Is your feature request related to a problem? Please describe.
The problem: Lynis does not check and detect the presence and state of some of the modern Linux kernel's security subsystems, such as lockdown, landlock, etc.
And Lynis doesn't rank it, of course.
Also, Lynis doesn't check some memory hardening Linux kernel options for sanitizing, for example:
init_on_free or page_alloc.shuffle
Describe the solution you'd like
Check if kernel Lockdown mode is enabled, and rank it;
Check current Lockdown state (Integrity\Confidentiality) and rank existent less or more;
Check memory hardening options and rank them;
Check if kernel has Landlock mode in LSM modules enabled.
Required changes
For checking kernel_lockdown(7), consider adding somewhere in:
https://github.com/CISOfy/lynis/blob/master/include/tests_kernel_hardening
some tests like:
a) check the system's current /proc/cmdline and /etc/default/grub content and filter for the options below:
lsm=lockdown (Lockdown enabling state for running system)
lockdown=confidentiality (configured Lockdown mode for kernel)
b) check /sys/kernel/security/lockdown to make sure the lockdown mode is the same for the configured options and for the currently running Linux kernel, i.e., for example:
$ cat /sys/kernel/security/lockdown
none integrity [confidentiality] (the current running state is shown in brackets and can be compared with the configs in a))
https://github.com/CISOfy/lynis/blob/master/include/tests_kernel_hardening
some tests like:
a) check the system's current /proc/cmdline and /etc/default/grub content and filter for the options below:
lsm=landlock (Landlock enabling state for running system)
For checking the kernel's memory sanitizing hardening options:
a) check the system's current /proc/cmdline and /etc/default/grub content and filter for the options below:
init_on_alloc=1 (to make sure the kernel clears memory pages on allocation, when mmap(2), I think)
init_on_free=1 (to make sure the kernel clears memory pages on freeing, when unmap(2), I think)
page_alloc.shuffle=1 (to make sure the kernel does memory page shuffling to improve memory-side-cache utilization)
Rate all options above, if they're enabled
Additional context
https://docs.kernel.org/security/landlock.html
https://lkml.org/lkml/2019/9/10/856
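The checks requested in this issue, as an added example in POSIX sh (the language Lynis is written in). It is not Lynis code and not from the issue author; the function names and the sample strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit lockdown, Landlock and memory-init settings.
# Function names are hypothetical and are not Lynis code.

# Print the value of the last KEY=VALUE token in a kernel command line.
cmdline_value() {  # $1 = command line, $2 = key
    val=""
    for tok in $1; do
        case "$tok" in "$2="*) val="${tok#*=}" ;; esac
    done
    printf '%s\n' "$val"
}

# Print the active mode, i.e. the bracketed word in
# /sys/kernel/security/lockdown, e.g. "none integrity [confidentiality]".
lockdown_active() {  # $1 = content of the sysfs file
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Succeed if LSM name $2 appears in the comma-separated lsm= list.
lsm_listed() {  # $1 = command line, $2 = LSM name
    case ",$(cmdline_value "$1" lsm)," in *",$2,"*) return 0 ;; esac
    return 1
}

# Print one finding per line for the checks described in the issue.
audit() {  # $1 = command line, $2 = lockdown sysfs content
    for lsm in lockdown landlock; do
        if lsm_listed "$1" "$lsm"; then echo "OK   lsm=$lsm"
        else echo "WARN lsm=$lsm not on command line"; fi
    done
    want=$(cmdline_value "$1" lockdown); have=$(lockdown_active "$2")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then echo "OK   lockdown=$have"
    else echo "WARN lockdown configured='$want' active='$have'"; fi
    for opt in init_on_alloc init_on_free page_alloc.shuffle; do
        if [ "$(cmdline_value "$1" "$opt")" = "1" ]; then echo "OK   $opt=1"
        else echo "WARN $opt=1 not set"; fi
    done
}

# Constructed sample input; on a real host pass "$(cat /proc/cmdline)"
# and "$(cat /sys/kernel/security/lockdown)" instead.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro lsm=lockdown,yama lockdown=confidentiality init_on_alloc=1 init_on_free=0'
SAMPLE_LOCKDOWN='none [integrity] confidentiality'
audit "$SAMPLE_CMDLINE" "$SAMPLE_LOCKDOWN"
```

A missing `lsm=` token only means the LSM list was not set on the command line; on a live system `/sys/kernel/security/lsm` lists the LSMs that are actually active, including those enabled by the kernel's built-in default.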