Skip to content

K
kernel-hardening-checker
Commit da577cbe by Alexander Popov
Options

Check the user.max_user_namespaces sysctl

parent 181c2d9b
Showing with 1 additions and 1 deletions
kconfig_hardened_check/checks.py
...@@ -578,7 +578,6 @@ def add_sysctl_checks(l, arch): ...@@ -578,7 +578,6 @@ def add_sysctl_checks(l, arch):
# TODO: draft of security hardening sysctls: # TODO: draft of security hardening sysctls:
# kernel.kptr_restrict=2 (or 1?) # kernel.kptr_restrict=2 (or 1?)
# kernel.yama.ptrace_scope=3 # kernel.yama.ptrace_scope=3
# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
# what about bpf_jit_enable? # what about bpf_jit_enable?
# kernel.unprivileged_bpf_disabled=1 # kernel.unprivileged_bpf_disabled=1
# vm.unprivileged_userfaultfd=0 # vm.unprivileged_userfaultfd=0
...@@ -610,3 +609,4 @@ def add_sysctl_checks(l, arch): ...@@ -610,3 +609,4 @@ def add_sysctl_checks(l, arch):
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')]
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment