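def test_pax():
    """Check that the kernel config enables the core PaX hardening options.

    Returns a single TestResult when the check cannot proceed (SKIP when no
    kernel config can be read, FAIL when the config does not carry
    CONFIG_GRKERNSEC=y), otherwise a GroupTestResult with one PASS/FAIL entry
    per PaX option in ``pax_kernel_options``; an option passes only when it
    is built in as 'y'.

    This is a build-time (kconfig) check only: it cannot tell whether PaX
    was relaxed at runtime (soft mode or per-binary flags), and since the
    grsecurity/PaX patches stopped being publicly released in 2017 a stock
    distribution kernel is expected to stop at the CONFIG_GRKERNSEC gate.
    """
    pax_kernel_options = {
        "Non-executable kernel pages": "CONFIG_PAX_KERNEXEC",
        "Non-executable pages": "CONFIG_PAX_NOEXEC",
        "Paging based non-executable pages": "CONFIG_PAX_PAGEEXEC",
        "Restrict MPROTECT": "CONFIG_PAX_MPROTECT",
        "Address space layout randomization": "CONFIG_PAX_ASLR",
        "Randomize kernel stack": "CONFIG_PAX_RANDKSTACK",
        "Randomize user stack": "CONFIG_PAX_RANDUSTACK",
        "Randomize MMAP stack": "CONFIG_PAX_RANDMMAP",
        "Sanitize freed memory": "CONFIG_PAX_MEMORY_SANITIZE",
        "Sanitize kernel stack": "CONFIG_PAX_MEMORY_STACKLEAK",
        "Prevent userspace pointer deref": "CONFIG_PAX_MEMORY_UDEREF",
        # Label typo ("kboject") fixed so the report reads correctly.
        "Prevent kobject refcount overflow": "CONFIG_PAX_REFCOUNT",
        "Bounds check heap object copies": "CONFIG_PAX_USERCOPY",
    }

    config = utils.kconfig()
    if not config:
        return TestResult(Result.SKIP, notes="Unable to find kernel config")

    # Every PaX option lives under the grsecurity patch set; gate on it so a
    # vanilla kernel gets one clear FAIL instead of thirteen opaque ones.
    # Compared against 'y' explicitly: elsewhere in this file kconfig_option
    # is seen to return 'n' for an unset option, and 'n' is truthy.
    if utils.kconfig_option('CONFIG_GRKERNSEC', config) != 'y':
        return TestResult(Result.FAIL,
                          notes="Kernel not compiled with GRSECURITY patches")

    results = GroupTestResult()
    for label, option in pax_kernel_options.items():
        # Only a built-in 'y' counts; unset, 'n', 'm' or anything else FAILs.
        verdict = (Result.PASS
                   if utils.kconfig_option(option, config) == 'y'
                   else Result.FAIL)
        results.add_result(label, TestResult(verdict))

    return results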
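def test_pax():
    """Check that the kernel config enables the core PaX hardening options.

    Returns a single TestResult when the check cannot proceed (SKIP when no
    kernel config can be read, FAIL when the config does not carry
    CONFIG_GRKERNSEC=y), otherwise a GroupTestResult with one PASS/FAIL entry
    per PaX option in ``pax_kernel_options``; an option passes only when it
    is built in as 'y'.

    This is a build-time (kconfig) check only: it cannot tell whether PaX
    was relaxed at runtime (soft mode or per-binary flags), and since the
    grsecurity/PaX patches stopped being publicly released in 2017 a stock
    distribution kernel is expected to stop at the CONFIG_GRKERNSEC gate.
    """
    pax_kernel_options = {
        "Non-executable kernel pages":          "CONFIG_PAX_KERNEXEC",
        "Non-executable pages":                 "CONFIG_PAX_NOEXEC",
        "Paging based non-executable pages":    "CONFIG_PAX_PAGEEXEC",
        "Restrict MPROTECT":                    "CONFIG_PAX_MPROTECT",
        "Address space layout randomization":   "CONFIG_PAX_ASLR",
        "Randomize kernel stack":               "CONFIG_PAX_RANDKSTACK",
        "Randomize user stack":                 "CONFIG_PAX_RANDUSTACK",
        "Randomize MMAP stack":                 "CONFIG_PAX_RANDMMAP",
        "Sanitize freed memory":                "CONFIG_PAX_MEMORY_SANITIZE",
        "Sanitize kernel stack":                "CONFIG_PAX_MEMORY_STACKLEAK",
        "Prevent userspace pointer deref":      "CONFIG_PAX_MEMORY_UDEREF",
        # Label typo ("kboject") fixed so the report reads correctly.
        "Prevent kobject refcount overflow":    "CONFIG_PAX_REFCOUNT",
        "Bounds check heap object copies":      "CONFIG_PAX_USERCOPY",
    }

    config = utils.kconfig()
    if not config:
        return TestResult(Result.SKIP, notes="Unable to find kernel config")

    # Every PaX option lives under the grsecurity patch set; gate on it so a
    # vanilla kernel gets one clear FAIL instead of thirteen opaque ones.
    # Compared against 'y' explicitly: elsewhere in this file kconfig_option
    # is seen to return 'n' for an unset option, and 'n' is truthy.
    if utils.kconfig_option('CONFIG_GRKERNSEC', config) != 'y':
        return TestResult(Result.FAIL,
                          notes="Kernel not compiled with GRSECURITY patches")

    results = GroupTestResult()
    for label, option in pax_kernel_options.items():
        # Only a built-in 'y' counts; unset, 'n', 'm' or anything else FAILs.
        verdict = (Result.PASS
                   if utils.kconfig_option(option, config) == 'y'
                   else Result.FAIL)
        results.add_result(label, TestResult(verdict))

    return results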
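def test_devmem():
    """Check that raw physical-memory access through /dev/mem is restricted.

    PASS when CONFIG_DEVMEM=n (the device is not built at all) or when
    CONFIG_STRICT_DEVMEM=y (userspace may only reach the PCI/BIOS ranges
    through /dev/mem).  FAIL when CONFIG_STRICT_DEVMEM=n.  SKIP when the
    config or the option cannot be found, or when /proc/config.gz cannot be
    opened (IOError from the kconfig lookup).

    Returns a TestResult whose notes carry the reason for the verdict.

    CONFIG_STRICT_DEVMEM still permits access to memory-mapped device
    regions; CONFIG_IO_STRICT_DEVMEM is the stronger setting and is not
    required here.
    """
    logger.debug("Attempting to validate /dev/mem protection.")

    try:
        # A kernel with no /dev/mem at all is the strongest outcome.  Only an
        # explicit 'n' counts: CONFIG_DEVMEM does not exist on older kernels,
        # so an absent option falls through to the STRICT_DEVMEM check.
        if utils.kconfig_option('CONFIG_DEVMEM') == 'n':
            reason = "/dev/mem is not compiled into the kernel."
            logger.debug(reason)
            return TestResult(Result.PASS, reason)

        devmem_val = utils.kconfig_option('CONFIG_STRICT_DEVMEM')
    except IOError as e:
        logger.debug("Unable to open /proc/config.gz.\n"
                     "    Exception information: [ {} ]".format(e))
        return TestResult(Result.SKIP, "Error opening /proc/config.gz.")

    if devmem_val == 'y':
        reason = "/dev/mem protection is enabled."
        result = Result.PASS
    elif devmem_val == 'n':
        reason = "/dev/mem protection is not enabled."
        result = Result.FAIL
    else:
        # Neither 'y' nor 'n': the config was unreadable or lacks the option,
        # which is not evidence either way.
        reason = "Cannot find the kernel config or option"
        result = Result.SKIP

    logger.debug(reason)
    return TestResult(result, reason)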
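def test_ptrace_scope():
    """Check that Yama restricts ptrace attachment (kernel.yama.ptrace_scope).

    FAIL when the kernel was not built with CONFIG_SECURITY_YAMA=y, when the
    sysctl cannot be read or parsed as an integer (typically Yama is compiled
    in but not part of the active LSM list, so the knob does not exist), or
    when the scope is 0 (any process may ptrace any other process of the same
    uid).  PASS for 1 (descendants only), 2 (CAP_SYS_PTRACE only) and 3 (no
    attach at all); hardened baselines usually ask for 2, this test only
    requires 1.

    Returns a TestResult whose notes carry the sysctl name and value.
    """
    ptrace_scope = 'kernel/yama/ptrace_scope'

    # Compared against 'y' explicitly: elsewhere in this file kconfig_option
    # is seen to return 'n' for an unset option, and 'n' is truthy, which
    # would have let an unset YAMA slip past a plain truthiness test.
    if utils.kconfig_option("CONFIG_SECURITY_YAMA") != 'y':
        return TestResult(Result.FAIL,
                          notes="Kernel missing CONFIG_SECURITY_YAMA")

    try:
        enabled = int(utils.get_sysctl_value(ptrace_scope))
    except (IOError, TypeError, ValueError):
        # No readable value means the restriction is not in effect, so this
        # is a FAIL rather than a SKIP.
        return TestResult(Result.FAIL,
                          notes="{} could not be read".format(ptrace_scope))

    rc = Result.PASS if enabled >= 1 else Result.FAIL
    return TestResult(rc, notes="{} = {}".format(ptrace_scope, enabled))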
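def test_ptrace_scope():
    """Check that Yama restricts ptrace attachment (kernel.yama.ptrace_scope).

    FAIL when the kernel was not built with CONFIG_SECURITY_YAMA=y, when the
    sysctl cannot be read or parsed as an integer (typically Yama is compiled
    in but not part of the active LSM list, so the knob does not exist), or
    when the scope is 0 (any process may ptrace any other process of the same
    uid).  PASS for 1 (descendants only), 2 (CAP_SYS_PTRACE only) and 3 (no
    attach at all); hardened baselines usually ask for 2, this test only
    requires 1.

    Returns a TestResult whose notes carry the sysctl name and value.
    """
    ptrace_scope = 'kernel/yama/ptrace_scope'

    # Compared against 'y' explicitly: elsewhere in this file kconfig_option
    # is seen to return 'n' for an unset option, and 'n' is truthy, which
    # would have let an unset YAMA slip past a plain truthiness test.
    if utils.kconfig_option("CONFIG_SECURITY_YAMA") != 'y':
        return TestResult(Result.FAIL,
                          notes="Kernel missing CONFIG_SECURITY_YAMA")

    try:
        enabled = int(utils.get_sysctl_value(ptrace_scope))
    except (IOError, TypeError, ValueError):
        # No readable value means the restriction is not in effect, so this
        # is a FAIL rather than a SKIP.
        return TestResult(Result.FAIL,
                          notes="{} could not be read".format(ptrace_scope))

    rc = Result.PASS if enabled >= 1 else Result.FAIL
    return TestResult(rc, notes="{} = {}".format(ptrace_scope, enabled))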
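def test_module_signing():
    """Check kernel module signature verification.

    Returns a GroupTestResult with three entries:

    * "Module signature checking enabled" - CONFIG_MODULE_SIG=y.
    * "Module signature checking forced"  - unsigned modules are rejected,
      either because CONFIG_MODULE_SIG_FORCE=y or because module.sig_enforce
      was turned on at boot.  Without enforcement an unsigned module still
      loads and merely taints the kernel.
    * "Present modules" - the kernel taint mask does not carry the
      unsigned-module bit (TAINT_UNSIGNED_MODULE, flag 'E', value 8192).

    When CONFIG_MODULE_SIG is off the last two entries are SKIP.

    Taint is sticky: the third entry says whether an unsigned module was
    loaded at any point since boot, not only whether one is loaded now.
    """
    results = GroupTestResult()

    enabled_check = "Module signature checking enabled"
    forced_check = "Module signature checking forced"
    tainted_check = "Present modules"

    available = utils.kconfig_option("CONFIG_MODULE_SIG") == "y"
    if available:
        results.add_result(enabled_check, TestResult(Result.PASS, notes="Enabled"))
    else:
        results.add_result(enabled_check, TestResult(Result.FAIL, notes="Disabled"))
        # Neither forcing nor taint means anything without signing support.
        skipped = TestResult(Result.SKIP, notes="Not available")
        results.add_result(forced_check, skipped)
        results.add_result(tainted_check, skipped)
        return results

    results.add_result(forced_check, _module_sig_forced())
    results.add_result(tainted_check, _unsigned_module_taint())
    return results


def _module_sig_forced():
    """Return PASS when unsigned modules are rejected, FAIL otherwise."""
    if utils.kconfig_option("CONFIG_MODULE_SIG_FORCE") == "y":
        return TestResult(Result.PASS, notes="Enabled")

    # CONFIG_MODULE_SIG_FORCE=n can still be enforced at runtime with the
    # module.sig_enforce=1 boot parameter; the kernel exposes the setting
    # read-only in sysfs as 'Y'/'N'.  A kconfig-only check would report a
    # false FAIL on such a system.
    try:
        with open('/sys/module/module/parameters/sig_enforce', 'r') as f:
            runtime_enforced = f.read().strip() == 'Y'
    except IOError:
        runtime_enforced = False  # parameter absent: nothing more to learn

    if runtime_enforced:
        return TestResult(Result.PASS, notes="Enabled at runtime (module.sig_enforce)")
    return TestResult(Result.FAIL, notes="Disabled")


def _unsigned_module_taint():
    """Return FAIL when the unsigned-module taint bit is set, PASS otherwise.

    Reads /proc/sys/kernel/tainted; an unreadable or non-integer value is a
    FAIL because the absence of unsigned modules cannot be established.
    """
    taint_unsigned_module = 1 << 13  # TAINT_UNSIGNED_MODULE, flag 'E' (8192)

    try:
        with open('/proc/sys/kernel/tainted', 'r') as f:
            level = int(f.read())
    except (IOError, ValueError):
        return TestResult(Result.FAIL, notes="Taint level cannot be read")

    if level & taint_unsigned_module:
        return TestResult(Result.FAIL, notes="Unsigned module detected")
    return TestResult(Result.PASS, notes="All loaded modules are signed")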