Add the 'kernel.randomize_va_space' check
author
Alexander Popov
<alex.popov@linux.com>
Tue, 17 Oct 2023 16:27:37 +0000
(19:27 +0300)
committer
Alexander Popov
<alex.popov@linux.com>
Tue, 17 Oct 2023 16:27:37 +0000
(19:27 +0300)
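--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -581,7 +581,6 @@ def normalize_cmdline_options(option, value):
 # what about bpf_jit_enable?
 # vm.mmap_min_addr has a good value
 # kernel.modules_disabled=1
-# kernel.randomize_va_space=2
 # nosmt sysfs control file
 # dev.tty.legacy_tiocsti=0
 # vm.mmap_rnd_bits=max (?)
@@ -616,3 +615,4 @@ def add_sysctl_checks(l, arch):
 l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]
 l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_regular', '2')]
 l += [SysctlCheck('harden_userspace', 'kspp', 'fs.suid_dumpable', '0')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.randomize_va_space', '2')]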
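Review bot: The new `kernel.randomize_va_space` entry at the end of the second hunk has no comment saying why only `'2'` passes, so a reader cannot tell why a system reporting `1` is flagged. A line above it such as `# 2 = full ASLR (stack, mmap, vDSO and brk heap); 1 leaves the brk heap unrandomized, 0 disables ASLR` would record the reasoning. The `norandmaps` boot parameter forces this sysctl to 0, so it may be worth confirming that the command-line checks cover it; that code is not visible in this hunk. `add_sysctl_checks` begins outside the hunk, so any comment convention used earlier in the function should take precedence.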