1 # kernel-hardening-checker
3 __(formerly kconfig-hardened-check)__<br /><br />
4 [](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/functional_test.yml)
5 [](https://app.codecov.io/gh/a13xp0p0v/kernel-hardening-checker?flags%5B0%5D=functional_test)<br />
6 [](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/engine_unit-test.yml)
7 [](https://app.codecov.io/gh/a13xp0p0v/kernel-hardening-checker?flags%5B0%5D=engine_unit-test)<br />
8 [](https://github.com/a13xp0p0v/kernel-hardening-checker/tags)
9 [](https://www.gnu.org/licenses/gpl-3.0)
13 There are plenty of security hardening options for the Linux kernel. A lot of them are
14 not enabled by the major distros. We have to enable these options ourselves to
15 make our systems more secure.
17 But nobody likes checking configs manually. So let the computers do their job!
19 __kernel-hardening-checker__ (formerly __kconfig-hardened-check__) is a tool for checking the security hardening options of the Linux kernel.
25 - At GitHub <https://github.com/a13xp0p0v/kernel-hardening-checker>
26 - At Codeberg: <https://codeberg.org/a13xp0p0v/kernel-hardening-checker> (go there if something goes wrong with GitHub)
27 - At GitFlic: <https://gitflic.ru/project/a13xp0p0v/kernel-hardening-checker>
31 `kernel-hardening-checker` supports checking:
33 - Kconfig options (compile-time)
34 - Kernel cmdline arguments (boot-time)
35 - Sysctl parameters (runtime)
37 Supported microarchitectures:
44 The security hardening recommendations are based on:
46 - [KSPP recommended settings][1]
47 - [CLIP OS kernel configuration][2]
48 - Last public [grsecurity][3] patch (options which they disable)
49 - [SECURITY_LOCKDOWN_LSM][5] patchset
50 - [Direct feedback from the Linux kernel maintainers][23]
52 I also created the [__Linux Kernel Defence Map__][4], which is a graphical representation of the
53 relationships between security hardening features and the corresponding vulnerability classes
54 or exploitation techniques.
58 Changing Linux kernel security parameters may also affect system performance
59 and functionality of userspace software. So for choosing these parameters, consider
60 the threat model of your Linux-based information system and perform thorough testing
61 of its typical workload.
65 You can install the package:
68 pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker
71 or simply run `./bin/kernel-hardening-checker` from the cloned repository.
73 Some Linux distributions also provide `kernel-hardening-checker` as a package.
77 usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
78 [-c CONFIG] [-l CMDLINE] [-s SYSCTL] [-v KERNEL_VERSION]
79 [-p {X86_64,X86_32,ARM64,ARM}]
80 [-g {X86_64,X86_32,ARM64,ARM}]
82 A tool for checking the security hardening options of the Linux kernel
85 -h, --help show this help message and exit
86 --version show program's version number and exit
87 -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
88 choose the report mode
89 -c CONFIG, --config CONFIG
90 check the security hardening options in the kernel Kconfig file
91 (also supports *.gz files)
92 -l CMDLINE, --cmdline CMDLINE
93 check the security hardening options in the kernel cmdline file
94 (contents of /proc/cmdline)
95 -s SYSCTL, --sysctl SYSCTL
96 check the security hardening options in the sysctl output file
97 (`sudo sysctl -a > file`)
98 -v KERNEL_VERSION, --kernel-version KERNEL_VERSION
99 extract the version from the kernel version file (contents of
101 -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
102 print the security hardening recommendations for the selected
104 -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
105 generate a Kconfig fragment with the security hardening options
106 for the selected microarchitecture
111 - no `-m` argument for the default output mode (see the example below)
112 - `-m verbose` for printing additional info:
113 - config options without a corresponding check
114 - internals of complex checks with AND/OR, like this:
116 -------------------------------------------------------------------------------------------
118 CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface
119 CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface
120 -------------------------------------------------------------------------------------------
122 - `-m show_fail` for showing only the failed checks
123 - `-m show_ok` for showing only the successful checks
124 - `-m json` for printing the results in JSON format (for combining `kernel-hardening-checker` with other tools)
126 ## Example output for `Ubuntu 22.04` kernel configuration
128 $ ./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/ubuntu-22.04.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt
129 [+] Kconfig file to check: kernel_hardening_checker/config_files/distros/ubuntu-22.04.config
130 [+] Kernel cmdline file to check: /proc/cmdline
131 [+] Sysctl output file to check: kernel_hardening_checker/config_files/distros/example_sysctls.txt
132 [+] Detected microarchitecture: X86_64
133 [+] Detected kernel version: (5, 15, 0)
134 [+] Detected compiler: GCC 110200
135 =========================================================================================================================
136 option_name | type |desired_val | decision | reason | check_result
137 =========================================================================================================================
138 CONFIG_BUG |kconfig| y |defconfig | self_protection | OK
139 CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK
140 CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK
141 CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK
142 CONFIG_STACKPROTECTOR |kconfig| y |defconfig | self_protection | OK
143 CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | OK
144 CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK
145 CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK
146 CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | OK: version >= (5, 4, 208)
147 CONFIG_INIT_STACK_ALL_ZERO |kconfig| y |defconfig | self_protection | FAIL: is not found
