]> Git — Sourcephile - julm/julm-nix.git/blob - nixos/profiles/security.nix
oignon: nftables: open 8776 for radicle-node
[julm/julm-nix.git] / nixos / profiles / security.nix
1 { pkgs, lib, config, ... }:
2 with lib;
3 {
4 options = {
5 security.kernel.mitigations = mkOption {
6 type = types.str;
7 default = "auto,nosmt";
8 example = "off";
9 description = ''
10 Control optional mitigations for CPU vulnerabilities. This is a set of
11 curated, arch-independent options, each of which is an aggregation of
12 existing arch-specific options.
13 '';
14 };
15 };
16 config = {
17 boot.kernelPackages = mkDefault pkgs.linuxPackages;
18 #boot.kernelPackages = pkgs.linuxPackages_latest;
19 #boot.kernelPackages = pkgs.linuxPackages_hardened;
20 #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
21 #environment.memoryAllocator.provider = "libc";
22 nix.settings.allowed-users = [ "@users" ];
23 /*
24 nix.settings.substituters = [
25 "https://nix-community.cachix.org"
26 ];
27 nix.settings.trusted-public-keys = [
28 "nix-community.cachix.org:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
29 ];
30 */
31 nix.settings.trusted-users = [
32 "root"
33 "@wheel"
34 ];
35 networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
36 security.allowSimultaneousMultithreading = false;
37 security.apparmor.enable = mkDefault true;
38 security.forcePageTableIsolation = true;
39 security.lockKernelModules = mkDefault true;
40 security.protectKernelImage = true;
41 security.virtualisation.flushL1DataCache = "always";
42 # Only allow members of the wheel group to execute sudo by setting
43 # the executable’s permissions accordingly.
44 # This prevents users that are not members of wheel
45 # from exploiting vulnerabilities in sudo such as CVE-2021-3156.
46 security.sudo.execWheelOnly = true;
47 boot.blacklistedKernelModules = [
48 # Obscure network protocols
49 "ax25"
50 "netrom"
51 "rose"
52
53 # Old or rare or insufficiently audited filesystems
54 "adfs"
55 "affs"
56 "bfs"
57 "befs"
58 "cramfs"
59 "efs"
60 "erofs"
61 "exofs"
62 "freevxfs"
63 "f2fs"
64 "hfs"
65 "hpfs"
66 "jfs"
67 "minix"
68 "nilfs2"
69 "ntfs"
70 "omfs"
71 "qnx4"
72 "qnx6"
73 "sysv"
74 "ufs"
75 ];
76 # kernel-hardening-checker -c /proc/config.gz -l /proc/cmdline -s <(sudo sysctl -a) -m show_fail
77 boot.kernel.sysctl = {
78 # Mitigate kernel pointer leaks
79 "kernel.kptr_restrict" = 2;
80 # Restricts the kernel log to the CAP_SYSLOG capability
81 "kernel.dmesg_restrict" = 1;
82 # Prevent information leaks
83 #kernel.printk = "3 3 3 3";
84 # Restrict eBPF to the CAP_BPF capability
85 # and enable JIT hardening techniques
86 # such as constant blinding.
87 "kernel.unprivileged_bpf_disabled" = 1;
88 "net.core.bpf_jit_harden" = 2;
89 # Restricts loading TTY line disciplines
90 # to the CAP_SYS_MODULE capability to prevent
91 # unprivileged attackers from loading vulnerable
92 # line disciplines with the TIOCSETD ioctl
93 "dev.tty.ldisc_autoload" = 0;
94 # The userfaultfd() syscall is often abused to exploit
95 # use-after-free flaws.
96 # Due to this, this sysctl is used to restrict
97 # this syscall to the CAP_SYS_PTRACE capability.
98 "vm.unprivileged_userfaultfd" = 0;
99 # kexec is a system call that is used
100 # to boot another kernel during runtime.
101 "kernel.kexec_load_disabled" = 1;
102 # User namespaces are a feature in the kernel which aim to
103 # improve sandboxing and make it easily accessible for
104 # unprivileged users however, this feature exposes
105 # significant kernel attack surface for privilege
106 # escalation so this sysctl restricts the usage of user
107 # namespaces to the CAP_SYS_ADMIN capability.
