From 5e44660143ccd76a2aa3030f6949e7188e116a37 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 7 Jul 2024 15:49:10 +0300
Subject: [PATCH] Add the CRASH_DUMP check

Refers to #84.
---
 kernel_hardening_checker/checks.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index f338bbd..faf2aa2 100755
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -392,6 +392,7 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive)
+ l += [KconfigCheck('cut_attack_surface', 'clipos', 'CRASH_DUMP', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
-- 
2.31.1
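Review bot: The added `CRASH_DUMP` line has no trailing comment, while the neighbouring `KSM`, `KEXEC_FILE` and `USER_NS` checks each state their rationale or the related setting, so a reader of checks.py cannot tell why this option is in `cut_attack_surface` without opening issue #84. Presumably the concern is that a crash-capture kernel exposes the crashed kernel's memory image and depends on the kexec machinery checked one line above; if that is the intent, say so on the line, for example `# crash dump exposes kernel memory, relies on kexec (see #84)`. It would also help to confirm in the commit message that `'clipos'` is the source of this recommendation, since the message only cites the issue number. `add_kconfig_checks` starts and ends outside this hunk, so any matching check for related options elsewhere in the function is not visible here.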