From: Alexander Popov Date: Thu, 28 Dec 2023 12:30:56 +0000 (+0300) Subject: Update the KSPP recommendations X-Git-Tag: v0.6.6~27 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=33e3e4ffe76d7bec043024106c787d40154aef3d;p=kconfig-hardened-check.git Update the KSPP recommendations --- diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config index d4493e7..c750260 100644 --- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config +++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config @@ -1,4 +1,4 @@ -# Linux/arm 6.1.5 Kernel Configuration +# Linux/arm 6.6.7 Kernel Configuration # Report BUG() conditions and kill the offending process. CONFIG_BUG=y @@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y -# Randomize high-order page allocation freelist. +# Allow for randomization of high-order page allocation freelist. Must be enabled with +# the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). @@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set +# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below). +# CONFIG_LEGACY_TIOCSTI is not set + # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config index 50907ab..c059256 100644 --- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config +++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config @@ -1,4 +1,4 @@ -# Linux/arm64 6.1.5 Kernel Configuration +# Linux/arm64 6.6.7 Kernel Configuration # Report BUG() conditions and kill the offending process. CONFIG_BUG=y @@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y -# Randomize high-order page allocation freelist. +# Allow for randomization of high-order page allocation freelist. Must be enabled with +# the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). @@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set +# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below). +# CONFIG_LEGACY_TIOCSTI is not set + # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config index 4667aa2..9db30cb 100644 --- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config +++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config @@ -1,4 +1,4 @@ -# Linux/i386 6.1.5 Kernel Configuration +# Linux/i386 6.6.7 Kernel Configuration # Report BUG() conditions and kill the offending process. CONFIG_BUG=y @@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y -# Randomize high-order page allocation freelist. +# Allow for randomization of high-order page allocation freelist. Must be enabled with +# the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). @@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set +# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below). +# CONFIG_LEGACY_TIOCSTI is not set + # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config index f179b4e..f374cda 100644 --- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config +++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config @@ -1,4 +1,4 @@ -# Linux/x86_64 6.1.5 Kernel Configuration +# Linux/x86_64 6.6.7 Kernel Configuration # Report BUG() conditions and kill the offending process. CONFIG_BUG=y @@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y -# Randomize high-order page allocation freelist. +# Allow for randomization of high-order page allocation freelist. Must be enabled with +# the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y # Allow allocator validation checking to be enabled (see "slub_debug=P" below). @@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y # Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set +# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below). +# CONFIG_LEGACY_TIOCSTI is not set + # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # CONFIG_SECURITY_SELINUX_DISABLE is not set @@ -243,6 +247,7 @@ CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. +# CONFIG_X86_VSYSCALL_EMULATION is not set CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.