108 "kernel.unprivileged_userns_clone" = 0;
109 # Restricts all usage of performance events to the
110 # CAP_PERFMON capability
111 "kernel.perf_event_paranoid" = 3;
112 # Helps protect against SYN flood attacks
113 "net.ipv4.tcp_syncookies" = 1;
114 # Protects against time-wait assassination
115 # by dropping RST packets for sockets
116 # in the time-wait state.
117 "net.ipv4.tcp_rfc1337" = 1;
118 # Disable ICMP redirect acceptance and sending to prevent
119 # man-in-the-middle attacks and minimize information disclosure.
120 "net.ipv4.conf.all.accept_redirects" = 0;
121 "net.ipv4.conf.default.accept_redirects" = 0;
122 "net.ipv4.conf.all.secure_redirects" = 0;
123 "net.ipv4.conf.default.secure_redirects" = 0;
124 "net.ipv6.conf.all.accept_redirects" = 0;
125 "net.ipv6.conf.default.accept_redirects" = 0;
126 "net.ipv4.conf.all.send_redirects" = 0;
127 "net.ipv4.conf.default.send_redirects" = 0;
128 # Disable source routing, a mechanism
129 # that allows users to redirect network traffic.
130 "net.ipv4.conf.all.accept_source_route" = 0;
131 "net.ipv4.conf.default.accept_source_route" = 0;
132 "net.ipv6.conf.all.accept_source_route" = 0;
133 "net.ipv6.conf.default.accept_source_route" = 0;
134 /*
135 # Disable TCP SACK, which is commonly exploited
136 # and unnecessary for many circumstances.
137 # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
138 "net.ipv4.tcp_sack" = 0;
139 "net.ipv4.tcp_dsack" = 0;
140 "net.ipv4.tcp_fack" = 0;
141 */
142 # Generate a random IPv6 address
143 "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
144 "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
145 # Restricts usage of ptrace to only processes
146 # with the CAP_SYS_PTRACE capability
147 "kernel.yama.ptrace_scope" = 2;
148 # Do source validation by confirming reverse path
149 "net.ipv4.conf.all.rp_filter" = 1;
150 "net.ipv4.conf.default.rp_filter" = 1;
151 # Any process which has changed privilege levels or is execute only will not be dumped.
152 "fs.suid_dumpable" = 0;
153 "fs.protected_fifos" = 2;
154 "fs.protected_regular" = 2;
155 # TIOCSTI is a dangerous legacy operation that can be disabled on most systems.
156 "dev.tty.legacy_tiocsti" = 0;
157 # User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.
158 #"user.max_user_namespaces" = mkDefault 0;
159 };
160 # DOC: https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
161 boot.kernelParams = [
162 "oops=panic"
163 #"quiet"
164 #"loglevel=0"
165 # Disable merging of slabs with similar size. May be necessary if there is
166 # some reason to distinguish allocs to different slabs, especially in
167 # hardened environments where the risk of heap overflows and layout control
168 # by attackers can usually be frustrated by disabling merging. This will
169 # reduce most of the exposure of a heap attack to a single cache (risks via
170 # metadata attacks are mostly unchanged). Debug options disable merging on
171 # their own.
172 "slab_nomerge"
173 # See slub_debug
174 # https://gitlab.tails.boum.org/tails/tails/-/issues/19613#note_215741
175 "slub_debug=FZ"
176 # Control whether the page allocator should randomize its free lists.
177 "page_alloc.shuffle=1"
178 # Kernel detects whether your CPU model is vulnerable to issues that PTI mitigates
179 # Disabling this feature removes hardening, but improves performance of system calls and interrupts.
180 "pti=auto"
181 # Controls the behavior of vsyscalls
182 # (i.e. calls to fixed addresses of 0xffffffffff600x00 from legacy code).
183 # Most statically-linked binaries and older versions of glibc use these calls.
184 # With none, vsyscalls don't work at all.
185 # This makes them quite hard to use for exploits but might break your system.
186 "vsyscall=none"
187 # Filesystem is not registered and clients get a -EPERM as result
188 # when trying to register files or directories within debugfs.
189 "debugfs=off"
190 # Disabled because the wireguard module is not signed
191 "module.sig_enforce=0"
192 # Disable kernel features that allow userland to modify the running kernel
193 # or to extract confidential information from the kernel.
