'
+ assert(args.config is None and args.cmdline is None and args.sysctl is None), 'unexpected args'
if mode:
sys.exit(f'[!] ERROR: wrong mode "{mode}" for --generate')
arch = args.generate
# pylint: disable=missing-function-docstring,line-too-long,invalid-name
# pylint: disable=too-many-branches,too-many-statements
-from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND
+from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND
def add_kconfig_checks(l, arch):
return value
-# def add_sysctl_checks(l, arch):
+def add_sysctl_checks(l, arch):
# TODO: draft of security hardening sysctls:
# kernel.kptr_restrict=2 (or 1?)
-# kernel.dmesg_restrict=1 (also see the kconfig option)
# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
# kernel.kexec_load_disabled=1
# kernel.yama.ptrace_scope=3
# kernel.oops_limit (think about a proper value)
# kernel.warn_limit (think about a proper value)
# net.ipv4.tcp_syncookies=1 (?)
+#
+# Calling the SysctlCheck class constructor:
+# SysctlCheck(reason, decision, name, expected)
+ l += [SysctlCheck('self_protection', 'kspp', 'kernel.dmesg_restrict', '1')]
projects / kconfig-hardened-check.git / commitdiff