Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
kernel-hardening-checker
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
kernel-hardening-checker
Commits
6cf9979c
Commit
6cf9979c
authored
a year ago
by
Alexander Popov
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Support separate sysctl checking (without kconfig)
parent
ac93b409
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
36 additions
and
6 deletions
+36
-6
__init__.py
kconfig_hardened_check/__init__.py
+28
-4
checks.py
kconfig_hardened_check/checks.py
+8
-2
No files found.
kconfig_hardened_check/__init__.py
View file @
6cf9979c
...
...
@@ -258,7 +258,6 @@ def main():
if
args
.
config
:
if
args
.
print
:
sys
.
exit
(
'[!] ERROR: --config and --print can
\'
t be used together'
)
if
args
.
generate
:
sys
.
exit
(
'[!] ERROR: --config and --generate can
\'
t be used together'
)
...
...
@@ -338,13 +337,38 @@ def main():
# finally print the results
print_checklist
(
mode
,
config_checklist
,
True
)
sys
.
exit
(
0
)
elif
args
.
cmdline
:
sys
.
exit
(
'[!] ERROR: checking cmdline depends on checking Kconfig'
)
elif
args
.
sysctl
:
# TODO: sysctl check should also work separately
sys
.
exit
(
'[!] ERROR: checking sysctl depends on checking Kconfig'
)
# separate sysctl checking (without kconfig)
assert
(
args
.
config
is
None
and
args
.
cmdline
is
None
),
'unexpected args'
if
args
.
print
:
sys
.
exit
(
'[!] ERROR: --sysctl and --print can
\'
t be used together'
)
if
args
.
generate
:
sys
.
exit
(
'[!] ERROR: --sysctl and --generate can
\'
t be used together'
)
if
mode
!=
'json'
:
print
(
f
'[+] Sysctl output file to check: {args.sysctl}'
)
# add relevant sysctl checks to the checklist
add_sysctl_checks
(
config_checklist
,
None
)
# populate the checklist with the parsed sysctl data
parsed_sysctl_options
=
OrderedDict
()
parse_sysctl_file
(
mode
,
parsed_sysctl_options
,
args
.
sysctl
)
populate_with_data
(
config_checklist
,
parsed_sysctl_options
,
'sysctl'
)
# now everything is ready, perform the checks
perform_checks
(
config_checklist
)
if
mode
==
'verbose'
:
# print the parsed options without the checks (for debugging)
print_unknown_options
(
config_checklist
,
parsed_sysctl_options
)
# finally print the results
print_checklist
(
mode
,
config_checklist
,
True
)
sys
.
exit
(
0
)
if
args
.
print
:
assert
(
args
.
config
is
None
and
args
.
cmdline
is
None
and
args
.
sysctl
is
None
),
'unexpected args'
...
...
This diff is collapsed.
Click to expand it.
kconfig_hardened_check/checks.py
View file @
6cf9979c
...
...
@@ -15,6 +15,8 @@ from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, A
def
add_kconfig_checks
(
l
,
arch
):
assert
(
arch
),
'empty arch'
# Calling the KconfigCheck class constructor:
# KconfigCheck(reason, decision, name, expected)
#
...
...
@@ -379,6 +381,8 @@ def add_kconfig_checks(l, arch):
def
add_cmdline_checks
(
l
,
arch
):
assert
(
arch
),
'empty arch'
# Calling the CmdlineCheck class constructor:
# CmdlineCheck(reason, decision, name, expected)
#
...
...
@@ -574,7 +578,6 @@ def normalize_cmdline_options(option, value):
return
value
def
add_sysctl_checks
(
l
,
arch
):
# TODO: draft of security hardening sysctls:
# kernel.kptr_restrict=2 (or 1?)
# kernel.yama.ptrace_scope=3
...
...
@@ -598,7 +601,10 @@ def add_sysctl_checks(l, arch):
# kernel.oops_limit (think about a proper value)
# kernel.warn_limit (think about a proper value)
# net.ipv4.tcp_syncookies=1 (?)
#
def
add_sysctl_checks
(
l
,
arch
):
# This function may be called with arch=None
# Calling the SysctlCheck class constructor:
# SysctlCheck(reason, decision, name, expected)
...
...
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment