-
Notifications
You must be signed in to change notification settings - Fork 11
/
sysctl-check
executable file
·30 lines (27 loc) · 1.25 KB
/
sysctl-check
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
#!/bin/sh
# Critical sysctls (as of 5.13):
# ==============================
# protected_hardlinks = 0 no, *1 yes
# protected_symlinks = 0 no, *1 yes
# protected_fifos = 2
# protected_regular = 2
# suid_dumpable = *0 no, 1 yes
# perf_event_paranoid = *2 no events, 1 perf data, 0 everything
# randomize_va_space = *2 all, 1 mmap, 0 none
# ptrace_scope = 0 none, 1 trace child, *2 CAP_SYS_PTRACE, 3 none
# kexec_load_disabled = 0 no, *1 yes
# kptr_restrict = 0 no, *1 yes
# dmesg_restrict = 0 everyone, *1 restricted
# perf_event_paranoid = *2 no events, 1 perf data, 0 everything
# legacy_va_layout = 1 use legacy layout, *0 new layout
# max_user_namespaces =
# unprivileged_bpf_disabled = 1
# bpf_jit_harden = *2
# unprivileged_userfaultfd = 0
critical="protected_hardlinks|protected_symlinks|protected_fifos|protected_regular|suid_dumpable|perf_event_paranoid|randomize_va_space|ptrace_scope|kexec_load_disabled|kptr_restrict|dmesg_restrict|max_user_namespaces|unprivileged_bpf_disabled|bpf_jit_harden|unprivileged_userfaultfd"
other="usermodehelper.bset|usermodehelper.inheritable|kernel.*shield|cad_pid|mmap_rnd_"
if [ "$1" = "--critical" ] ; then
/usr/sbin/sysctl -a 2>/dev/null | grep -E "$critical"
else
/usr/sbin/sysctl -a 2>/dev/null | grep -E "$critical|$other"
fi