From b68eb59c9d222478af8f7b6aeb76801456f3d301 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Thu, 21 Jun 2018 00:07:52 +0300
Subject: [PATCH] Disable buggy IP_SCTP to cut attack surface

---
 README.md                 | 3 ++-
 kconfig-hardened-check.py | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b87801e..8fdd80c 100644
--- a/README.md
+++ b/README.md
@@ -97,6 +97,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c ]
  CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
  CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y"
  CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
+ CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m"
  CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y"
  CONFIG_KPROBES | is not set | my | cut_attack_surface || FAIL: "y"
  CONFIG_PROFILING | is not set | my | cut_attack_surface || FAIL: "y"
@@ -105,7 +106,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c ]
  CONFIG_BPF_SYSCALL | is not set | my | cut_attack_surface || FAIL: "y"
  CONFIG_LKDTM | m | my | feature_test || FAIL: "is not set"
 
-[-] config check is NOT PASSED: 39 errors
+[-] config check is NOT PASSED: 40 errors
 ```
 
 __Go and fix them all!__
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index a63df18..e784d07 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -96,6 +96,7 @@ def construct_opt_list():
     opt_list.append([Opt('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface'), ''])
     opt_list.append([Opt('USER_NS', 'is not set', 'my', 'cut_attack_surface'), '']) # user.max_user_namespaces=0
     opt_list.append([Opt('IP_DCCP', 'is not set', 'my', 'cut_attack_surface'), ''])
+    opt_list.append([Opt('IP_SCTP', 'is not set', 'my', 'cut_attack_surface'), ''])
     opt_list.append([Opt('FTRACE', 'is not set', 'my', 'cut_attack_surface'), ''])
     opt_list.append([Opt('KPROBES', 'is not set', 'my', 'cut_attack_surface'), ''])
     opt_list.append([Opt('PROFILING', 'is not set', 'my', 'cut_attack_surface'), ''])
-- 
2.31.1
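Review bot: The new IP_SCTP entry carries no rationale in the code, whereas the USER_NS line two lines above documents its runtime fallback in a trailing comment (`# user.max_user_namespaces=0`); the "buggy" reasoning lives only in the commit subject, so a reader of the list cannot tell whether this check is about a rarely used protocol's attack surface or a specific defect. A trailing comment in the same style would keep the list self-explaining and give operators on a distro kernel (where the README shows this failing with "m") the equivalent mitigation, e.g. `opt_list.append([Opt('IP_SCTP', 'is not set', 'my', 'cut_attack_surface'), '']) # rarely needed; if built as a module, blacklist it (modprobe.d: install sctp /bin/true)`. construct_opt_list() starts and ends outside the hunk.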