Merge branch 'cis'

a13xp0p0v · a13xp0p0v · commit 28f12956018e · 2025-09-13T22:20:25.000+03:00
Refers to #199.
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
@@ -69,11 +69,12 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
     vmap_stack_is_set = KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')
     if arch in ('X86_64', 'ARM64', 'ARM', 'RISCV'):
         l += [vmap_stack_is_set]
+    if arch in ('X86_64', 'X86_32', 'RISCV'):
+        l += [KconfigCheck('self_protection', 'defconfig', 'LSM_MMAP_MIN_ADDR', '65536')]
     if arch in ('X86_64', 'X86_32'):
         l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_WX', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'WERROR', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')]
-        l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason?
         microcode_is_set = KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')
         l += [microcode_is_set] # is needed for mitigating CPU bugs
         l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_INTEL', 'y'),
@@ -134,11 +135,15 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
                      VersionCheck((5, 9, 0))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9
         l += [OR(KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'),
                  VersionCheck((5, 10, 0)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
+        l += [AND(KconfigCheck('self_protection', 'defconfig', 'LSM_MMAP_MIN_ADDR', '65536'),
+                  KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT', 'is not set'))]
+                  # LSM_MMAP_MIN_ADDR for ARM64 requires disabled COMPAT (see security/Kconfig)
     if arch == 'ARM':
         l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_HISTORY', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_ALIGN_RODATA', 'y')]
+        l += [KconfigCheck('self_protection', 'defconfig', 'LSM_MMAP_MIN_ADDR', '32768')]
     if arch == 'RISCV':
         l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_SG', 'y')]
         l += [OR(KconfigCheck('self_protection', 'defconfig', 'LIST_HARDENED', 'y'),
@@ -255,7 +260,6 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
         l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]
         l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
     if arch in ('ARM64', 'ARM', 'RISCV'):
-        l += [KconfigCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason?
         l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')]
     if arch in ('X86_64', 'ARM64'):
         l += [AND(cfi_clang_is_set,
@@ -505,6 +509,12 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
     l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'TRIM_UNUSED_KSYMS', 'y'),
              modules_not_set)]
 
+    # 'network_security'
+    if arch in ('X86_64', 'X86_32'):
+        l += [KconfigCheck('network_security', 'defconfig', 'SYN_COOKIES', 'y')]
+    if arch in ('ARM64', 'ARM', 'RISCV'):
+        l += [KconfigCheck('network_security', 'kspp', 'SYN_COOKIES', 'y')]
+
     # 'harden_userspace'
     if arch == 'ARM64':
         l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
@@ -806,15 +816,10 @@ def add_sysctl_checks(l: List[ChecklistObjType], arch: StrOrNone) -> None:
     # Use an omnipresent kconfig symbol to see if we have a kconfig file for checking:
     have_kconfig = KconfigCheck('-', '-', 'LOCALVERSION', 'is present')
 
+    # 'self_protection', 'kspp'
     l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'),
              AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'),
                  have_kconfig))]
-    # Choosing a right value for 'kernel.oops_limit' and 'kernel.warn_limit' is not easy.
-    # A small value (e.g. 1, which is recommended by KSPP) allows easy DoS.
-    # A large value (e.g. 10000, which is default 'kernel.oops_limit') may miss the exploit attempt.
-    # Let's choose 100 as a reasonable compromise.
-    l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.oops_limit', '100')]
-    l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.warn_limit', '100')]
     # Compatible with the 'DEFAULT_MMAP_MIN_ADDR' kconfig check by KSPP:
     if arch in ('X86_64', 'X86_32', 'RISCV'):
         l += [SysctlCheck('self_protection', 'kspp', 'vm.mmap_min_addr', '65536')]
@@ -825,6 +830,15 @@ def add_sysctl_checks(l: List[ChecklistObjType], arch: StrOrNone) -> None:
     if arch == 'ARM':
         l += [SysctlCheck('self_protection', 'kspp', 'vm.mmap_min_addr', '32768')]
 
