Skip to content

K
kernel-hardening-checker
Commit 29de5cc2 by Alexander Popov
Options

Update KSPP recommendations

parent fb4d95bd
Showing with 18 additions and 0 deletions
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
...@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y ...@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Dangerous; enabling this allows direct physical memory writing. # Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set # CONFIG_ACPI_CUSTOM_METHOD is not set
......
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
...@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y ...@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Dangerous; enabling this allows direct physical memory writing. # Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set # CONFIG_ACPI_CUSTOM_METHOD is not set
......
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
...@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y ...@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Dangerous; enabling this allows direct physical memory writing. # Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set # CONFIG_ACPI_CUSTOM_METHOD is not set
...@@ -162,6 +165,9 @@ CONFIG_X86_PAE=y ...@@ -162,6 +165,9 @@ CONFIG_X86_PAE=y
# Disallow allocating the first 64k of memory. # Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel. # Randomize position of kernel.
CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_BASE=y
......
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
...@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y ...@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Dangerous; enabling this allows direct physical memory writing. # Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set # CONFIG_ACPI_CUSTOM_METHOD is not set
...@@ -157,6 +160,9 @@ CONFIG_X86_64=y ...@@ -157,6 +160,9 @@ CONFIG_X86_64=y
# Disallow allocating the first 64k of memory. # Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# Disable Model-Specific Register writes.
# CONFIG_X86_MSR is not set
# Randomize position of kernel and memory. # Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y CONFIG_RANDOMIZE_MEMORY=y
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment