Skip to content

K
kernel-hardening-checker
Commit 5559c0d8 by Alexander Popov
Options

Merge branch 'decision-cleanup' 

Thanks to @Bernhard40 for a nice idea.
parents a5085a0d 31e2c5e5
Showing with 93 additions and 93 deletions
README.md
...@@ -40,34 +40,30 @@ optional arguments: ...@@ -40,34 +40,30 @@ optional arguments:
[+] Checking "config_files/ubuntu-bionic-generic.config" against hardening preferences... [+] Checking "config_files/ubuntu-bionic-generic.config" against hardening preferences...
option name | desired val | decision | reason || check result option name | desired val | decision | reason || check result
=================================================================================================================== ===================================================================================================================
CONFIG_BUG | y | ubuntu18 | self_protection || OK CONFIG_BUG | y |defconfig | self_protection || OK
CONFIG_PAGE_TABLE_ISOLATION | y | ubuntu18 | self_protection || OK CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection || OK
CONFIG_RETPOLINE | y | ubuntu18 | self_protection || OK CONFIG_RETPOLINE | y |defconfig | self_protection || OK
CONFIG_X86_64 | y | ubuntu18 | self_protection || OK CONFIG_X86_64 | y |defconfig | self_protection || OK
CONFIG_X86_SMAP | y | ubuntu18 | self_protection || OK CONFIG_X86_SMAP | y |defconfig | self_protection || OK
CONFIG_X86_INTEL_UMIP | y | ubuntu18 | self_protection || OK CONFIG_X86_INTEL_UMIP | y |defconfig | self_protection || OK
CONFIG_STRICT_KERNEL_RWX | y | ubuntu18 | self_protection || OK CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection || OK
CONFIG_DEBUG_WX | y | ubuntu18 | self_protection || OK CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_BASE | y | ubuntu18 | self_protection || OK CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_MEMORY | y | ubuntu18 | self_protection || OK CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection ||CONFIG_CC_STACKPROTECTOR_STRONG: OK ("y")
CONFIG_STACKPROTECTOR_STRONG | y | ubuntu18 | self_protection ||CONFIG_CC_STACKPROTECTOR_STRONG: OK ("y") CONFIG_VMAP_STACK | y |defconfig | self_protection || OK
CONFIG_VMAP_STACK | y | ubuntu18 | self_protection || OK CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection || OK
CONFIG_THREAD_INFO_IN_TASK | y | ubuntu18 | self_protection || OK CONFIG_SLUB_DEBUG | y |defconfig | self_protection || OK
CONFIG_SCHED_STACK_END_CHECK | y | ubuntu18 | self_protection || OK CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection || OK
CONFIG_SLUB_DEBUG | y | ubuntu18 | self_protection || OK CONFIG_SYN_COOKIES | y |defconfig | self_protection || OK
CONFIG_SLAB_FREELIST_HARDENED | y | ubuntu18 | self_protection || OK
CONFIG_SLAB_FREELIST_RANDOM | y | ubuntu18 | self_protection || OK
CONFIG_HARDENED_USERCOPY | y | ubuntu18 | self_protection || OK
CONFIG_FORTIFY_SOURCE | y | ubuntu18 | self_protection || OK
CONFIG_LOCK_DOWN_KERNEL | y | ubuntu18 | self_protection || OK
CONFIG_STRICT_MODULE_RWX | y | ubuntu18 | self_protection || OK
CONFIG_MODULE_SIG | y | ubuntu18 | self_protection || OK
CONFIG_MODULE_SIG_ALL | y | ubuntu18 | self_protection || OK
CONFIG_MODULE_SIG_SHA512 | y | ubuntu18 | self_protection || OK
CONFIG_SYN_COOKIES | y | ubuntu18 | self_protection || OK
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | ubuntu18 | self_protection || OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || FAIL: "is not set" CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_WX | y | kspp | self_protection || OK
CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection || OK
CONFIG_PAGE_POISONING | y | kspp | self_protection || FAIL: "is not set" CONFIG_PAGE_POISONING | y | kspp | self_protection || FAIL: "is not set"
CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection || OK
CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection || OK
CONFIG_HARDENED_USERCOPY | y | kspp | self_protection || OK
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK: not found
CONFIG_FORTIFY_SOURCE | y | kspp | self_protection || OK
CONFIG_GCC_PLUGINS | y | kspp | self_protection || FAIL: "is not set" CONFIG_GCC_PLUGINS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || FAIL: not found CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || FAIL: not found
CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || FAIL: not found CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || FAIL: not found
...@@ -78,9 +74,13 @@ optional arguments: ...@@ -78,9 +74,13 @@ optional arguments:
CONFIG_DEBUG_SG | y | kspp | self_protection || FAIL: "is not set" CONFIG_DEBUG_SG | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection || FAIL: "is not set" CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection || FAIL: "is not set" CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_MODULE_SIG | y | kspp | self_protection || OK
CONFIG_MODULE_SIG_ALL | y | kspp | self_protection || OK
CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection || OK
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: "is not set" CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: "is not set"
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK: not found CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STACKLEAK | y | my | self_protection || FAIL: not found CONFIG_GCC_PLUGIN_STACKLEAK | y | my | self_protection || FAIL: not found
CONFIG_LOCK_DOWN_KERNEL | y | my | self_protection || OK
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set" CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || FAIL: "is not set" CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || FAIL: "is not set"
CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set" CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set"
...@@ -88,24 +88,18 @@ optional arguments: ...@@ -88,24 +88,18 @@ optional arguments:
CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || OK: not found CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || OK: not found
CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK: not found CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK: not found
CONFIG_SLAB_MERGE_DEFAULT | is not set | my | self_protection || FAIL: "y" CONFIG_SLAB_MERGE_DEFAULT | is not set | my | self_protection || FAIL: "y"
CONFIG_SECURITY | y | ubuntu18 | security_policy || OK CONFIG_SECURITY | y |defconfig | security_policy || OK
CONFIG_SECURITY_YAMA | y | ubuntu18 | security_policy || OK CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK
CONFIG_SECURITY_SELINUX_DISABLE | is not set | ubuntu18 | security_policy || OK CONFIG_SECURITY_SELINUX_DISABLE | is not set | kspp | security_policy || OK
CONFIG_SECCOMP | y | ubuntu18 | cut_attack_surface || OK CONFIG_SECCOMP | y |defconfig | cut_attack_surface || OK
CONFIG_SECCOMP_FILTER | y | ubuntu18 | cut_attack_surface || OK CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface || OK
CONFIG_STRICT_DEVMEM | y | ubuntu18 | cut_attack_surface || OK CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface || OK
CONFIG_ACPI_CUSTOM_METHOD | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_COMPAT_BRK | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_DEVKMEM | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_COMPAT_VDSO | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_X86_PTDUMP | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_ZSMALLOC_STAT | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_PAGE_OWNER | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_DEBUG_KMEMLEAK | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_BINFMT_AOUT | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_MMIOTRACE_TEST | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set" CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set" CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface || OK
CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface || OK
CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface || OK
CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface || OK
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m" CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface || FAIL: "m" CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_KEXEC | is not set | kspp | cut_attack_surface || FAIL: "y" CONFIG_KEXEC | is not set | kspp | cut_attack_surface || FAIL: "y"
...@@ -115,6 +109,11 @@ optional arguments: ...@@ -115,6 +109,11 @@ optional arguments:
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface || FAIL: "y" CONFIG_X86_X32 | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface || FAIL: "y" CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface || FAIL: "y" CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface || OK
CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface || OK
CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface || OK
CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface || OK
CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y" CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y" CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface || FAIL: "y" CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface || FAIL: "y"
...@@ -132,6 +131,7 @@ optional arguments: ...@@ -132,6 +131,7 @@ optional arguments:
CONFIG_ACPI_APEI_EINJ | is not set | lockdown | cut_attack_surface || FAIL: "m" CONFIG_ACPI_APEI_EINJ | is not set | lockdown | cut_attack_surface || FAIL: "m"
CONFIG_PROFILING | is not set | lockdown | cut_attack_surface || FAIL: "y" CONFIG_PROFILING | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface || FAIL: "y" CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface || OK
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_MMIOTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_KEXEC_FILE | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_KEXEC_FILE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
......