148 CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK
149 CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK
150 CONFIG_SPECULATION_MITIGATIONS |kconfig| y |defconfig | self_protection | FAIL: is not found
151 CONFIG_DEBUG_WX |kconfig| y |defconfig | self_protection | OK
152 CONFIG_WERROR |kconfig| y |defconfig | self_protection | FAIL: "is not set"
153 CONFIG_X86_MCE |kconfig| y |defconfig | self_protection | OK
154 CONFIG_X86_MCE_INTEL |kconfig| y |defconfig | self_protection | OK
155 CONFIG_X86_MCE_AMD |kconfig| y |defconfig | self_protection | OK
156 CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK
157 CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK
158 CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK
159 CONFIG_MICROCODE_INTEL |kconfig| y |defconfig | self_protection | OK
160 CONFIG_MICROCODE_AMD |kconfig| y |defconfig | self_protection | OK
161 CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK
162 CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK
163 CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK
164 CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK
165 CONFIG_X86_KERNEL_IBT |kconfig| y |defconfig | self_protection | FAIL: is not found
166 CONFIG_CPU_SRSO |kconfig| y |defconfig | self_protection | FAIL: is not found
167 CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK
168 CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK
169 CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | FAIL: "is not set"
170 CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK
171 CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK
172 CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK
173 CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK
174 CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | FAIL: "is not set"
175 CONFIG_DEBUG_VIRTUAL |kconfig| y | kspp | self_protection | FAIL: "is not set"
176 CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set"
177 CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | OK
178 CONFIG_STATIC_USERMODEHELPER |kconfig| y | kspp | self_protection | FAIL: "is not set"
179 CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | OK
180 CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | kspp | self_protection | OK
181 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | kspp | self_protection | OK
182 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | kspp | self_protection | FAIL: "is not set"
183 CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set"
184 CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set"
185 CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK
186 CONFIG_KFENCE |kconfig| y | kspp | self_protection | OK
187 CONFIG_KFENCE_SAMPLE_INTERVAL |kconfig| is not off |a13xp0p0v | self_protection | FAIL: is off, "0"
188 CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: is not found
189 CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
190 CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK
191 CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | OK
192 CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig| is not set | kspp | self_protection | OK
193 CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: is not found
194 CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK
195 CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK
196 CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK
197 CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set"
198 CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
199 CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | kspp | self_protection | FAIL: "is not set"
200 CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | kspp | self_protection | OK
201 CONFIG_UBSAN_BOUNDS |kconfig| y | kspp | self_protection | OK
202 CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | kspp | self_protection | OK: CONFIG_UBSAN_BOUNDS is "y"
203 CONFIG_UBSAN_TRAP |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_ENUM is not "is not set"
204 CONFIG_UBSAN_SANITIZE_ALL |kconfig| y | kspp | self_protection | OK
205 CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: is not found
206 CONFIG_STACKLEAK_METRICS |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
207 CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
208 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | OK
209 CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_CLANG is not "y"
210 CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CC_IS_CLANG is not "y"
211 CONFIG_HW_RANDOM_TPM |kconfig| y | kspp | self_protection | OK
212 CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK
213 CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
214 CONFIG_IOMMU_DEFAULT_PASSTHROUGH |kconfig| is not set | kspp | self_protection | OK
215 CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | kspp | self_protection | OK
216 CONFIG_SLS |kconfig| y | kspp | self_protection | FAIL: is not found
217 CONFIG_INTEL_IOMMU_SVM |kconfig| y | kspp | self_protection | OK
218 CONFIG_AMD_IOMMU_V2 |kconfig| y | kspp | self_protection | FAIL: "m"
219 CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | FAIL: "y"
220 CONFIG_LIST_HARDENED |kconfig| y |a13xp0p0v | self_protection | FAIL: is not found
221 CONFIG_RANDOM_KMALLOC_CACHES |kconfig| y |a13xp0p0v | self_protection | FAIL: is not found
222 CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK
223 CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK
224 CONFIG_SECURITY_LANDLOCK |kconfig| y | kspp | security_policy | OK
225 CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK
226 CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | kspp | security_policy | FAIL: "y"
227 CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | kspp | security_policy | FAIL: "y"
228 CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | kspp | security_policy | OK: is not found
229 CONFIG_SECURITY_SELINUX_DEBUG |kconfig| is not set |a13xp0p0v | security_policy | OK: is not found
230 CONFIG_SECURITY_SELINUX |kconfig| y |a13xp0p0v | security_policy | OK
231 CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK
