From: Alexander Popov Date: Sun, 23 Jul 2023 21:23:38 +0000 (+0300) Subject: Check the user.max_user_namespaces sysctl X-Git-Tag: v0.6.6~107 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=da577cbec528fab5229036ee820492120053acb0;p=kconfig-hardened-check.git Check the user.max_user_namespaces sysctl --- diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py index bffc68c..e06146a 100644 --- a/kconfig_hardened_check/checks.py +++ b/kconfig_hardened_check/checks.py @@ -578,7 +578,6 @@ def add_sysctl_checks(l, arch): # TODO: draft of security hardening sysctls: # kernel.kptr_restrict=2 (or 1?) # kernel.yama.ptrace_scope=3 -# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone) # what about bpf_jit_enable? # kernel.unprivileged_bpf_disabled=1 # vm.unprivileged_userfaultfd=0 @@ -610,3 +609,4 @@ def add_sysctl_checks(l, arch): l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')]