kconfig-hardened-check.py
...@@ -112,42 +112,35 @@ def construct_checklist(): ...@@ -112,42 +112,35 @@ def construct_checklist():
modules_not_set = OptCheck('MODULES', 'is not set', 'kspp', 'cut_attack_surface') modules_not_set = OptCheck('MODULES', 'is not set', 'kspp', 'cut_attack_surface')
devmem_not_set = OptCheck('DEVMEM', 'is not set', 'kspp', 'cut_attack_surface') # refers to LOCK_DOWN_KERNEL devmem_not_set = OptCheck('DEVMEM', 'is not set', 'kspp', 'cut_attack_surface') # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('BUG', 'y', 'ubuntu18', 'self_protection')) checklist.append(OptCheck('BUG', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'ubuntu18', 'self_protection')) checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('RETPOLINE', 'y', 'ubuntu18', 'self_protection')) checklist.append(OptCheck('RETPOLINE', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('X86_64', 'y', 'ubuntu18', 'self_protection')) checklist.append(OptCheck('X86_64', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('X86_SMAP', 'y', 'ubuntu18', 'self_protection')) checklist.append(OptCheck('X86_SMAP', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('X86_INTEL_UMIP', 'y', 'ubuntu18', 'self_protection')) checklist.append(OptCheck('X86_INTEL_UMIP', 'y', 'defconfig', 'self_protection'))
checklist.append(OR(OptCheck('STRICT_KERNEL_RWX', 'y', 'ubuntu18', 'self_protection'), \ checklist.append(OR(OptCheck('STRICT_KERNEL_RWX', 'y', 'defconfig', 'self_protection'), \
OptCheck('DEBUG_RODATA', 'y', 'before_v4.11', 'self_protection'))) OptCheck('DEBUG_RODATA', 'y', 'defconfig', 'self_protection'))) # before v4.11
checklist.append(OptCheck('DEBUG_WX', 'y', 'ubuntu18', 'self_protection')) checklist.append(OptCheck('RANDOMIZE_BASE', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('RANDOMIZE_BASE', 'y', 'ubuntu18', 'self_protection')) checklist.append(OptCheck('RANDOMIZE_MEMORY', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('RANDOMIZE_MEMORY', 'y', 'ubuntu18', 'self_protection')) checklist.append(OR(OptCheck('STACKPROTECTOR_STRONG', 'y', 'defconfig', 'self_protection'), \
checklist.append(OR(OptCheck('STACKPROTECTOR_STRONG', 'y', 'ubuntu18', 'self_protection'), \ OptCheck('CC_STACKPROTECTOR_STRONG', 'y', 'defconfig', 'self_protection')))
OptCheck('CC_STACKPROTECTOR_STRONG', 'y', 'ubuntu18', 'self_protection'))) checklist.append(OptCheck('VMAP_STACK', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('VMAP_STACK', 'y', 'ubuntu18', 'self_protection')) checklist.append(OptCheck('THREAD_INFO_IN_TASK', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('THREAD_INFO_IN_TASK', 'y', 'ubuntu18', 'self_protection')) checklist.append(OptCheck('SLUB_DEBUG', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('SCHED_STACK_END_CHECK', 'y', 'ubuntu18', 'self_protection')) checklist.append(OR(OptCheck('STRICT_MODULE_RWX', 'y', 'defconfig', 'self_protection'), \
checklist.append(OptCheck('SLUB_DEBUG', 'y', 'ubuntu18', 'self_protection')) OptCheck('DEBUG_SET_MODULE_RONX', 'y', 'defconfig', 'self_protection'), \
checklist.append(OptCheck('SLAB_FREELIST_HARDENED', 'y', 'ubuntu18', 'self_protection')) modules_not_set)) # DEBUG_SET_MODULE_RONX was before v4.11
checklist.append(OptCheck('SLAB_FREELIST_RANDOM', 'y', 'ubuntu18', 'self_protection')) checklist.append(OptCheck('SYN_COOKIES', 'y', 'defconfig', 'self_protection')) # another reason?
