Commit 5ab4f51

Merge pull request #35 from Harvester57/Harvester57/issue34
Add support for KASAN
2 parents 29d9b33 + 01ae577 commit 5ab4f51

4 files changed

+42
-4
lines changed

AdditionalHardening.admx

Lines changed: 22 additions & 4 deletions
@@ -1,8 +1,8 @@
11
<?xml version="1.0" encoding="utf-8"?>
22
<!--
33
Author: Florian Stosse <florian.stosse@gmail.com>
4-
Version: 1.0.36
5-
Date: 2024-11-03
4+
Version: 1.0.37
5+
Date: 2024-11-12
66
-->
77
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema"
88
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0"
@@ -13,8 +13,9 @@
1313
</policyNamespaces>
1414
<resources minRequiredRevision="1.0" />
1515
<categories>
16-
<!-- Main category -->
16+
<!-- Main categories -->
1717
<category name="Cat_AddHard" displayName="$(string.Cat_AddHard)" />
18+
<category name="Cat_Debug" displayName="$(string.Cat_Debug)" />
1819
<!-- Subcategories -->
1920
<category name="Network" displayName="$(string.Network)">
2021
<parentCategory ref="Cat_AddHard" />
@@ -70,6 +71,23 @@
7071
</categories>
7172
<policies>
7273
<!-- Hardening policies section -->
74+
<!--
75+
76+
77+
DEBUG SETTINGS
78+
79+
80+
-->
81+
<policy name="EnableKASAN" class="Machine" displayName="$(string.EnableKASAN)" explainText="$(string.EnableKASAN_Explain)" key="SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" valueName="KasanEnabled">
82+
<parentCategory ref="Cat_Debug" />
83+
<supportedOn ref="windows:SUPPORTED_Windows_10_0" />
84+
<enabledValue>
85+
<decimal value="1" />
86+
</enabledValue>
87+
<disabledValue>
88+
<decimal value="0" />
89+
</disabledValue>
90+
</policy>
7391
<!--
7492
7593
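Review bot: The `EnableKASAN` policy at new lines 81-90 writes `KasanEnabled` under `SYSTEM\CurrentControlSet\Control\Session Manager\Kernel`, which is outside the `Policies` registry branches, so the value stays in place after the GPO is unlinked or the policy is returned to Not Configured. `EnableKASAN_Explain` should say that an explicit Disabled is needed to write 0 back. `supportedOn` also points at the generic `windows:SUPPORTED_Windows_10_0`; if KASAN is only honoured on newer builds, a narrower reference or a sentence in the explain text would stop admins expecting it to work on every Windows 10 machine.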
@@ -78,7 +96,7 @@
7896
7997
-->
8098
<!-- Launch VBS in Mandatory mode -->
81-
<policy name="MandatoryVBS" class="Machine" displayName="$(string.MandatoryVBS)" explainText="$(string.MandatoryVBS_Explain)" key="CurrentControlSet\Control\DeviceGuard" valueName="Mandatory">
99+
<policy name="MandatoryVBS" class="Machine" displayName="$(string.MandatoryVBS)" explainText="$(string.MandatoryVBS_Explain)" key="SYSTEM\CurrentControlSet\Control\DeviceGuard" valueName="Mandatory">
82100
<parentCategory ref="System" />
83101
<supportedOn ref="windows:SUPPORTED_Windows_10_0" />
84102
<enabledValue>
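Review bot: The corrected `key` on new line 99 changes where `Mandatory` is written, but nothing here removes the value that v1.0.36 created under the old `CurrentControlSet\Control\DeviceGuard` path (relative to the Machine hive, without `SYSTEM\`). Consider documenting a cleanup step for machines that applied v1.0.36, and checking the other policies in this file for `key` attributes that lack the `SYSTEM\` prefix.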

CHANGELOG.md

Lines changed: 6 additions & 0 deletions
@@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file.
33

44
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
55

6+
## [v1.0.37] - 2024-11-12
7+
### Added
8+
- New policy to enable or disable the support for KASAN
9+
### Fixed
10+
- Fix the Registry path for the Mandatory VBS flag introduced in v1.0.36
11+
612
## [v1.0.36] - 2024-11-03
713
### Added
814
- New policy to configure the Mandatory mode for Virtualization-Based Security
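Review bot: The Fixed entry at new line 10 does not state the impact of the bug. With the v1.0.36 path the policy did not write the Mandatory flag to the `DeviceGuard` key under `SYSTEM\CurrentControlSet`, so admins who enabled it need to re-apply and verify after upgrading; one more sentence saying so would make the entry actionable. The Added entry could also mention the new `Cat_Debug` category the KASAN policy is filed under.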

en-US/AdditionalHardening.adml

Lines changed: 7 additions & 0 deletions
@@ -12,6 +12,7 @@
1212
At least Windows Server 2008 SP2 or Windows Vista SP2 with KB3174644</string>
1313
<!-- CATEGORIES -->
1414
<string id="Cat_AddHard">Additional hardening settings</string>
15+
<string id="Cat_Debug">Additional debug-related settings</string>
1516
<string id="System">Additional system hardening settings</string>
1617
<string id="Network">Additional network hardening settings</string>
1718
<string id="DomainControllers">Additional Domain Controllers hardening settings</string>
@@ -347,6 +348,12 @@ Enabling this policy will set the Mandatory flag and force the verification of t
347348
Enabling this policy with UEFI Lock already enabled wil do nothing.
348349

349350
Disabling this policy will disable the verification of the components, only if the UEFI Lock is not enabled. Otherwise, disabling this policy will do nothing.</string>
351+
<string id="EnableKASAN">Enable Kernel Address Sanitizer</string>
352+
<string id="EnableKASAN_Explain">The Kernel Address Sanitizer (KASAN) is a bug detection technology supported on Windows kernel drivers that enables you to detect several classes of illegal memory accesses, such as buffer overflows and use-after-free events.
353+
354+
It requires you to enable KASAN on your system, and recompile your kernel driver with a specific MSVC compiler flag.
355+
356+
This policy controls the support of KASAN in the kernel. Enabling this polic will enable the support of KASAN. Disabling this policy will disable the support of KASAN.</string>
350357
<string id="CoInstallers">Block drivers co-installers applications</string>
351358
<string id="CoInstallers_Help">A co-installer is a user-mode Win32 DLL that typically writes additional configuration information to the registry, or performs other installation tasks that require information that is not available when an INF is written.
352359
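Review bot: Typo in the added `EnableKASAN_Explain` text at new line 356: "Enabling this polic will enable" should read "policy". The second paragraph refers to "a specific MSVC compiler flag" without naming it; naming the flag or pointing to its documentation would let the text stand on its own. Because the rest of the template is about hardening, it would also help to say plainly here that this is a debug-related setting (it is filed under `Cat_Debug`).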

fr-FR/AdditionalHardening.adml

Lines changed: 7 additions & 0 deletions
@@ -11,6 +11,7 @@
1111
Au moins Windows Server 2008 SP2 ou Windows Vista SP2 avec KB3174644</string>
1212
<!-- CATEGORIES -->
1313
<string id="Cat_AddHard">Paramètres de durcissement supplémentaires</string>
14+
<string id="Cat_Debug">Paramètres de débuggage supplémentaires</string>
1415
<string id="System">Paramètres de durcissement système</string>
1516
<string id="Network">Paramètres de durcissement réseau</string>
1617
<string id="DomainControllers">Paramètres de durcissement pour contrôleurs de domaine</string>
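Review bot: Spelling in the added `Cat_Debug` string at new line 14: "débuggage" is normally written "débogage" in French. The en-US string reads "Additional debug-related settings", so "Paramètres de débogage supplémentaires" would match it.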
@@ -349,6 +350,12 @@ Activer cette politique activera le mode Obligatoire et forcera la vérification
349350
Activer cette politique si le verrouillage UEFI est actif est sans effet.
350351

351352
Désactiver cette politique désactivera le mode Obligatoire, seulement si le verrouillage UEFI n'est pas activé. Autrement, désactiver cette politique est sans effet.</string>
353+
<string id="EnableKASAN">Activer l'assainisseur d'adresses du noyau (KASAN)</string>
354+
<string id="EnableKASAN_Explain">L'assainisseur d'adresses du noyau (KASAN) est une technologie de détection de bogues prise en charge sur les pilotes de noyau Windows qui vous permet de détecter plusieurs classes d'accès à la mémoire illégale, telles que les dépassements de mémoire tampon et les événements sans utilisation.
355+
356+
Il vous oblige à activer KASAN sur votre système et à recompiler votre pilote de noyau avec un paramètre de compilation MSVC spécifique.
357+
358+
Cette politique contrôle le support de KASAN au niveau du noyau. Activer cette politique activera le support de KASAN. Désactiver cette politique désactivera le support de KASAN.</string>
352359
<string id="CoInstallers">Bloquer l'installation des co-installeurs des pilotes matériels</string>
353360
<string id="CoInstallers_Help">Un co-installeur est une librairie Win32 en espace utilisateur qui complète l'installation d'un driver en effectuant des tâches de configuration annexes (écriture Registre, installation d'application additionnelle, etc) non disponibles dans un fichier INF standard.
354361
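Review bot: The French `EnableKASAN_Explain` at new line 354 does not match the en-US text: "les événements sans utilisation" does not convey "use-after-free events" (for example "les utilisations après libération"), and "accès à la mémoire illégale" makes the memory illegal rather than the accesses ("accès mémoire illégaux"). Both phrases name the bug classes the policy is about, so they are worth correcting before release.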
