add KSPP compliance status to readme based on comment by @raja-grewal

https://github.com/Kicksecure/security-misc/issues/256#issuecomment-2330376651
2024-10-01 08:25:45 -04:00 · 2024-09-05 06:03:05 -04:00 · 2024-09-05 06:03:05 -04:00 · e914028be7
commit e914028be7
parent 40fb14c654
1 changed files with 42 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -194,6 +194,48 @@ Networking:

 - Optional - Disable the entire IPv6 stack to reduce attack surface.

+## Kernel Self Protection Project (KSPP) Compliance Status
+
+**Summary:***
+
+security-misc is in full compliance with KSPP as much as reasonable. In a few exception cases there is only partial compliance or non-compliance.
+
+* https://kspp.github.io/Recommended_Settings
+
+**Full compliance:**
+
+More than 30 kernel boot parameters and more than 30 sysctl settings are fully compliant with recommendations by KSPP.
+
+**Partial compliance:**
+
+1. `sysctl kernel.yama.ptrace_scope=3`
+
+Disable `ptrace()` entirely. Can easily enable.
+
+* https://github.com/Kicksecure/security-misc/pull/242
+
+2. `sysctl kernel.panic=-1`
+
+Force immediate reboot upon a kernel panic. Can enable but may cause system crashes.
+
+* https://github.com/Kicksecure/security-misc/pull/264
+* https://github.com/Kicksecure/security-misc/pull/268
+
+3. `sysctl user.max_user_namespaces=0`
+
+Disable user namespaces entirely. Unadvisable due to numerous potential breakages.
+
+* https://github.com/Kicksecure/security-misc/pull/263
+
+**Non-compliance:**
+
+4. `sysctl fs.binfmt_misc.status=0`
+
+Disable registering interpreters for miscellaneous binary formats. Currently unadvisable due to breakage with Firefox.
+
+* https://github.com/Kicksecure/security-misc/pull/249
+* https://github.com/Kicksecure/security-misc/issues/267
+
 ### mmap ASLR

 - The bits of entropy used for mmap ASLR are maxed out via