232 CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK
233 CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| OK
234 CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK
235 CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y |defconfig |cut_attack_surface| OK
236 CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| OK
237 CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| OK
238 CONFIG_COMPAT_BRK |kconfig| is not set | kspp |cut_attack_surface| OK
239 CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
240 CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
241 CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
242 CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
243 CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
244 CONFIG_LEGACY_PTYS |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
245 CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
246 CONFIG_COMPAT |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
247 CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
248 CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
249 CONFIG_X86_X32_ABI |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
250 CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
251 CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
252 CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
253 CONFIG_LEGACY_TIOCSTI |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
254 CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
255 CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
256 CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
257 CONFIG_LDISC_AUTOLOAD |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
258 CONFIG_COMPAT_VDSO |kconfig| is not set | kspp |cut_attack_surface| OK
259 CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
260 CONFIG_ZSMALLOC_STAT |kconfig| is not set | grsec |cut_attack_surface| OK
261 CONFIG_PAGE_OWNER |kconfig| is not set | grsec |cut_attack_surface| OK
262 CONFIG_DEBUG_KMEMLEAK |kconfig| is not set | grsec |cut_attack_surface| OK
263 CONFIG_BINFMT_AOUT |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
264 CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
265 CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
266 CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
267 CONFIG_FUNCTION_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
268 CONFIG_STACK_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
269 CONFIG_HIST_TRIGGERS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
270 CONFIG_BLK_DEV_IO_TRACE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
271 CONFIG_PROC_VMCORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
272 CONFIG_PROC_PAGE_MONITOR |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
273 CONFIG_USELIB |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
274 CONFIG_CHECKPOINT_RESTORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
275 CONFIG_USERFAULTFD |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
276 CONFIG_HWPOISON_INJECT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
277 CONFIG_MEM_SOFT_DIRTY |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
278 CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
279 CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
280 CONFIG_NOTIFIER_ERROR_INJECTION |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
281 CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
282 CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
283 CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
284 CONFIG_EDAC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
285 CONFIG_DRM_I915_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
286 CONFIG_BCACHE_CLOSURES_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
287 CONFIG_DVB_C8SECTPFE |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
288 CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
289 CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
290 CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
291 CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
292 CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
293 CONFIG_LATENCYTOP |kconfig| is not set | grsec |cut_attack_surface| OK
294 CONFIG_KCOV |kconfig| is not set | grsec |cut_attack_surface| OK
295 CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| OK
296 CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
297 CONFIG_PTDUMP_DEBUGFS |kconfig| is not set | grsec |cut_attack_surface| OK
298 CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_attack_surface| OK
299 CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
300 CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
301 CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
302 CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK: is not found
303 CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT |kconfig| is not set |maintainer|cut_attack_surface| OK
304 CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
305 CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
306 CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
307 CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
308 CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
309 CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
310 CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m"
311 CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
312 CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
313 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
314 CONFIG_AIO |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
315 CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m"
316 CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK
317 CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
318 CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
319 CONFIG_MMIOTRACE |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
320 CONFIG_LIVEPATCH |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
321 CONFIG_IP_DCCP |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
322 CONFIG_IP_SCTP |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
