Skip to content

K
kernel-hardening-checker
Commit b68eb59c by Alexander Popov
Options

Disable buggy IP_SCTP to cut attack surface

parent b6ee2f57
Showing with 3 additions and 1 deletions
README.md
......@@ -97,6 +97,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_KPROBES | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_PROFILING | is not set | my | cut_attack_surface || FAIL: "y"
......@@ -105,7 +106,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
CONFIG_BPF_SYSCALL | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_LKDTM | m | my | feature_test || FAIL: "is not set"
[-] config check is NOT PASSED: 39 errors
[-] config check is NOT PASSED: 40 errors
```
__Go and fix them all!__
......
kconfig-hardened-check.py
......@@ -96,6 +96,7 @@ def construct_opt_list():
opt_list.append([Opt('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface'), ''])
opt_list.append([Opt('USER_NS', 'is not set', 'my', 'cut_attack_surface'), '']) # user.max_user_namespaces=0
opt_list.append([Opt('IP_DCCP', 'is not set', 'my', 'cut_attack_surface'), ''])
opt_list.append([Opt('IP_SCTP', 'is not set', 'my', 'cut_attack_surface'), ''])
opt_list.append([Opt('FTRACE', 'is not set', 'my', 'cut_attack_surface'), ''])
opt_list.append([Opt('KPROBES', 'is not set', 'my', 'cut_attack_surface'), ''])
opt_list.append([Opt('PROFILING', 'is not set', 'my', 'cut_attack_surface'), ''])
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment