Small syctl cleanup
author
Alexander Popov
<alex.popov@linux.com>
Tue, 24 Mar 2020 11:14:20 +0000
(14:14 +0300)
committer
Alexander Popov
<alex.popov@linux.com>
Tue, 24 Mar 2020 12:07:41 +0000
(15:07 +0300)
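--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -13,7 +13,6 @@
 # N.B Hardening command line parameters:
 # slub_debug=FZP
 # slab_nomerge
-# kernel.kptr_restrict=1
 # page_alloc.shuffle=1
 # iommu=force (does it help against DMA attacks?)
 # page_poison=1 (if enabled)
@@ -35,17 +34,24 @@
 # ssbd=force-on
 #
 # N.B. Hardening sysctls:
-# net.core.bpf_jit_harden=2
-# kptr_restrict=2
-# vm.unprivileged_userfaultfd=0
+# kernel.kptr_restrict=2
+# kernel.dmesg_restrict=1
 # kernel.perf_event_paranoid=3
-# kernel.yama.ptrace_scope=1 (or even 3?)
+# kernel.kexec_load_disabled=1
+# kernel.yama.ptrace_scope=3
+# user.max_user_namespaces=0
 # kernel.unprivileged_bpf_disabled=1
+# net.core.bpf_jit_harden=2
+#
+# vm.unprivileged_userfaultfd=0
+#
+# dev.tty.ldisc_autoload=0
+# fs.protected_symlinks=1
+# fs.protected_hardlinks=1
+# fs.protected_fifos=2
+# fs.protected_regular=2
 # fs.suid_dumpable=0
-# fs.protected_symlinks = 1
-# fs.protected_hardlinks = 1
-# fs.protected_fifos = 2
-# fs.protected_regular = 2
+# kernel.modules_disabled=1
 import sys
 from argparse import ArgumentParser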
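Review bot: `kernel.perf_event_paranoid=3` in the sysctl list only disables unprivileged perf entirely on kernels carrying the Debian/Android out-of-tree patch; mainline has no level 3 and treats any value above 2 like 2, so the line should say so, e.g. `# kernel.perf_event_paranoid=3 (level 3 needs the Debian/Android patch; mainline caps at 2)`. The list now also contains three one-way knobs, `kernel.modules_disabled=1`, `kernel.kexec_load_disabled=1` and `kernel.yama.ptrace_scope=3`, which cannot be lowered again until reboot; a parenthetical to that effect would help anyone copying this block into sysctl.conf. Several of the added entries (`fs.protected_fifos`/`fs.protected_regular`, `vm.unprivileged_userfaultfd`, `dev.tty.ldisc_autoload`) only exist on more recent kernels and are rejected on older ones, so a note on minimum kernel versions would be useful, though the exact versions are not visible in this hunk.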