checklist.append(OptCheck('HARDENED_USERCOPY', 'y', 'ubuntu18', 'self_protection'))
checklist.append(OptCheck('FORTIFY_SOURCE', 'y', 'ubuntu18', 'self_protection'))
checklist.append(OptCheck('LOCK_DOWN_KERNEL', 'y', 'ubuntu18', 'self_protection')) # remember about LOCK_DOWN_MANDATORY
checklist.append(OR(OptCheck('STRICT_MODULE_RWX', 'y', 'ubuntu18', 'self_protection'), \
OptCheck('DEBUG_SET_MODULE_RONX', 'y', 'before_v4.11', 'self_protection'), \
modules_not_set))
checklist.append(OR(OptCheck('MODULE_SIG', 'y', 'ubuntu18', 'self_protection'), \
modules_not_set))
checklist.append(OR(OptCheck('MODULE_SIG_ALL', 'y', 'ubuntu18', 'self_protection'), \
modules_not_set))
checklist.append(OR(OptCheck('MODULE_SIG_SHA512', 'y', 'ubuntu18', 'self_protection'), \
modules_not_set))
checklist.append(OptCheck('SYN_COOKIES', 'y', 'ubuntu18', 'self_protection')) # another reason?
checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '65536', 'ubuntu18', 'self_protection'))
checklist.append(OptCheck('BUG_ON_DATA_CORRUPTION', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('BUG_ON_DATA_CORRUPTION', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('DEBUG_WX', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('SCHED_STACK_END_CHECK', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('PAGE_POISONING', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('PAGE_POISONING', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('SLAB_FREELIST_HARDENED', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('SLAB_FREELIST_RANDOM', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('HARDENED_USERCOPY', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('HARDENED_USERCOPY_FALLBACK', 'is not set', 'kspp', 'self_protection'))
checklist.append(OptCheck('FORTIFY_SOURCE', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('GCC_PLUGINS', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('GCC_PLUGINS', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('GCC_PLUGIN_RANDSTRUCT', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('GCC_PLUGIN_RANDSTRUCT', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('GCC_PLUGIN_STRUCTLEAK', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('GCC_PLUGIN_STRUCTLEAK', 'y', 'kspp', 'self_protection'))
...@@ -158,10 +151,17 @@ def construct_checklist(): ...@@ -158,10 +151,17 @@ def construct_checklist():
checklist.append(OptCheck('DEBUG_SG', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('DEBUG_SG', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('DEBUG_CREDENTIALS', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('DEBUG_CREDENTIALS', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('DEBUG_NOTIFIERS', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('DEBUG_NOTIFIERS', 'y', 'kspp', 'self_protection'))
checklist.append(OR(OptCheck('MODULE_SIG', 'y', 'kspp', 'self_protection'), \
modules_not_set))
checklist.append(OR(OptCheck('MODULE_SIG_ALL', 'y', 'kspp', 'self_protection'), \
modules_not_set))
checklist.append(OR(OptCheck('MODULE_SIG_SHA512', 'y', 'kspp', 'self_protection'), \
modules_not_set))
checklist.append(OptCheck('MODULE_SIG_FORCE', 'y', 'kspp', 'self_protection')) # refers to LOCK_DOWN_KERNEL checklist.append(OptCheck('MODULE_SIG_FORCE', 'y', 'kspp', 'self_protection')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('HARDENED_USERCOPY_FALLBACK', 'is not set', 'kspp', 'self_protection')) checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '65536', 'kspp', 'self_protection'))
checklist.append(OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection')) checklist.append(OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('LOCK_DOWN_KERNEL', 'y', 'my', 'self_protection')) # remember about LOCK_DOWN_MANDATORY
checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection')) checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'my', 'self_protection')) checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection')) # breaks systemd? checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection')) # breaks systemd?
