Commit 33e3e4ff by Alexander Popov

Update the KSPP recommendations

parent d233ea52
# Linux/arm 6.1.5 Kernel Configuration # Linux/arm 6.6.7 Kernel Configuration
# Report BUG() conditions and kill the offending process. # Report BUG() conditions and kill the offending process.
CONFIG_BUG=y CONFIG_BUG=y
...@@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y ...@@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist. # Allow for randomization of high-order page allocation freelist. Must be enabled with
# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below). # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
...@@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y ...@@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y
# Use the modern PTY interface (devpts) only. # Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set # CONFIG_LEGACY_PTYS is not set
# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set # CONFIG_SECURITY_SELINUX_DISABLE is not set
......
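Review bot: The rewritten comment above CONFIG_SHUFFLE_PAGE_ALLOCATOR has an unbalanced closing parenthesis: `Must be enabled with the "page_alloc.shuffle=1" command line below).` closes a parenthesis that was never opened, and the same text is repeated in the arm64, i386 and x86_64 files of this commit. The neighbouring comments use the `(see "..." below)` form, so `(see the "page_alloc.shuffle=1" command line below).` would read consistently. "Must be enabled" also overstates the option slightly: as far as I recall the kernel switches shuffling on by itself when the platform reports a memory-side cache, and the command-line parameter is what forces it on everywhere else, so `Otherwise enabled only via ...` would be more accurate — worth checking against the 6.6 Kconfig help text before changing it.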
# Linux/arm64 6.1.5 Kernel Configuration # Linux/arm64 6.6.7 Kernel Configuration
# Report BUG() conditions and kill the offending process. # Report BUG() conditions and kill the offending process.
CONFIG_BUG=y CONFIG_BUG=y
...@@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y ...@@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist. # Allow for randomization of high-order page allocation freelist. Must be enabled with
# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below). # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
...@@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y ...@@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y
# Use the modern PTY interface (devpts) only. # Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set # CONFIG_LEGACY_PTYS is not set
# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set # CONFIG_SECURITY_SELINUX_DISABLE is not set
......
# Linux/i386 6.1.5 Kernel Configuration # Linux/i386 6.6.7 Kernel Configuration
# Report BUG() conditions and kill the offending process. # Report BUG() conditions and kill the offending process.
CONFIG_BUG=y CONFIG_BUG=y
...@@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y ...@@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist. # Allow for randomization of high-order page allocation freelist. Must be enabled with
# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below). # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
...@@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y ...@@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y
# Use the modern PTY interface (devpts) only. # Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set # CONFIG_LEGACY_PTYS is not set
# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set # CONFIG_SECURITY_SELINUX_DISABLE is not set
......
# Linux/x86_64 6.1.5 Kernel Configuration # Linux/x86_64 6.6.7 Kernel Configuration
# Report BUG() conditions and kill the offending process. # Report BUG() conditions and kill the offending process.
CONFIG_BUG=y CONFIG_BUG=y
...@@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y ...@@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLAB_FREELIST_HARDENED=y
# Randomize high-order page allocation freelist. # Allow for randomization of high-order page allocation freelist. Must be enabled with
# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below). # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
...@@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y ...@@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y
# Use the modern PTY interface (devpts) only. # Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set # CONFIG_LEGACY_PTYS is not set
# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
# CONFIG_LEGACY_TIOCSTI is not set
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set # CONFIG_SECURITY_SELINUX_DISABLE is not set
...@@ -243,6 +247,7 @@ CONFIG_RANDOMIZE_BASE=y ...@@ -243,6 +247,7 @@ CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
......
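Review bot: The added `# CONFIG_X86_VSYSCALL_EMULATION is not set` sits under the same one-line comment as `CONFIG_LEGACY_VSYSCALL_NONE=y`, and that comment does not say why both settings are needed. `LEGACY_VSYSCALL_NONE` only selects the default mode, which the `vsyscall=` command-line parameter can still override at boot while the emulation code is built in; leaving `X86_VSYSCALL_EMULATION` unset removes that code, so the mapping cannot be brought back from the command line. A short comment on the new line would make the layering explicit, e.g. `# Also drop the vsyscall emulation code itself, so "vsyscall=" on the command line cannot re-enable the mapping.`. The surrounding hunk is collapsed, so I cannot see whether the file already documents `vsyscall=` in its command-line section below.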