From da577cbec528fab5229036ee820492120053acb0 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Mon, 24 Jul 2023 00:23:38 +0300 Subject: [PATCH] Check the user.max_user_namespaces sysctl --- kconfig_hardened_check/checks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py index bffc68c..e06146a 100644 --- a/kconfig_hardened_check/checks.py +++ b/kconfig_hardened_check/checks.py @@ -578,7 +578,6 @@ def add_sysctl_checks(l, arch): # TODO: draft of security hardening sysctls: # kernel.kptr_restrict=2 (or 1?) # kernel.yama.ptrace_scope=3 -# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone) # what about bpf_jit_enable? # kernel.unprivileged_bpf_disabled=1 # vm.unprivileged_userfaultfd=0 @@ -610,3 +609,4 @@ def add_sysctl_checks(l, arch): l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] -- 2.31.1