...@@ -170,28 +170,22 @@ def construct_checklist(): ...@@ -170,28 +170,22 @@ def construct_checklist():
checklist.append(OptCheck('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection')) checklist.append(OptCheck('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection'))
checklist.append(OptCheck('SLAB_MERGE_DEFAULT', 'is not set', 'my', 'self_protection')) # slab_nomerge checklist.append(OptCheck('SLAB_MERGE_DEFAULT', 'is not set', 'my', 'self_protection')) # slab_nomerge
checklist.append(OptCheck('SECURITY', 'y', 'ubuntu18', 'security_policy')) checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy'))
checklist.append(OptCheck('SECURITY_YAMA', 'y', 'ubuntu18', 'security_policy')) checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
checklist.append(OptCheck('SECURITY_SELINUX_DISABLE', 'is not set', 'ubuntu18', 'security_policy')) checklist.append(OptCheck('SECURITY_SELINUX_DISABLE', 'is not set', 'kspp', 'security_policy'))
checklist.append(OptCheck('SECCOMP', 'y', 'ubuntu18', 'cut_attack_surface')) checklist.append(OptCheck('SECCOMP', 'y', 'defconfig', 'cut_attack_surface'))
checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'ubuntu18', 'cut_attack_surface')) checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface'))
checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'ubuntu18', 'cut_attack_surface'), \ checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'defconfig', 'cut_attack_surface'), \
devmem_not_set)) # refers to LOCK_DOWN_KERNEL devmem_not_set)) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('ACPI_CUSTOM_METHOD', 'is not set', 'ubuntu18', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('COMPAT_BRK', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('DEVKMEM', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('COMPAT_VDSO', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('X86_PTDUMP', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('ZSMALLOC_STAT', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('PAGE_OWNER', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('DEBUG_KMEMLEAK', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('BINFMT_AOUT', 'is not set', 'ubuntu18', 'cut_attack_surface'))
checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'ubuntu18', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OR(OptCheck('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \ checklist.append(OR(OptCheck('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \
devmem_not_set)) # refers to LOCK_DOWN_KERNEL devmem_not_set)) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none' checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none'
checklist.append(OptCheck('ACPI_CUSTOM_METHOD', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('COMPAT_BRK', 'is not set', 'kspp', 'cut_attack_surface'))
checklist.append(OptCheck('DEVKMEM', 'is not set', 'kspp', 'cut_attack_surface'))
checklist.append(OptCheck('COMPAT_VDSO', 'is not set', 'kspp', 'cut_attack_surface'))
checklist.append(OptCheck('BINFMT_MISC', 'is not set', 'kspp', 'cut_attack_surface')) checklist.append(OptCheck('BINFMT_MISC', 'is not set', 'kspp', 'cut_attack_surface'))
checklist.append(OptCheck('INET_DIAG', 'is not set', 'kspp', 'cut_attack_surface')) checklist.append(OptCheck('INET_DIAG', 'is not set', 'kspp', 'cut_attack_surface'))
checklist.append(OptCheck('KEXEC', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL checklist.append(OptCheck('KEXEC', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
...@@ -202,6 +196,11 @@ def construct_checklist(): ...@@ -202,6 +196,11 @@ def construct_checklist():
checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface')) checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface'))
checklist.append(OptCheck('HIBERNATION', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL checklist.append(OptCheck('HIBERNATION', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('X86_PTDUMP', 'is not set', 'grsecurity', 'cut_attack_surface'))
checklist.append(OptCheck('ZSMALLOC_STAT', 'is not set', 'grsecurity', 'cut_attack_surface'))
checklist.append(OptCheck('PAGE_OWNER', 'is not set', 'grsecurity', 'cut_attack_surface'))
checklist.append(OptCheck('DEBUG_KMEMLEAK', 'is not set', 'grsecurity', 'cut_attack_surface'))
checklist.append(OptCheck('BINFMT_AOUT', 'is not set', 'grsecurity', 'cut_attack_surface'))
checklist.append(OptCheck('KPROBES', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL checklist.append(OptCheck('KPROBES', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('UPROBES', 'is not set', 'grsecurity', 'cut_attack_surface')) checklist.append(OptCheck('UPROBES', 'is not set', 'grsecurity', 'cut_attack_surface'))
checklist.append(OptCheck('GENERIC_TRACER', 'is not set', 'grsecurity', 'cut_attack_surface')) checklist.append(OptCheck('GENERIC_TRACER', 'is not set', 'grsecurity', 'cut_attack_surface'))
...@@ -220,6 +219,7 @@ def construct_checklist(): ...@@ -220,6 +219,7 @@ def construct_checklist():
checklist.append(OptCheck('ACPI_APEI_EINJ', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL checklist.append(OptCheck('ACPI_APEI_EINJ', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('PROFILING', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL checklist.append(OptCheck('PROFILING', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive) checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive) checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment