Consider adding checks for some more kernel and memory hardening #1477

Open
Constacalm opened this issue Apr 1, 2024 · 1 comment

Comments

Contributor

Constacalm commented Apr 1, 2024

Is your feature request related to a problem? Please describe.

The problem: Lynis does not check and detect the presence and state of some modern Linux kernel security subsystems, such as lockdown, landlock, etc.

And Lynis doesn't rank them, of course.

Also, Lynis doesn't check some memory-hardening Linux kernel options for sanitizing, for example:

init_on_free or page_alloc.shuffle

Describe the solution you'd like

Check if kernel Lockdown mode is enabled, and rank it;
Check the current Lockdown state (Integrity/Confidentiality) and rank it lower or higher accordingly;
Check memory hardening options and rank them;
Check if the kernel has Landlock enabled in the LSM modules.

Required changes

  1. For checking kernel_lockdown(7), consider adding, somewhere in:

https://github.com/CISOfy/lynis/blob/master/include/tests_kernel_hardening

some tests like:

a) check the system's current /proc/cmdline and /etc/default/grub content and filter for the options below:

lsm=lockdown (Lockdown enabling state for the running system)
lockdown=confidentiality (configured Lockdown mode for the kernel)

b) check /sys/kernel/security/lockdown to make sure the lockdown mode is the same for the configured options and for the currently running Linux kernel, for example:

$ cat /sys/kernel/security/lockdown
none integrity [confidentiality]   (the current running state is shown in brackets and can be compared with the configuration from a)

  2. For checking landlock (https://docs.kernel.org/security/landlock.html), consider adding, somewhere in:

https://github.com/CISOfy/lynis/blob/master/include/tests_kernel_hardening

some tests like:

a) check the system's current /proc/cmdline and /etc/default/grub content and filter for the option below:

lsm=landlock (Landlock enabling state for the running system)

  3. For checking the kernel's memory-sanitizing hardening options:

a) check the system's current /proc/cmdline and /etc/default/grub content and filter for the options below:

init_on_alloc=1 (to make sure the kernel clears memory pages on allocation, when mmap(2), I think)
init_on_free=1 (to make sure the kernel clears memory pages on freeing, when munmap(2), I think)
page_alloc.shuffle=1 (to make sure the kernel does memory page shuffling to improve memory-side-cache utilization)

Rate all the options above, if they're enabled.

Additional context

https://docs.kernel.org/security/landlock.html
https://lkml.org/lkml/2019/9/10/856
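
The checks proposed above, as an added example in POSIX shell; this is not Lynis code and not the reporter's, it only illustrates how the parsing could be done. It reads text in the format of /proc/cmdline, /etc/default/grub and /sys/kernel/security/lockdown, extracts the lsm= list, the lockdown= and init_on_*/page_alloc.shuffle parameters, compares the configured lockdown mode with the running one, and computes a simple score. The sample inputs are constructed, and the function names, the scoring weights and the choice to treat a missing lockdown= as "none" are assumptions made for the example:

```shell
#!/bin/sh
# Added example, not Lynis code: parse the kernel hardening state that the
# issue proposes checking, from text in the format of /proc/cmdline,
# /etc/default/grub and /sys/kernel/security/lockdown. All inputs below are
# constructed samples so the script runs offline; on a real host, feed it
# the contents of those three files instead.

set -f   # no pathname expansion: tokens such as "[confidentiality]" stay literal

# Constructed sample inputs: a hardened host, and a weaker one for contrast
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-6.8 root=/dev/sda1 ro lsm=landlock,lockdown,yama,apparmor lockdown=confidentiality init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 quiet'
SAMPLE_LOCKDOWN='none integrity [confidentiality]'
SAMPLE_GRUB='GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="lsm=landlock,lockdown,yama,apparmor lockdown=integrity init_on_free=1"'
WEAK_CMDLINE='BOOT_IMAGE=/vmlinuz-6.8 root=/dev/sda1 ro quiet'
WEAK_LOCKDOWN='[none] integrity confidentiality'

# cmdline_value NAME CMDLINE: print VALUE of the first NAME=VALUE token, fail if absent
cmdline_value() {
    for tok in $2; do
        case $tok in
            "$1="*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# lsm_enabled NAME CMDLINE: succeed if NAME is in the comma-separated lsm= list
lsm_enabled() {
    list=$(cmdline_value lsm "$2") || return 1
    case ",$list," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# grub_cmdline GRUB_TEXT: print the unquoted value of GRUB_CMDLINE_LINUX
grub_cmdline() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            GRUB_CMDLINE_LINUX=*)
                v=${line#GRUB_CMDLINE_LINUX=}; v=${v#\"}
                printf '%s\n' "${v%\"}" ;;
        esac
    done
}

# lockdown_running STATE_TEXT: print the bracketed (active) mode from text like
# "none integrity [confidentiality]"; fail if no mode is bracketed
lockdown_running() {
    case $1 in
        *\[*\]*) rest=${1#*\[}; printf '%s\n' "${rest%%\]*}"; return 0 ;;
    esac
    return 1
}

# lockdown_configured CMDLINE: the lockdown= value, or "none" when absent (assumption)
lockdown_configured() {
    cmdline_value lockdown "$1" || printf 'none\n'
}

# lockdown_consistent CMDLINE STATE_TEXT: succeed when configured and running
# modes agree; they differ e.g. when lockdown is missing from the lsm= list,
# or when /etc/default/grub was edited but never regenerated and rebooted
lockdown_consistent() {
    [ "$(lockdown_configured "$1")" = "$(lockdown_running "$2" || echo none)" ]
}

# hardening_score CMDLINE STATE_TEXT: one point for Landlock and for each
# memory-sanitising option, one for lockdown=integrity, two for confidentiality
hardening_score() {
    score=0
    lsm_enabled landlock "$1" && score=$((score + 1))
    for opt in init_on_alloc init_on_free page_alloc.shuffle; do
        [ "$(cmdline_value "$opt" "$1")" = 1 ] && score=$((score + 1))
    done
    case $(lockdown_running "$2" || echo none) in
        integrity) score=$((score + 1)) ;;
        confidentiality) score=$((score + 2)) ;;
    esac
    printf '%s\n' "$score"
}

# Demonstration on the constructed samples
printf 'running lockdown : %s\n' "$(lockdown_running "$SAMPLE_LOCKDOWN")"
printf 'grub lockdown    : %s\n' "$(lockdown_configured "$(grub_cmdline "$SAMPLE_GRUB")")"
printf 'hardening score  : %s/6\n' "$(hardening_score "$SAMPLE_CMDLINE" "$SAMPLE_LOCKDOWN")"
printf 'weak host score  : %s/6\n' "$(hardening_score "$WEAK_CMDLINE" "$WEAK_LOCKDOWN")"
```

Two caveats for a real test. The kernel command line is only the configured intent: the built-in CONFIG_LSM default list can already contain lockdown and landlock with no lsm= parameter at all, a build can force a lockdown mode at compile time, and some distribution kernels switch to integrity mode on their own when booted under UEFI Secure Boot without any lockdown= parameter. The securityfs files (/sys/kernel/security/lsm for the active LSM list, /sys/kernel/security/lockdown for the active mode) are therefore the source of truth for the running state, and the cmdline/grub values are what to compare them against, which is what the sample grub text above deliberately gets wrong (integrity configured, confidentiality running).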

Member

mboelen commented May 16, 2024

Great suggestions. Want to help building them into tests?
