Update the KSPP recommendations
author
Alexander Popov
<alex.popov@linux.com>
Thu, 28 Dec 2023 12:30:56 +0000
(15:30 +0300)
committer
Alexander Popov
<alex.popov@linux.com>
Thu, 28 Dec 2023 12:33:22 +0000
(15:33 +0300)
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config
diff --git
a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
index d4493e7eaa3bf932d40904d91f0777afc7366d8e..c75026046439f27d1423e0358bceb938c669b363 100644
--- a/
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
+++ b/
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
@@
-1,4
+1,4
@@
-# Linux/arm 6.
1.5
Kernel Configuration
+# Linux/arm 6.
6.7
Kernel Configuration
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
@@
-68,7
+68,8
@@
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
-# Randomize high-order page allocation freelist.
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
@@
-185,6
+186,9
@@
CONFIG_STATIC_USERMODEHELPER=y
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
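Review bot: The rewritten CONFIG_SHUFFLE_PAGE_ALLOCATOR comment in the second hunk closes a parenthesis it never opens, `# the "page_alloc.shuffle=1" command line below).`; `# the "page_alloc.shuffle=1" command line (see below).` reads cleanly and matches the `(see "slub_debug=P" below)` wording of the comment right after it. The same text lands in the corresponding hunks of kspp-kconfig-arm64.config, kspp-kconfig-x86-32.config and kspp-kconfig-x86-64.config, so the fix applies to all four files. If these files are meant to mirror the upstream KSPP recommendation text verbatim, the correction belongs upstream first and a local edit may be undesirable. Both this comment and the new CONFIG_LEGACY_TIOCSTI comment in the third hunk refer to entries "below" (the `page_alloc.shuffle=1` command line and the `dev.tty.legacy_tiocsti` sysctl) that lie outside the hunks; confirm those entries are present in the updated files so the cross-references do not dangle.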
diff --git
a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config
b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config
index 50907ab4e9795e3ab86628efc3029647b90f1e74..c059256fbdb3842be6cfeefd8805fc1c196a9f87 100644
--- a/
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config
+++ b/
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config
@@
-1,4
+1,4
@@
-# Linux/arm64 6.
1.5
Kernel Configuration
+# Linux/arm64 6.
6.7
Kernel Configuration
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
@@
-68,7
+68,8
@@
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
-# Randomize high-order page allocation freelist.
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
@@
-185,6
+186,9
@@
CONFIG_STATIC_USERMODEHELPER=y
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
diff --git
a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
index 4667aa287e5ccfae7c8f49049978d728fcd92543..9db30cbb1caff4b868f9ab58c73e1f80e5753ab8 100644
--- a/
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
+++ b/
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
@@
-1,4
+1,4
@@
-# Linux/i386 6.
1.5
Kernel Configuration
+# Linux/i386 6.
6.7
Kernel Configuration
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
@@
-68,7
+68,8
@@
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
-# Randomize high-order page allocation freelist.
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
@@
-185,6
+186,9
@@
CONFIG_STATIC_USERMODEHELPER=y
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
diff --git
a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config
b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config
index f179b4ead38def7c6cea7ce3ed5aa512f2c1d4fb..f374cda2ba05fc0aed51d73b27a35ed71c8acf1d 100644
--- a/
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config
+++ b/
kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config
@@
-1,4
+1,4
@@
-# Linux/x86_64 6.
1.5
Kernel Configuration
+# Linux/x86_64 6.
6.7
Kernel Configuration
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
@@
-68,7
+68,8
@@
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
-# Randomize high-order page allocation freelist.
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
@@
-185,6
+186,9
@@
CONFIG_STATIC_USERMODEHELPER=y
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
@@
-243,6
+247,7
@@
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.