+    # 'self_protection', 'a13xp0p0v'
+    # Choosing a right value for 'kernel.oops_limit' and 'kernel.warn_limit' is not easy.
+    # A small value (e.g. 1, which is recommended by KSPP) allows easy DoS.
+    # A large value (e.g. 10000, which is default 'kernel.oops_limit') may miss the exploit attempt.
+    # Let's choose 100 as a reasonable compromise.
+    l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.oops_limit', '100')]
+    l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.warn_limit', '100')]
+
+    # 'cut_attack_surface', 'kspp'
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')]
           # Without the custom patch that adds CONFIG_SECURITY_PERF_EVENTS_RESTRICT,
@@ -850,28 +864,62 @@ def add_sysctl_checks(l: List[ChecklistObjType], arch: StrOrNone) -> None:
                  have_kconfig))]
              # at first, it disabled unprivileged userfaultfd,
              # and since v5.11 it enables unprivileged userfaultfd for user-mode only
-
     l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.modules_disabled', '1'),
              AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'),
                  have_kconfig))]
              # kernel.modules_disabled=1 should be set (e.g. with systemd) after
              # the kernel startup, when all the required modules have loaded
 
+    # 'cut_attack_surface', 'grsec'
     l += [OR(SysctlCheck('cut_attack_surface', 'grsec', 'kernel.io_uring_disabled', '2'),
              AND(KconfigCheck('cut_attack_surface', 'grsec', 'IO_URING', 'is not set'),
                  have_kconfig))] # compatible with the 'IO_URING' kconfig check by grsecurity
 
+    # 'cut_attack_surface', 'a13xp0p0v'
     l += [OR(SysctlCheck('cut_attack_surface', 'a13xp0p0v', 'kernel.sysrq', '0'),
              AND(KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set'),
                  have_kconfig))]
 
+    # 'network_security', 'cis'
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv4.icmp_ignore_bogus_error_responses', '1')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv4.icmp_echo_ignore_broadcasts', '1')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.all.accept_redirects', '0')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.default.accept_redirects', '0')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv6.conf.all.accept_redirects', '0')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv6.conf.default.accept_redirects', '0')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.all.accept_source_route', '0')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.default.accept_source_route', '0')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv6.conf.all.accept_source_route', '0')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv6.conf.default.accept_source_route', '0')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv4.tcp_syncookies', '1')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv6.conf.all.accept_ra', '0')]
+    l += [SysctlCheck('network_security', 'cis', 'net.ipv6.conf.default.accept_ra', '0')]
+    # The following recommendations from the CIS Benchmark may impact normal network functionality:
+    #  CAUTION: without IP forwarding your system can not act as a router
+    #   l += [SysctlCheck('network_security', 'cis', 'net.ipv4.ip_forward', '0')]
+    #   l += [SysctlCheck('network_security', 'cis', 'net.ipv6.conf.all.forwarding', '0')]
+    #   l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.all.send_redirects', '0')]
+    #   l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.default.send_redirects', '0')]
+    #  CAUTION: it's strange to ignore ICMP redirects from your default gateway
+    #   l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.all.secure_redirects', '0')]
+    #   l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.default.secure_redirects', '0')]
+    #  CAUTION: rp_filter for network packets breaks asymmetrical routing (BGP, OSPF, etc) and some VPNs
+    #   l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.all.rp_filter', '1')]
+    #   l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.default.rp_filter', '1')]
+    #  CAUTION: messages about packets with un-routable source addresses may clog up the kernel log
+    #   l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.all.log_martians', '1')]
+    #   l += [SysctlCheck('network_security', 'cis', 'net.ipv4.conf.default.log_martians', '1')]
+
+    # 'harden_userspace', 'kspp'
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_regular', '2')]
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.suid_dumpable', '0')]
     l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.randomize_va_space', '2')]
     l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.yama.ptrace_scope', '3')]
+
+    # 'harden_userspace', 'a13xp0p0v'
     l += [SysctlCheck('harden_userspace', 'a13xp0p0v', 'vm.mmap_rnd_bits', 'MAX')]
           # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX
     l += [SysctlCheck('harden_userspace', 'a13xp0p0v', 'vm.mmap_rnd_compat_bits', 'MAX')]
