CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0
13.52k stars 1.49k forks

Consider adding checks for some more kernel and memory hardening #1477

Open Constacalm opened 8 months ago

Constacalm commented 8 months ago

Is your feature request related to a problem? Please describe.

The problem: Lynis does not check and detect the presence and state of some modern Linux kernel security subsystems, such as lockdown, landlock, etc.

And Lynis doesn't rank it, of course.

Also, Lynis doesn't check some memory hardening Linux kernel options for sanitizing, for example:

init_on_free or page_alloc.shuffle

Describe the solution you'd like

Check if kernel Lockdown mode is enabled, and rank it; check the current Lockdown state (Integrity/Confidentiality) and rank it lower or higher accordingly; check memory hardening options and rank them; check if the kernel has Landlock enabled among its LSM modules.

Required changes

  1. For checking kernel_lockdown(7), consider adding somewhere in:

    https://github.com/CISOfy/lynis/blob/master/include/tests_kernel_hardening

    some tests like:

    a) check the system's current /proc/cmdline and /etc/default/grub content and filter for the options below:

    lsm=lockdown (Lockdown enabling state for running system)
    lockdown=confidentiality (configured Lockdown mode for kernel)

    b) check /sys/kernel/security/lockdown to make sure the lockdown mode is the same for the configured options and for the currently running Linux kernel, i.e., for example:

    $ cat /sys/kernel/security/lockdown
    none integrity [confidentiality]

    (the current running state is shown in brackets and can be compared with the configs in a))

  2. For checking landlock (https://docs.kernel.org/security/landlock.html), consider adding somewhere in:

    https://github.com/CISOfy/lynis/blob/master/include/tests_kernel_hardening

    some tests like:

    a) check the system's current /proc/cmdline and /etc/default/grub content and filter for the options below:

    lsm=landlock (Landlock enabling state for running system)

  3. For checking the kernel's memory sanitizing hardening options:

    a) check the system's current /proc/cmdline and /etc/default/grub content and filter for the options below:

    init_on_alloc=1 (to make sure the kernel clears memory pages on allocation, when mmap(2), I think)
    init_on_free=1 (to make sure the kernel clears memory pages on freeing, when unmap(2), I think)
    page_alloc.shuffle=1 (to make sure the kernel does memory page shuffling to improve memory-side-cache utilization)

Rate all options above, if they're enabled

Additional context

https://docs.kernel.org/security/landlock.html
https://lkml.org/lkml/2019/9/10/856
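As an added example (not Lynis code and not part of this issue), a small POSIX sh script that parses the three kernel interfaces the request names: the kernel command line, the LSM list in /sys/kernel/security/lsm, and the bracketed running state in /sys/kernel/security/lockdown, including the point b) comparison of configured versus running lockdown mode. The function names and the 0..5 score are my own assumptions, not a Lynis test convention.

```shell
# Added example, not Lynis code: parse the kernel interfaces the issue names.
# Functions take file *content* as arguments so they run offline; the block at
# the end feeds them the real files when present. All names are hypothetical.

# Running lockdown mode from /sys/kernel/security/lockdown, which reads like
# "none integrity [confidentiality]" with the active mode in brackets.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Value of key=value option $2 in kernel command line $1; status 1 and no
# output when the key is absent. $1 is unquoted on purpose to split on spaces.
cmdline_value() {
    for opt in $1; do
        case "$opt" in "$2"=*) printf '%s\n' "${opt#*=}"; return 0 ;; esac
    done
    return 1
}

# Status 0 if LSM $2 is in the comma-separated list $1 (format of
# /sys/kernel/security/lsm, e.g. "lockdown,capability,landlock").
lsm_active() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Point b) of the issue: does the configured lockdown= value match the
# running state? Without a lockdown= option the kernel defaults to "none".
lockdown_consistent() {
    conf=$(cmdline_value "$1" lockdown) || conf=none
    [ "$conf" = "$(lockdown_mode "$2")" ]
}

# Count (0..5) of the requested hardening settings that are satisfied.
# $1 = cmdline, $2 = lsm list, $3 = lockdown file content.
hardening_score() {
    score=0
    [ "$(cmdline_value "$1" init_on_alloc)" = 1 ] && score=$((score + 1))
    [ "$(cmdline_value "$1" init_on_free)" = 1 ] && score=$((score + 1))
    [ "$(cmdline_value "$1" page_alloc.shuffle)" = 1 ] && score=$((score + 1))
    lsm_active "$2" landlock && score=$((score + 1))
    case "$(lockdown_mode "$3")" in integrity|confidentiality) score=$((score + 1)) ;; esac
    echo "$score"
}

# Report on the live system when securityfs is mounted.
if [ -r /sys/kernel/security/lockdown ] && [ -r /sys/kernel/security/lsm ]; then
    echo "hardening score: $(hardening_score "$(cat /proc/cmdline)" \
        "$(cat /sys/kernel/security/lsm)" "$(cat /sys/kernel/security/lockdown)")/5"
fi
```

Note that /sys/kernel/security only exists when securityfs is mounted, so a test built on this should treat an absent file as "unknown" rather than "not hardened".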

mboelen commented 6 months ago

Great suggestions. Want to help build them into tests?