194 "lockdown=confidentiality"
195 # https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.rst
196 "mce=bootlog"
197 "mitigations=${config.security.kernel.mitigations}" # kspp | self_protection
198 #"spectre_v2=on" # defconfig | self_protection
199 #"spectre_v2_user=on" # defconfig | self_protection
200 #"spec_store_bypass_disable=on" # defconfig | self_protection
201 #"l1tf=on" # defconfig | self_protection
202 #"mds=on" # defconfig | self_protection
203 #"tsx_async_abort=on" # defconfig | self_protection
204 #"srbds=on" # defconfig | self_protection
205 #"mmio_stale_data=on" # defconfig | self_protection
206 #"retbleed=on" # defconfig | self_protection
207 #"spec_rstack_overflow=on" # defconfig | self_protection
208 # Disable AVX to mitigate systems without microcode mitigation. No effect if the microcode mitigation is present. Known to cause crashes in userspace with buggy AVX enumeration.
209 #"gather_data_sampling=force" # defconfig | self_protection
210 # https://www.phoronix.com/news/randomize_kstack_offset-perf
211 "randomize_kstack_offset=1" # kspp | self_protection
212 # See https://unix.stackexchange.com/questions/592538/what-are-the-implication-of-using-iommu-force-in-the-boot-kernel-options
213 "iommu=force" # clipos | self_protection
214 # DMA unmap operations invalidate IOMMU hardware TLBs synchronously.
215 "iommu.strict=1" # kspp | self_protection
216 "kfence.sample_interval=100" # a13xp0p0v | self_protection
217 "kfence.deferrable=1"
218 # Unconditionally disables IA32 emulation
219 "ia32_emulation=0" # a13xp0p0v |cut_attack_surface
220 # A bit too much
221 # https://patchwork.kernel.org/project/linux-security-module/patch/20190626121943.131390-2-glider@google.com/#22731857
222 #"init_on_alloc=1" # kspp | self_protection
223 #"init_on_free=1" # kspp | self_protection
224 ];
225 services.journald.extraConfig = ''
226 Compress=true
227 MaxRetentionSec=1month
228 Storage=persistent
229 SystemMaxUse=100M
230 '';
231 systemd.coredump = {
232 enable = mkDefault false;
233 extraConfig = ''
234 Compress=true
235 MaxUse=1024M
236 Storage=external
237 '';
238 };
239 services.openssh = {
240 # Avoid TOFU MITM by providing well known public keys here.
241 knownHosts = {
242 "git.sr.ht".hostNames = [ "git.sr.ht" ];
243 "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
244
245 "github.com".hostNames = [ "github.com" ];
246 "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
247
248 "gitlab.com".hostNames = [ "gitlab.com" ];
249 "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
250 };
251 openFirewall = mkDefault false;
252 settings = {
253 Ciphers = [
254 # Not hardware accelerated, but fast enough and somehow more secure
255 # (packet sizes are encrypted and less vulnerable to timing attacks).
256 "chacha20-poly1305@openssh.com"
257 # A bit more throughput.
258 "aes128-gcm@openssh.com"
259 "aes256-gcm@openssh.com"
260 ];
261 KbdInteractiveAuthentication = mkDefault false;
262 # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
263 KexAlgorithms = [
264 "curve25519-sha256"
265 "curve25519-sha256@libssh.org"
266 "diffie-hellman-group16-sha512"
267 "diffie-hellman-group18-sha512"
268 "sntrup761x25519-sha512@openssh.com"
269 ];
270 PasswordAuthentication = false;
271 # Remove any remote gpg-agent's socket.
