Alexander Popov [Fri, 13 Jul 2018 23:11:41 +0000 (02:11 +0300)]
ArgumentParser: drop unneeded default=False for args with action='store_true'
Alexander Popov [Fri, 13 Jul 2018 23:10:23 +0000 (02:10 +0300)]
ArgumentParser: Improve description
anthraxx [Mon, 9 Jul 2018 00:25:23 +0000 (02:25 +0200)]
argparse: using python module instead of manual getopt
Alexander Popov [Thu, 5 Jul 2018 11:44:04 +0000 (14:44 +0300)]
Consider 'not found' as an equivalent of 'is not set'
Alexander Popov [Thu, 5 Jul 2018 10:54:40 +0000 (13:54 +0300)]
Add rules for options disabled by grsecurity
Carefully extracted from their last public patch
Alexander Popov [Wed, 4 Jul 2018 18:08:21 +0000 (21:08 +0300)]
Move some features to 'cut_attack_surface' category
STRICT_DEVMEM and IO_STRICT_DEVMEM, SECCOMP and SECCOMP_FILTER
are not self protection features. They cut attack surface.
I'm also not sure about SYN_COOKIES. Mark it with a comment.
Alexander Popov [Wed, 4 Jul 2018 09:29:39 +0000 (12:29 +0300)]
More decisions on kernel options
Alexander Popov [Tue, 3 Jul 2018 20:31:48 +0000 (23:31 +0300)]
Add Oracle Unbreakable Enterprise Kernel 5 (UEK-5) config
Alexander Popov [Fri, 22 Jun 2018 12:34:23 +0000 (15:34 +0300)]
Drop CONFIG_DEBUG_KERNEL from kspp-recommendations.config
It is needed only for kernels prior to v4.11 (Kees has updated the wiki)
Alexander Popov [Wed, 20 Jun 2018 21:07:52 +0000 (00:07 +0300)]
Disable buggy IP_SCTP to cut attack surface
Alexander Popov [Wed, 20 Jun 2018 21:09:12 +0000 (00:09 +0300)]
Disable only CONFIG_USER_NS, not whole CONFIG_NAMESPACES
Thanks to @Bernhard40 for the correction
Signed-off-by: Alexander Popov <alex.popov@linux.com>
Alexander Popov [Wed, 20 Jun 2018 14:09:42 +0000 (17:09 +0300)]
Add kconfig-hardened-check.py
This script helps me to check the Linux kernel Kconfig option list
against my hardening preferences for x86_64.
Nobody likes checking configs manually. Let the computers do their job!
Signed-off-by: Alexander Popov <alex.popov@linux.com>