projects / kconfig-hardened-check.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b6ee2f5)
Disable buggy IP_SCTP to cut attack surface
authorAlexander Popov <alex.popov@linux.com>
Wed, 20 Jun 2018 21:07:52 +0000 (00:07 +0300)
committerAlexander Popov <alex.popov@linux.com>
Wed, 20 Jun 2018 21:09:27 +0000 (00:09 +0300)
README.md patch | blob | history
kconfig-hardened-check.py patch | blob | history

diff --git a/README.md b/README.md
index b87801e58bea593fbf4a0ac109dcad5cb107762d..8fdd80cf010a6a89effd9a47403bc3a75cf5e487 100644 (file)
--- a/README.md
+++ b/README.md
@@ -97,6 +97,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
   CONFIG_LIVEPATCH                       | is not set  |    my    | cut_attack_surface ||     FAIL: "y"      
   CONFIG_USER_NS                         | is not set  |    my    | cut_attack_surface ||     FAIL: "y"      
   CONFIG_IP_DCCP                         | is not set  |    my    | cut_attack_surface ||     FAIL: "m"      
+  CONFIG_IP_SCTP                         | is not set  |    my    | cut_attack_surface ||     FAIL: "m"      
   CONFIG_FTRACE                          | is not set  |    my    | cut_attack_surface ||     FAIL: "y"      
   CONFIG_KPROBES                         | is not set  |    my    | cut_attack_surface ||     FAIL: "y"      
   CONFIG_PROFILING                       | is not set  |    my    | cut_attack_surface ||     FAIL: "y"      
@@ -105,7 +106,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
   CONFIG_BPF_SYSCALL                     | is not set  |    my    | cut_attack_surface ||     FAIL: "y"      
   CONFIG_LKDTM                           |      m      |    my    |    feature_test    || FAIL: "is not set" 
 
-[-] config check is NOT PASSED: 39 errors
+[-] config check is NOT PASSED: 40 errors
 ```
 
 __Go and fix them all!__
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index a63df18abaead7a9c6357915d68f0fabb024e377..e784d073fdf32b658dda9b78ab33899a25296a55 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -96,6 +96,7 @@ def construct_opt_list():
     opt_list.append([Opt('LIVEPATCH',            'is not set', 'my', 'cut_attack_surface'), ''])
     opt_list.append([Opt('USER_NS',              'is not set', 'my', 'cut_attack_surface'), '']) # user.max_user_namespaces=0
     opt_list.append([Opt('IP_DCCP',              'is not set', 'my', 'cut_attack_surface'), ''])
+    opt_list.append([Opt('IP_SCTP',              'is not set', 'my', 'cut_attack_surface'), ''])
     opt_list.append([Opt('FTRACE',               'is not set', 'my', 'cut_attack_surface'), ''])
     opt_list.append([Opt('KPROBES',              'is not set', 'my', 'cut_attack_surface'), ''])
     opt_list.append([Opt('PROFILING',            'is not set', 'my', 'cut_attack_surface'), ''])
kconfig-hardened-check