323 CONFIG_FTRACE |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
324 CONFIG_VIDEO_VIVID |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
325 CONFIG_INPUT_EVBUG |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
326 CONFIG_KGDB |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
327 CONFIG_CORESIGHT |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK: is not found
328 CONFIG_XFS_SUPPORT_V4 |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
329 CONFIG_TRIM_UNUSED_KSYMS |kconfig| y |a13xp0p0v |cut_attack_surface| FAIL: "is not set"
330 CONFIG_MODULE_FORCE_LOAD |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK
331 CONFIG_COREDUMP |kconfig| is not set | clipos | harden_userspace | FAIL: "y"
332 CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 |a13xp0p0v | harden_userspace | FAIL: "28"
333 nosmep |cmdline| is not set |defconfig | self_protection | OK: is not found
334 nosmap |cmdline| is not set |defconfig | self_protection | OK: is not found
335 nokaslr |cmdline| is not set |defconfig | self_protection | OK: is not found
336 nopti |cmdline| is not set |defconfig | self_protection | OK: is not found
337 nospectre_v1 |cmdline| is not set |defconfig | self_protection | OK: is not found
338 nospectre_v2 |cmdline| is not set |defconfig | self_protection | OK: is not found
339 nospectre_bhb |cmdline| is not set |defconfig | self_protection | OK: is not found
340 nospec_store_bypass_disable |cmdline| is not set |defconfig | self_protection | OK: is not found
341 dis_ucode_ldr |cmdline| is not set |defconfig | self_protection | OK: is not found
342 arm64.nobti |cmdline| is not set |defconfig | self_protection | OK: is not found
343 arm64.nopauth |cmdline| is not set |defconfig | self_protection | OK: is not found
344 arm64.nomte |cmdline| is not set |defconfig | self_protection | OK: is not found
345 spectre_v2 |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
346 spectre_v2_user |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
347 spec_store_bypass_disable |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
348 l1tf |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
349 mds |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
350 tsx_async_abort |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
351 srbds |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
352 mmio_stale_data |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
353 retbleed |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
354 spec_rstack_overflow |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
355 gather_data_sampling |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
356 rodata |cmdline| on |defconfig | self_protection | OK: rodata is not found
357 mitigations |cmdline| auto,nosmt | kspp | self_protection | FAIL: is not found
358 slab_merge |cmdline| is not set | kspp | self_protection | OK: is not found
359 slub_merge |cmdline| is not set | kspp | self_protection | OK: is not found
360 page_alloc.shuffle |cmdline| 1 | kspp | self_protection | FAIL: is not found
361 slab_nomerge |cmdline| is present | kspp | self_protection | FAIL: is not present
362 init_on_alloc |cmdline| 1 | kspp | self_protection | OK: CONFIG_INIT_ON_ALLOC_DEFAULT_ON is "y"
363 init_on_free |cmdline| 1 | kspp | self_protection | FAIL: is not found
364 hardened_usercopy |cmdline| 1 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY is "y"
365 slab_common.usercopy_fallback |cmdline| is not set | kspp | self_protection | OK: is not found
366 iommu.strict |cmdline| 1 | kspp | self_protection | FAIL: is not found
367 iommu.passthrough |cmdline| 0 | kspp | self_protection | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set"
368 randomize_kstack_offset |cmdline| 1 | kspp | self_protection | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is "y"
369 pti |cmdline| on | kspp | self_protection | FAIL: is not found
370 iommu |cmdline| force | clipos | self_protection | FAIL: is not found
371 kfence.sample_interval |cmdline| is not off |a13xp0p0v | self_protection | FAIL: is off, not found
372 tsx |cmdline| off |defconfig |cut_attack_surface| OK: CONFIG_X86_INTEL_TSX_MODE_OFF is "y"
373 nosmt |cmdline| is present | kspp |cut_attack_surface| FAIL: is not present
374 vsyscall |cmdline| none | kspp |cut_attack_surface| FAIL: is not found
375 vdso32 |cmdline| 0 | kspp |cut_attack_surface| OK: CONFIG_COMPAT_VDSO is "is not set"
376 debugfs |cmdline| off | grsec |cut_attack_surface| FAIL: is not found
377 sysrq_always_enabled |cmdline| is not set |a13xp0p0v |cut_attack_surface| OK: is not found
378 ia32_emulation |cmdline| 0 |a13xp0p0v |cut_attack_surface| FAIL: is not found
379 norandmaps |cmdline| is not set |defconfig | harden_userspace | OK: is not found
380 net.core.bpf_jit_harden |sysctl | 2 | kspp | self_protection | FAIL: "0"
381 kernel.dmesg_restrict |sysctl | 1 | kspp |cut_attack_surface| OK
382 kernel.perf_event_paranoid |sysctl | 3 | kspp |cut_attack_surface| FAIL: "4"
383 kernel.kexec_load_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0"
384 user.max_user_namespaces |sysctl | 0 | kspp |cut_attack_surface| FAIL: "31231"
385 dev.tty.ldisc_autoload |sysctl | 0 | kspp |cut_attack_surface| FAIL: "1"
386 kernel.unprivileged_bpf_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: "2"
387 kernel.kptr_restrict |sysctl | 2 | kspp |cut_attack_surface| FAIL: "1"
388 dev.tty.legacy_tiocsti |sysctl | 0 | kspp |cut_attack_surface| FAIL: is not found
389 vm.unprivileged_userfaultfd |sysctl | 0 | kspp |cut_attack_surface| OK
390 kernel.modules_disabled |sysctl | 1 | clipos |cut_attack_surface| FAIL: "0"
391 fs.protected_symlinks |sysctl | 1 | kspp | harden_userspace | OK
392 fs.protected_hardlinks |sysctl | 1 | kspp | harden_userspace | OK
393 fs.protected_fifos |sysctl | 2 | kspp | harden_userspace | FAIL: "1"
394 fs.protected_regular |sysctl | 2 | kspp | harden_userspace | OK
395 fs.suid_dumpable |sysctl | 0 | kspp | harden_userspace | FAIL: "2"
396 kernel.randomize_va_space |sysctl | 2 | kspp | harden_userspace | OK
397 kernel.yama.ptrace_scope |sysctl | 3 | kspp | harden_userspace | FAIL: "1"
