models: add lockdown default configuration files #1530
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bcressey
reviewed
Apr 28, 2021
arnaldo2792
force-pushed
the
kernel-lockdown
branch
from
ef595e8
to
add9da6
Compare
|
samuelkarp
approved these changes
Apr 28, 2021
bcressey
approved these changes
Apr 28, 2021
arnaldo2792
force-pushed
the
kernel-lockdown
branch
from
add9da6
to
0a3cf3a
Compare
|
This commit adds default configuration files for the different values that can be used for the kernel lockdown setting.
This commit updates the security guidance document since the default kernel lockdown mode for newer variants is `integrity`
arnaldo2792
force-pushed
the
kernel-lockdown
branch
from
0a3cf3a
to
fc416bf
Compare
|
bcressey
approved these changes
Apr 28, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue number:
#813
Description of changes:
This commit updates the security guidance document since the default kernel lockdown mode for newer variants is
integrityThis commit adds default configuration files for the different values that can be used for the kernel lockdown setting. It also changes the lockdown mode for the ECS variant from
nonetointegrity.Testing done:
In aws-dev, aws-ecs, k8s 1.16, 1.17, 1.18, 1.19 x86_64:
systemctl status, no failing units/sys/kernel/security/lockdownin each variant:AWS dev:
AWS ECS:
AWS k8s 1.19:
AWS k8s 1.18:
AWS k8s 1.17:
AWS k8s 1.16:
VMWare dev:
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.