From: Alexander Popov
Date: Mon, 3 Jun 2019 17:02:42 +0000 (+0300)
Subject: Add CLIP OS recommendations for cutting attack surface
X-Git-Tag: v0.5.2~23
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=8be2995ce4e980cd2b1df7c0f32583fd75295a6a;p=kconfig-hardened-check.git

Add CLIP OS recommendations for cutting attack surface

Refers to the issue #19 by @HacKurx
---
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 26afc40..562dd92 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -320,6 +320,12 @@ def construct_checklist(arch):
 checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
 checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('KSM', 'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
+ checklist.append(OptCheck('IKCONFIG', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('KALLSYMS', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('X86_VSYSCALL_EMULATION', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('MAGIC_SYSRQ', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
 checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
 checklist.append(OptCheck('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface'))
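Review bot: Four of the five new 'clipos' checks (IKCONFIG, KALLSYMS, X86_VSYSCALL_EMULATION, MAGIC_SYSRQ) carry no rationale, while the KSM line and the neighbouring lockdown lines each say why the option is flagged. A trailing comment per line would let a user of the report judge the trade-off before disabling the option, for example `# embeds the build .config in the kernel image` on IKCONFIG, `# kernel symbol table helps locate kernel addresses` on KALLSYMS and `# SysRq gives low-level control from the console` on MAGIC_SYSRQ. X86_VSYSCALL_EMULATION is an x86-only option, so it may belong under an architecture condition if construct_checklist(arch) has one; the function body starts and ends outside this hunk, so that cannot be confirmed from here.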