399 [+] Config check is finished: 'OK' - 121 / 'FAIL' - 139
402 ## Generating a Kconfig fragment with the security hardening options
404 With the `-g` argument, the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.
406 This Kconfig fragment can be merged with the existing Linux kernel config:
408 $ ./bin/kernel-hardening-checker -g X86_64 > /tmp/fragment
410 $ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
411 Using .config as base
412 Merging /tmp/fragment
413 Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
414 Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
415 New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
419 ## Questions and answers
421 __Q:__ How all these kernel parameters influence the Linux kernel security?
423 __A:__ To answer this question, you can use the `kernel-hardening-checker` [sources of recommendations][24]
424 and the [Linux Kernel Defence Map][4] with its references.
428 __Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
430 __A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs,
431 but the tool recommends disabling it to cut the attack surface __of the kernel__.
435 - An LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
437 - A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541
439 - A good overview of the trade-off between having user namespaces enabled, disabled and available only for root: https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
443 __Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same?
445 __A:__ I personally don't support this recommendation because:
446 - It decreases system safety (kernel oops is still not a rare situation)
447 - It allows easier denial-of-service attacks for the whole system
449 I think having `CONFIG_BUG` is enough here.
450 If a kernel oops happens in the process context, the offending/attacking process is killed.
451 In other cases, the kernel panics, which is similar to `CONFIG_PANIC_ON_OOPS=y`.
455 __Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
456 Do I really need that feature?
458 __A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
459 ([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
460 requires the corresponding support in the userspace: see the [example implementation][11] by
461 Tycho Andersen [@tych0][12].
465 __Q:__ What about performance impact of these security hardening options?
467 __A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8].
468 A more detailed evaluation is in the TODO list (the issue [#66][21]).
472 __Q:__ Can I easily check which kernel versions support some Kconfig option?
474 __A:__ Yes. See the [LKDDb][18] project (Linux Kernel Driver Database) by Giacomo Catenazzi [@cateee][19].
475 You can use it for the `mainline` or `stable` tree from [kernel.org][20] or for your custom kernel sources.
479 __Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware?
481 __A:__ Checking the kernel config is not enough to answer this question.
482 I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14].
486 __Q:__ Why the `CONFIG_GCC_PLUGINS` option is automatically disabled during the kernel compilation?
488 __A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
489 try to install `gcc-7-plugin-dev` package, it should help.
492 [1]: https://kspp.github.io/Recommended_Settings
493 [2]: https://docs.clip-os.org/clipos/kernel.html#configuration
494 [3]: https://grsecurity.net/
495 [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
496 [5]: https://lwn.net/Articles/791863/
497 [6]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/38
498 [7]: https://github.com/BlackIkeEagle
499 [8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/
500 [9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
501 [10]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
502 [11]: https://github.com/tych0/huldufolk
503 [12]: https://github.com/tych0
504 [13]: https://github.com/speed47/spectre-meltdown-checker
505 [14]: https://github.com/speed47
506 [15]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/53
507 [16]: https://github.com/a13xp0p0v/kernel-hardening-checker/pull/54
508 [17]: https://github.com/a13xp0p0v/kernel-hardening-checker/pull/62
509 [18]: https://cateee.net/lkddb/web-lkddb/
510 [19]: https://github.com/cateee/lkddb
511 [20]: https://kernel.org/
512 [21]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/66
513 [22]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56
514 [23]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues?q=label%3Akernel_maintainer_feedback
515 [24]: https://github.com/a13xp0p0v/kernel-hardening-checker#motivation
projects / kconfig-hardened-check.git / blob