## https://sploitus.com/exploit?id=D48E3E6B-808C-5343-AFF5-E8D23CDA69C0
# SSIA - System Structural Integrity Audit
A tool kit for discovering, diagnosing, and containing LPE (Local Privilege Escalation) vectors through the Linux Kernel Crypto API (`AF_ALG`).
## Overview
This repository provides two scripts that form a **diagnose โ contain โ verify** workflow against privilege escalation attacks via `AF_ALG` (`socket(38, 5, 0)`):
- **`check.sh`** โ Multi-layer security posture audit (runs unprivileged)
- **`solution.sh`** โ Force-evicts AF_ALG modules from memory + checks for physical module files (root required)
## Checks
| Check | What it examines | Severity |
|-------|------------------|----------|
| **Process Context** | Current UID/GID and effective capabilities | Low |
| **AF_ALG Crypto Socket** | Kernel Crypto API accessibility via `socket(AF_ALG, ...)` | High |
| **kptr_restrict** | Kernel pointer visibility to userspace | Medium |
| **dmesg_restrict** | Kernel ring buffer access restriction | Medium |
| **SELinux** | Enforcing / Permissive / Disabled state | Medium |
| **/proc hidepid** | Whether `/proc` hides other processes' info | Low |
## Usage
### Audit (unprivileged)
```bash
./check.sh
```
### Containment (root required)
```bash
sudo ./solution.sh
```
## โ ๏ธ WARNING
**Running `solution.sh` on a live system that actively uses AF_ALG (e.g., a system with IPsec, dm-crypt/LUKS, or any hardware crypto offload) will instantly break all kernel crypto operations.** This includes:
- IPsec VPN connections and WireGuard
- Disk encryption (LUKS/dm-crypt)
- TLS termination using kernel-backed crypto
- Any container or application relying on `algif_*` socket interfaces
The script force-unloads AF_ALG kernel modules. Kernel crypto operations will fail until reboot. This script is intended **only for air-gapped, non-production, or disposable systems** for testing and analysis purposes. Do not run it on production or critical infrastructure.
## Requirements
- Linux (any distribution)
- `check.sh` requires no dependencies beyond POSIX shell and `/proc`/`/sys`
- `solution.sh` requires root privileges
## Mitigation
To definitively close the AF_ALG attack vector:
1. **Blacklist the kernel module** (most reliable):
```bash
echo "blacklist af_alg" | sudo tee /etc/modprobe.d/af_alg-blacklist.conf
```
Or rename the physical file:
```bash
sudo mv /lib/modules/$(uname -r)/kernel/crypto/af_alg.ko.xz \
/lib/modules/$(uname -r)/kernel/crypto/af_alg.ko.xz.bak
```
2. **Disable AF_ALG via sysctl**:
```bash
sudo sysctl -w net.core.af_alg_disabled=1
```
3. **Block AF_ALG socket creation via SELinux / AppArmor policy**
4. **Disable unprivileged user namespaces** (container environments):
```bash
sudo sysctl -w kernel.unprivileged_userns_clone=0
```
## License
MIT