272 StreamLocalBindUnlink = true;
273 UseDns = mkDefault false;
274 X11Forwarding = mkDefault false;
275 };
276 };
277 };
278 /* TODO: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
279 =========================================================================================================================
280 option_name | type |desired_val | decision | reason | check_result
281 =========================================================================================================================
282 CONFIG_WERROR |kconfig| y |defconfig | self_protection | FAIL: "is not set"
283 CONFIG_X86_KERNEL_IBT |kconfig| y |defconfig | self_protection | FAIL: "is not set"
284 CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | FAIL: "is not set"
285 CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | FAIL: "is not set"
286 CONFIG_DEBUG_VIRTUAL |kconfig| y | kspp | self_protection | FAIL: "is not set"
287 CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set"
288 CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
289 CONFIG_STATIC_USERMODEHELPER |kconfig| y | kspp | self_protection | FAIL: "is not set"
290 CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | kspp | self_protection | FAIL: "is not set"
291 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | kspp | self_protection | FAIL: is not found
292 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | kspp | self_protection | FAIL: is not found
293 CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set"
294 CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set"
295 CONFIG_KFENCE |kconfig| y | kspp | self_protection | FAIL: "is not set"
296 CONFIG_KFENCE_SAMPLE_INTERVAL |kconfig| is not off |a13xp0p0v | self_protection | FAIL: CONFIG_KFENCE is not "y"
297 CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: "is not set"
298 CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
299 CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: "is not set"
300 CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | FAIL: "is not set"
301 CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | FAIL: is not found
302 CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | FAIL: is not found
303 CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: is not found
304 CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
305 CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | kspp | self_protection | FAIL: "is not set"
306 CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | kspp | self_protection | FAIL: "is not set"
307 CONFIG_UBSAN_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found
308 CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found
309 CONFIG_UBSAN_TRAP |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
310 CONFIG_UBSAN_SANITIZE_ALL |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
311 CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: "is not set"
312 CONFIG_STACKLEAK_METRICS |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
313 CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
314 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | FAIL: "is not set"
315 CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_CLANG is not "y"
316 CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CC_IS_CLANG is not "y"
317 CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | FAIL: "4096"
318 CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
319 CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
320 CONFIG_SLS |kconfig| y | kspp | self_protection | FAIL: "is not set"
321 CONFIG_INTEL_IOMMU_SVM |kconfig| y | kspp | self_protection | FAIL: "is not set"
322 CONFIG_AMD_IOMMU_V2 |kconfig| y | kspp | self_protection | FAIL: "m"
323 CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | FAIL: "y"
324 CONFIG_LIST_HARDENED |kconfig| y |a13xp0p0v | self_protection | FAIL: is not found
325 CONFIG_RANDOM_KMALLOC_CACHES |kconfig| y |a13xp0p0v | self_protection | FAIL: is not found
326 CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | FAIL: "y"
327 CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | kspp | security_policy | FAIL: "y"
328 CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | kspp | security_policy | FAIL: "y"
329 CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | kspp | security_policy | FAIL: "y"
330 CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
331 CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
332 CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
333 CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
334 CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
335 CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
336 CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
337 CONFIG_COMPAT |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
338 CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
339 CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
340 CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
341 CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
342 CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
343 CONFIG_LDISC_AUTOLOAD |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
344 CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
345 CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
346 CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
347 CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
348 CONFIG_FUNCTION_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
349 CONFIG_STACK_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
350 CONFIG_BLK_DEV_IO_TRACE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
351 CONFIG_PROC_PAGE_MONITOR |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
352 CONFIG_CHECKPOINT_RESTORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
353 CONFIG_USERFAULTFD |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
354 CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
355 CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
356 CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
357 CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
358 CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
359 CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
360 CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
361 CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
362 CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
363 CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
364 CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
365 CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
366 CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
367 CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
368 CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
369 CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
370 CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
371 CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
372 CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
373 CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
374 CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m"
375 CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
376 CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
377 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
378 CONFIG_AIO |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
379 CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
380 CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
381 CONFIG_IP_DCCP |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
382 CONFIG_IP_SCTP |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
383 CONFIG_FTRACE |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
384 CONFIG_INPUT_EVBUG |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
385 CONFIG_XFS_SUPPORT_V4 |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
386 CONFIG_TRIM_UNUSED_KSYMS |kconfig| y |a13xp0p0v |cut_attack_surface| FAIL: "is not set"
387 CONFIG_COREDUMP |kconfig| is not set | clipos | harden_userspace | FAIL: "y"
388 CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 |a13xp0p0v | harden_userspace | FAIL: "28"
389 CONFIG_X86_USER_SHADOW_STACK |kconfig| y |a13xp0p0v | harden_userspace | FAIL: is not found
390 */
391 }