Share
## https://sploitus.com/exploit?id=D48E3E6B-808C-5343-AFF5-E8D23CDA69C0
# SSIA - System Structural Integrity Audit

A tool kit for discovering, diagnosing, and containing LPE (Local Privilege Escalation) vectors through the Linux Kernel Crypto API (`AF_ALG`).

## Overview

This repository provides two scripts that form a **diagnose โ†’ contain โ†’ verify** workflow against privilege escalation attacks via `AF_ALG` (`socket(38, 5, 0)`):

- **`check.sh`** โ€” Multi-layer security posture audit (runs unprivileged)
- **`solution.sh`** โ€” Force-evicts AF_ALG modules from memory + checks for physical module files (root required)

## Checks

| Check | What it examines | Severity |
|-------|------------------|----------|
| **Process Context** | Current UID/GID and effective capabilities | Low |
| **AF_ALG Crypto Socket** | Kernel Crypto API accessibility via `socket(AF_ALG, ...)` | High |
| **kptr_restrict** | Kernel pointer visibility to userspace | Medium |
| **dmesg_restrict** | Kernel ring buffer access restriction | Medium |
| **SELinux** | Enforcing / Permissive / Disabled state | Medium |
| **/proc hidepid** | Whether `/proc` hides other processes' info | Low |

## Usage

### Audit (unprivileged)
```bash
./check.sh
```

### Containment (root required)

```bash
sudo ./solution.sh
```

## โš ๏ธ WARNING

**Running `solution.sh` on a live system that actively uses AF_ALG (e.g., a system with IPsec, dm-crypt/LUKS, or any hardware crypto offload) will instantly break all kernel crypto operations.** This includes:

- IPsec VPN connections and WireGuard
- Disk encryption (LUKS/dm-crypt)
- TLS termination using kernel-backed crypto
- Any container or application relying on `algif_*` socket interfaces

The script force-unloads AF_ALG kernel modules. Kernel crypto operations will fail until reboot. This script is intended **only for air-gapped, non-production, or disposable systems** for testing and analysis purposes. Do not run it on production or critical infrastructure.

## Requirements

- Linux (any distribution)
- `check.sh` requires no dependencies beyond POSIX shell and `/proc`/`/sys`
- `solution.sh` requires root privileges

## Mitigation

To definitively close the AF_ALG attack vector:

1. **Blacklist the kernel module** (most reliable):
   ```bash
   echo "blacklist af_alg" | sudo tee /etc/modprobe.d/af_alg-blacklist.conf
   ```
   Or rename the physical file:
   ```bash
   sudo mv /lib/modules/$(uname -r)/kernel/crypto/af_alg.ko.xz \
           /lib/modules/$(uname -r)/kernel/crypto/af_alg.ko.xz.bak
   ```

2. **Disable AF_ALG via sysctl**:
   ```bash
   sudo sysctl -w net.core.af_alg_disabled=1
   ```

3. **Block AF_ALG socket creation via SELinux / AppArmor policy**

4. **Disable unprivileged user namespaces** (container environments):
   ```bash
   sudo sysctl -w kernel.unprivileged_userns_clone=0
   ```

## License

MIT