Improve the hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
[kconfig-hardened-check.git] / README.md
index 919654006c5b15cffad92e5cf0e3a59a194c70fe..36ecedca4b562607a0cc74159ea757accc6cb1ce 100644 (file)
--- a/README.md
+++ b/README.md
@@ -1,8 +1,11 @@
-# kconfig-hardened-check
+# kernel-hardening-checker
 
-![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/a13xp0p0v/kconfig-hardened-check?label=release)
-![functional test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/functional%20test/badge.svg)
-[![Coverage Status](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
+__(formerly kconfig-hardened-check)__<br /><br />
+[![functional test](https://github.com/a13xp0p0v/kernel-hardening-checker/workflows/functional%20test/badge.svg)](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/functional_test.yml)
+[![functional test coverage](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker/graph/badge.svg?flag=functional_test)](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker)<br />
+[![engine unit-test](https://github.com/a13xp0p0v/kernel-hardening-checker/workflows/engine%20unit-test/badge.svg)](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/engine_unit-test.yml)
+[![unit-test coverage](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker/graph/badge.svg?flag=engine_unit-test)](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker)<br />
+[![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/a13xp0p0v/kernel-hardening-checker?label=release)](https://github.com/a13xp0p0v/kernel-hardening-checker/tags)
 
 ## Motivation
 
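Review bot: the two Codecov badges on the `+[![functional test coverage]` and `+[![unit-test coverage]` lines both link to the same repository root at codecov.io, so the per-flag badges lead to one page; link each to its own flag view or keep a single coverage link. The `__(formerly kconfig-hardened-check)__<br /><br />` line also mixes raw HTML line breaks into Markdown; a paragraph break gives the same spacing in renderers that strip HTML.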
@@ -12,8 +15,13 @@ make our systems more secure.
 
 But nobody likes checking configs manually. So let the computers do their job!
 
-__kconfig-hardened-check__ helps me to check the Linux kernel options
-against my security hardening preferences, which are based on the
+__kernel-hardening-checker__ (formerly __kconfig-hardened-check__) is a tool for checking the security hardening options of the Linux kernel. It supports checking:
+
+  - Kconfig options (compile-time)
+  - Kernel cmdline arguments (boot-time)
+  - Sysctl parameters (runtime)
+
+The security hardening recommendations are based on:
 
   - [KSPP recommended settings][1]
   - [CLIP OS kernel configuration][2]
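Review bot: the rewritten intro drops the old "my security hardening preferences" wording, but the example output later in this file still uses `my` as a decision value (for instance the `CONFIG_SECURITY_SELINUX ... |    my    |` and `CONFIG_LEGACY_TIOCSTI ... |    my    |` rows), and nothing in the new text explains what that label means; add an entry to the "recommendations are based on" list, or a short sentence, saying that `my` marks the author's own recommendations and what the other decision labels (`defconfig`, `kspp`, `clipos`, `grsec`, `lockdown`, `maintainer`) stand for.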
@@ -21,21 +29,20 @@ against my security hardening preferences, which are based on the
   - [SECURITY_LOCKDOWN_LSM][5] patchset
   - [Direct feedback from the Linux kernel maintainers][23]
 
-This tool supports checking __Kconfig__ options and __kernel cmdline__ parameters.
-
 I also created the [__Linux Kernel Defence Map__][4], which is a graphical representation of the
 relationships between security hardening features and the corresponding vulnerability classes
 or exploitation techniques.
 
 __Attention!__ Changing Linux kernel security parameters may also affect system performance
-and functionality of userspace software. So for choosing these parameters consider
+and functionality of userspace software. So for choosing these parameters, consider
 the threat model of your Linux-based information system and perform thorough testing
 of its typical workload.
 
-## Repository mirrors
+## Repositories
 
- - At Codeberg: [https://codeberg.org/a13xp0p0v/kconfig-hardened-check](https://codeberg.org/a13xp0p0v/kconfig-hardened-check)
- - At GitFlic: [https://gitflic.ru/project/a13xp0p0v/kconfig-hardened-check](https://gitflic.ru/project/a13xp0p0v/kconfig-hardened-check)
+ - Main at GitHub <https://github.com/a13xp0p0v/kernel-hardening-checker>
+ - Mirror at Codeberg: <https://codeberg.org/a13xp0p0v/kernel-hardening-checker>
+ - Mirror at GitFlic: <https://gitflic.ru/project/a13xp0p0v/kernel-hardening-checker>
 
 ## Supported microarchitectures
 
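Review bot: the `+ - Main at GitHub <https://github.com/...>` line lacks the colon that the two mirror lines put after the site name; make the three entries consistent (`Main at GitHub: <...>`). Removing "This tool supports checking __Kconfig__ options and __kernel cmdline__ parameters." is right, since the new list in the previous hunk supersedes it, but the kept "I also created the Linux Kernel Defence Map" now sits a few lines below the impersonal "is a tool for checking", so the README switches voice within one section; pick one.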
@@ -51,33 +58,45 @@ TODO: RISC-V (issue [#56][22])
 You can install the package:
 
 ```
-pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check
+pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker
 ```
 
-or simply run `./bin/kconfig-hardened-check` from the cloned repository.
+or simply run `./bin/kernel-hardening-checker` from the cloned repository.
 
-Some Linux distributions also provide `kconfig-hardened-check` as a package.
+Some Linux distributions also provide `kernel-hardening-checker` as a package.
 
 ## Usage
 ```
-usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]
-                              [-c CONFIG]
-                              [-l CMDLINE]
-                              [-m {verbose,json,show_ok,show_fail}]
+usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
+                                [-c CONFIG] [-l CMDLINE] [-s SYSCTL] [-v KERNEL_VERSION]
+                                [-p {X86_64,X86_32,ARM64,ARM}]
+                                [-g {X86_64,X86_32,ARM64,ARM}]
 
 A tool for checking the security hardening options of the Linux kernel
 
-optional arguments:
+options:
   -h, --help            show this help message and exit
   --version             show program's version number and exit
-  -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
-                        print security hardening preferences for the selected architecture
-  -c CONFIG, --config CONFIG
-                        check the kernel kconfig file against these preferences
-  -l CMDLINE, --cmdline CMDLINE
-                        check the kernel cmdline file against these preferences
   -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
                         choose the report mode
+  -c CONFIG, --config CONFIG
+                        check the security hardening options in the kernel Kconfig file
+                        (also supports *.gz files)
+  -l CMDLINE, --cmdline CMDLINE
+                        check the security hardening options in the kernel cmdline file
+                        (contents of /proc/cmdline)
+  -s SYSCTL, --sysctl SYSCTL
+                        check the security hardening options in the sysctl output file
+                        (`sudo sysctl -a > file`)
+  -v KERNEL_VERSION, --kernel-version KERNEL_VERSION
+                        extract the version from the kernel version file (contents of
+                        /proc/version)
+  -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
+                        print the security hardening recommendations for the selected
+                        microarchitecture
+  -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
+                        generate a Kconfig fragment with the security hardening options
+                        for the selected microarchitecture
 ```
 
 ## Output modes
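Review bot: the new `-v KERNEL_VERSION, --kernel-version` help text says what the option reads ("contents of /proc/version") but not when it is needed; the example below already prints "Detected kernel version" from the Kconfig file alone, so a sentence in the README should say whether `-v` is only required when no `-c` file is given. The `Some Linux distributions also provide \`kernel-hardening-checker\` as a package` line was renamed mechanically; distribution packages may still carry the old `kconfig-hardened-check` name, so consider mentioning both names until the packages catch up.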
@@ -89,32 +108,33 @@ optional arguments:
 ```
 -------------------------------------------------------------------------------------------
     <<< OR >>>                                                                             
-CONFIG_STRICT_DEVMEM                         |      y      |defconfig | cut_attack_surface 
-CONFIG_DEVMEM                                | is not set  |   kspp   | cut_attack_surface 
+CONFIG_STRICT_DEVMEM                    |kconfig|     y      |defconfig |cut_attack_surface
+CONFIG_DEVMEM                           |kconfig| is not set |   kspp   |cut_attack_surface
 -------------------------------------------------------------------------------------------
 ```
   - `-m show_fail` for showing only the failed checks
   - `-m show_ok` for showing only the successful checks
-  - `-m json` for printing the results in JSON format (for combining `kconfig-hardened-check` with other tools)
+  - `-m json` for printing the results in JSON format (for combining `kernel-hardening-checker` with other tools)
 
-## Example output for `Fedora 36` kernel configuration
+## Example output for `Fedora 38` kernel configuration
 ```
-$ ./bin/kconfig-hardened-check -c /boot/config-6.0.18-200.fc36.x86_64 -l /proc/cmdline
-[+] Kconfig file to check: /boot/config-6.0.18-200.fc36.x86_64
+$ ./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/fedora_38.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt
+[+] Kconfig file to check: kernel_hardening_checker/config_files/distros/fedora_38.config
 [+] Kernel cmdline file to check: /proc/cmdline
-[+] Detected architecture: X86_64
-[+] Detected kernel version: 6.0
-[+] Detected compiler: GCC 120201
+[+] Sysctl output file to check: kernel_hardening_checker/config_files/distros/example_sysctls.txt
+[+] Detected microarchitecture: X86_64
+[+] Detected kernel version: 6.3
+[+] Detected compiler: GCC 130101
 =========================================================================================================================
               option name               | type  |desired val | decision |      reason      | check result
 =========================================================================================================================
 CONFIG_BUG                              |kconfig|     y      |defconfig | self_protection  | OK
 CONFIG_SLUB_DEBUG                       |kconfig|     y      |defconfig | self_protection  | OK
 CONFIG_THREAD_INFO_IN_TASK              |kconfig|     y      |defconfig | self_protection  | OK
-CONFIG_GCC_PLUGINS                      |kconfig|     y      |defconfig | self_protection  | OK
+CONFIG_GCC_PLUGINS                      |kconfig|     y      |defconfig | self_protection  | FAIL: "is not set"
 CONFIG_IOMMU_SUPPORT                    |kconfig|     y      |defconfig | self_protection  | OK
 CONFIG_STACKPROTECTOR                   |kconfig|     y      |defconfig | self_protection  | OK
-CONFIG_STACKPROTECTOR_STRONG            |kconfig|     y      |defconfig | self_protection  | FAIL: "is not set"
+CONFIG_STACKPROTECTOR_STRONG            |kconfig|     y      |defconfig | self_protection  | OK
 CONFIG_STRICT_KERNEL_RWX                |kconfig|     y      |defconfig | self_protection  | OK
 CONFIG_STRICT_MODULE_RWX                |kconfig|     y      |defconfig | self_protection  | OK
 CONFIG_REFCOUNT_FULL                    |kconfig|     y      |defconfig | self_protection  | OK: version >= 5.5
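Review bot: the example command mixes two checked-in samples (`kernel_hardening_checker/config_files/distros/fedora_38.config` and `example_sysctls.txt`) with the live `/proc/cmdline` of the machine the example was run on, so the cmdline rows in this output cannot be reproduced from the repository and the reader never sees which cmdline produced them; point `-l` at a sample file under `config_files/` too, or quote the cmdline contents above the output. The heading "Example output for `Fedora 38` kernel configuration" also no longer covers the sysctl part, which comes from a generic sample rather than from Fedora.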
@@ -132,6 +152,7 @@ CONFIG_X86_SMAP                         |kconfig|     y      |defconfig | self_p
 CONFIG_X86_UMIP                         |kconfig|     y      |defconfig | self_protection  | OK
 CONFIG_PAGE_TABLE_ISOLATION             |kconfig|     y      |defconfig | self_protection  | OK
 CONFIG_RANDOMIZE_MEMORY                 |kconfig|     y      |defconfig | self_protection  | OK
+CONFIG_X86_KERNEL_IBT                   |kconfig|     y      |defconfig | self_protection  | OK
 CONFIG_INTEL_IOMMU                      |kconfig|     y      |defconfig | self_protection  | OK
 CONFIG_AMD_IOMMU                        |kconfig|     y      |defconfig | self_protection  | OK
 CONFIG_BUG_ON_DATA_CORRUPTION           |kconfig|     y      |   kspp   | self_protection  | OK
@@ -150,12 +171,12 @@ CONFIG_KFENCE                           |kconfig|     y      |   kspp   | self_p
 CONFIG_ZERO_CALL_USED_REGS              |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
 CONFIG_HW_RANDOM_TPM                    |kconfig|     y      |   kspp   | self_protection  | OK
 CONFIG_STATIC_USERMODEHELPER            |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
-CONFIG_RANDSTRUCT_FULL                  |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+CONFIG_RANDSTRUCT_FULL                  |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
 CONFIG_RANDSTRUCT_PERFORMANCE           |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
 CONFIG_HARDENED_USERCOPY                |kconfig|     y      |   kspp   | self_protection  | OK
 CONFIG_HARDENED_USERCOPY_FALLBACK       |kconfig| is not set |   kspp   | self_protection  | OK: is not found
 CONFIG_HARDENED_USERCOPY_PAGESPAN       |kconfig| is not set |   kspp   | self_protection  | OK: is not found
-CONFIG_GCC_PLUGIN_LATENT_ENTROPY        |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+CONFIG_GCC_PLUGIN_LATENT_ENTROPY        |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_GCC_PLUGINS is not "y"
 CONFIG_MODULE_SIG                       |kconfig|     y      |   kspp   | self_protection  | OK
 CONFIG_MODULE_SIG_ALL                   |kconfig|     y      |   kspp   | self_protection  | OK
 CONFIG_MODULE_SIG_SHA512                |kconfig|     y      |   kspp   | self_protection  | OK
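Review bot: the `+CONFIG_RANDSTRUCT_FULL ... FAIL: is not found` line gives a bare "is not found", while the `+CONFIG_GCC_PLUGIN_LATENT_ENTROPY` line in the same hunk explains its failure as `CONFIG_GCC_PLUGINS is not "y"`. On a GCC-built kernel the RANDSTRUCT options only become visible when the GCC plugins are enabled, so the symbol is absent here for the same root cause; reporting it the same way would make the example output consistent and more useful to a reader who has to act on it. Worth checking the check definition before this output becomes the reference example.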
@@ -168,9 +189,9 @@ CONFIG_UBSAN_BOUNDS                     |kconfig|     y      |   kspp   | self_p
 CONFIG_UBSAN_LOCAL_BOUNDS               |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
 CONFIG_UBSAN_TRAP                       |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
 CONFIG_UBSAN_SANITIZE_ALL               |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
-CONFIG_GCC_PLUGIN_STACKLEAK             |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
-CONFIG_STACKLEAK_METRICS                |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
-CONFIG_STACKLEAK_RUNTIME_DISABLE        |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
+CONFIG_GCC_PLUGIN_STACKLEAK             |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_GCC_PLUGINS is not "y"
+CONFIG_STACKLEAK_METRICS                |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_GCC_PLUGINS is not "y"
+CONFIG_STACKLEAK_RUNTIME_DISABLE        |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_GCC_PLUGINS is not "y"
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT  |kconfig|     y      |   kspp   | self_protection  | OK
 CONFIG_CFI_CLANG                        |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
 CONFIG_CFI_PERMISSIVE                   |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_CFI_CLANG is not "y"
@@ -193,6 +214,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM            |kconfig|     y      |   kspp   | securi
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY      |kconfig|     y      |   kspp   | security_policy  | OK
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig|     y      |   kspp   | security_policy  | FAIL: "is not set"
 CONFIG_SECURITY_WRITABLE_HOOKS          |kconfig| is not set |   kspp   | security_policy  | OK: is not found
+CONFIG_SECURITY_SELINUX                 |kconfig|     y      |    my    | security_policy  | OK
 CONFIG_SECCOMP                          |kconfig|     y      |defconfig |cut_attack_surface| OK
 CONFIG_SECCOMP_FILTER                   |kconfig|     y      |defconfig |cut_attack_surface| OK
 CONFIG_BPF_UNPRIV_DEFAULT_OFF           |kconfig|     y      |defconfig |cut_attack_surface| OK
@@ -202,7 +224,6 @@ CONFIG_SECURITY_DMESG_RESTRICT          |kconfig|     y      |   kspp   |cut_att
 CONFIG_ACPI_CUSTOM_METHOD               |kconfig| is not set |   kspp   |cut_attack_surface| OK
 CONFIG_COMPAT_BRK                       |kconfig| is not set |   kspp   |cut_attack_surface| OK
 CONFIG_DEVKMEM                          |kconfig| is not set |   kspp   |cut_attack_surface| OK: is not found
-CONFIG_COMPAT_VDSO                      |kconfig| is not set |   kspp   |cut_attack_surface| OK
 CONFIG_BINFMT_MISC                      |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "m"
 CONFIG_INET_DIAG                        |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
 CONFIG_KEXEC                            |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
@@ -220,7 +241,7 @@ CONFIG_MODULES                          |kconfig| is not set |   kspp   |cut_att
 CONFIG_DEVMEM                           |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
 CONFIG_IO_STRICT_DEVMEM                 |kconfig|     y      |   kspp   |cut_attack_surface| OK
 CONFIG_LDISC_AUTOLOAD                   |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
-CONFIG_LEGACY_VSYSCALL_NONE             |kconfig|     y      |   kspp   |cut_attack_surface| FAIL: "is not set"
+CONFIG_COMPAT_VDSO                      |kconfig| is not set |   kspp   |cut_attack_surface| OK
 CONFIG_ZSMALLOC_STAT                    |kconfig| is not set |  grsec   |cut_attack_surface| OK
 CONFIG_PAGE_OWNER                       |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
 CONFIG_DEBUG_KMEMLEAK                   |kconfig| is not set |  grsec   |cut_attack_surface| OK
@@ -264,10 +285,10 @@ CONFIG_FB                               |kconfig| is not set |maintainer|cut_att
 CONFIG_VT                               |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
 CONFIG_BLK_DEV_FD                       |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
 CONFIG_BLK_DEV_FD_RAWCMD                |kconfig| is not set |maintainer|cut_attack_surface| OK
+CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT       |kconfig| is not set |maintainer|cut_attack_surface| OK: is not found
 CONFIG_STAGING                          |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
 CONFIG_KSM                              |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
 CONFIG_KALLSYMS                         |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
-CONFIG_X86_VSYSCALL_EMULATION           |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
 CONFIG_MAGIC_SYSRQ                      |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
 CONFIG_KEXEC_FILE                       |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
 CONFIG_USER_NS                          |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
@@ -276,21 +297,25 @@ CONFIG_X86_IOPL_IOPERM                  |kconfig| is not set |  clipos  |cut_att
 CONFIG_ACPI_TABLE_UPGRADE               |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS         |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
 CONFIG_COREDUMP                         |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+CONFIG_X86_VSYSCALL_EMULATION           |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
 CONFIG_EFI_TEST                         |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m"
 CONFIG_MMIOTRACE_TEST                   |kconfig| is not set | lockdown |cut_attack_surface| OK
 CONFIG_KPROBES                          |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
 CONFIG_BPF_SYSCALL                      |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
+CONFIG_LEGACY_TIOCSTI                   |kconfig| is not set |    my    |cut_attack_surface| OK
 CONFIG_MMIOTRACE                        |kconfig| is not set |    my    |cut_attack_surface| FAIL: "y"
 CONFIG_LIVEPATCH                        |kconfig| is not set |    my    |cut_attack_surface| FAIL: "y"
 CONFIG_IP_DCCP                          |kconfig| is not set |    my    |cut_attack_surface| OK
 CONFIG_IP_SCTP                          |kconfig| is not set |    my    |cut_attack_surface| FAIL: "m"
 CONFIG_FTRACE                           |kconfig| is not set |    my    |cut_attack_surface| FAIL: "y"
-CONFIG_VIDEO_VIVID                      |kconfig| is not set |    my    |cut_attack_surface| OK: is not found
+CONFIG_VIDEO_VIVID                      |kconfig| is not set |    my    |cut_attack_surface| FAIL: "m"
 CONFIG_INPUT_EVBUG                      |kconfig| is not set |    my    |cut_attack_surface| OK
 CONFIG_KGDB                             |kconfig| is not set |    my    |cut_attack_surface| FAIL: "y"
+CONFIG_AIO                              |kconfig| is not set |    my    |cut_attack_surface| FAIL: "y"
+CONFIG_CORESIGHT                        |kconfig| is not set |    my    |cut_attack_surface| OK: is not found
+CONFIG_XFS_SUPPORT_V4                   |kconfig| is not set |    my    |cut_attack_surface| FAIL: "y"
 CONFIG_TRIM_UNUSED_KSYMS                |kconfig|     y      |    my    |cut_attack_surface| FAIL: is not found
-CONFIG_INTEGRITY                        |kconfig|     y      |defconfig | harden_userspace | OK
-CONFIG_ARCH_MMAP_RND_BITS               |kconfig|     32     |  clipos  | harden_userspace | FAIL: "28"
+CONFIG_ARCH_MMAP_RND_BITS               |kconfig|     32     |    my    | harden_userspace | FAIL: "28"
 nosmep                                  |cmdline| is not set |defconfig | self_protection  | OK: is not found
 nosmap                                  |cmdline| is not set |defconfig | self_protection  | OK: is not found
 nokaslr                                 |cmdline| is not set |defconfig | self_protection  | OK: is not found
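Review bot: the `CONFIG_ARCH_MMAP_RND_BITS` row changes its decision from `clipos` to `my`, the `CONFIG_INTEGRITY` row disappears, and new rows for `CONFIG_LEGACY_TIOCSTI`, `CONFIG_AIO`, `CONFIG_CORESIGHT` and `CONFIG_XFS_SUPPORT_V4` appear, yet the commit title only names the MMAP_RND_BITS refinement and the README carries no changelog for the rest. Split the rename, badge and usage-text edits from the example-output refresh, or at least list the added and dropped checks in the commit message so these output changes can be traced to the engine changes that caused them.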
@@ -302,53 +327,70 @@ nospec_store_bypass_disable             |cmdline| is not set |defconfig | self_p
 arm64.nobti                             |cmdline| is not set |defconfig | self_protection  | OK: is not found
 arm64.nopauth                           |cmdline| is not set |defconfig | self_protection  | OK: is not found
 arm64.nomte                             |cmdline| is not set |defconfig | self_protection  | OK: is not found
-mitigations                             |cmdline| is not off |defconfig | self_protection  | OK: mitigations is not found
-spectre_v2                              |cmdline| is not off |defconfig | self_protection  | OK: spectre_v2 is not found
-spectre_v2_user                         |cmdline| is not off |defconfig | self_protection  | OK: spectre_v2_user is not found
-spec_store_bypass_disable               |cmdline| is not off |defconfig | self_protection  | OK: spec_store_bypass_disable is not found
-l1tf                                    |cmdline| is not off |defconfig | self_protection  | OK: l1tf is not found
-mds                                     |cmdline| is not off |defconfig | self_protection  | OK: mds is not found
-tsx_async_abort                         |cmdline| is not off |defconfig | self_protection  | OK: tsx_async_abort is not found
-srbds                                   |cmdline| is not off |defconfig | self_protection  | OK: srbds is not found
-mmio_stale_data                         |cmdline| is not off |defconfig | self_protection  | OK: mmio_stale_data is not found
-retbleed                                |cmdline| is not off |defconfig | self_protection  | OK: retbleed is not found
-kpti                                    |cmdline| is not off |defconfig | self_protection  | OK: kpti is not found
-kvm.nx_huge_pages                       |cmdline| is not off |defconfig | self_protection  | OK: kvm.nx_huge_pages is not found
-rodata                                  |cmdline|     1      |defconfig | self_protection  | OK: rodata is not found
+spectre_v2                              |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
+spectre_v2_user                         |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
+spec_store_bypass_disable               |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
+l1tf                                    |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
+mds                                     |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
+tsx_async_abort                         |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
+srbds                                   |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
+mmio_stale_data                         |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
+retbleed                                |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
+rodata                                  |cmdline|     on     |defconfig | self_protection  | OK: rodata is not found
 nosmt                                   |cmdline| is present |   kspp   | self_protection  | FAIL: is not present
 nosmt                                   |cmdline| is present |   kspp   | self_protection  | FAIL: is not present
+mitigations                             |cmdline| auto,nosmt |   kspp   | self_protection  | FAIL: is not found
+slab_merge                              |cmdline| is not set |   kspp   | self_protection  | OK: is not found
+slub_merge                              |cmdline| is not set |   kspp   | self_protection  | OK: is not found
+slab_nomerge                            |cmdline| is present |   kspp   | self_protection  | OK: CONFIG_SLAB_MERGE_DEFAULT is "is not set"
 init_on_alloc                           |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found
 init_on_free                            |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found
 init_on_alloc                           |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found
 init_on_free                            |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found
-slab_nomerge                            |cmdline| is present |   kspp   | self_protection  | OK: CONFIG_SLAB_MERGE_DEFAULT is "is not set"
-iommu.strict                            |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found
-iommu.passthrough                       |cmdline|     0      |   kspp   | self_protection  | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set"
 hardened_usercopy                       |cmdline|     1      |   kspp   | self_protection  | OK: CONFIG_HARDENED_USERCOPY is "y"
 slab_common.usercopy_fallback           |cmdline|     0      |   kspp   | self_protection  | OK: CONFIG_HARDENED_USERCOPY_FALLBACK is not found
 hardened_usercopy                       |cmdline|     1      |   kspp   | self_protection  | OK: CONFIG_HARDENED_USERCOPY is "y"
 slab_common.usercopy_fallback           |cmdline|     0      |   kspp   | self_protection  | OK: CONFIG_HARDENED_USERCOPY_FALLBACK is not found
+iommu.strict                            |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found
+iommu.passthrough                       |cmdline|     0      |   kspp   | self_protection  | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set"
 randomize_kstack_offset                 |cmdline|     1      |   kspp   | self_protection  | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is "y"
 pti                                     |cmdline|     on     |   kspp   | self_protection  | FAIL: is not found
 page_alloc.shuffle                      |cmdline|     1      |  clipos  | self_protection  | FAIL: is not found
 iommu                                   |cmdline|   force    |  clipos  | self_protection  | FAIL: is not found
 tsx                                     |cmdline|    off     |defconfig |cut_attack_surface| OK: CONFIG_X86_INTEL_TSX_MODE_OFF is "y"
 vsyscall                                |cmdline|    none    |   kspp   |cut_attack_surface| FAIL: is not found
 randomize_kstack_offset                 |cmdline|     1      |   kspp   | self_protection  | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is "y"
 pti                                     |cmdline|     on     |   kspp   | self_protection  | FAIL: is not found
 page_alloc.shuffle                      |cmdline|     1      |  clipos  | self_protection  | FAIL: is not found
 iommu                                   |cmdline|   force    |  clipos  | self_protection  | FAIL: is not found
 tsx                                     |cmdline|    off     |defconfig |cut_attack_surface| OK: CONFIG_X86_INTEL_TSX_MODE_OFF is "y"
 vsyscall                                |cmdline|    none    |   kspp   |cut_attack_surface| FAIL: is not found
+vdso32                                  |cmdline|     1      |    my    |cut_attack_surface| OK: CONFIG_COMPAT_VDSO is "is not set"
 debugfs                                 |cmdline|    off     |  grsec   |cut_attack_surface| FAIL: is not found
 sysrq_always_enabled                    |cmdline| is not set |    my    |cut_attack_surface| OK: is not found
 debugfs                                 |cmdline|    off     |  grsec   |cut_attack_surface| FAIL: is not found
 sysrq_always_enabled                    |cmdline| is not set |    my    |cut_attack_surface| OK: is not found
-
-[+] Config check is finished: 'OK' - 122 / 'FAIL' - 101
+norandmaps                              |cmdline| is not set |defconfig | harden_userspace | OK: is not found
+net.core.bpf_jit_harden                 |sysctl |     2      |   kspp   | self_protection  | FAIL: "0"
+kernel.dmesg_restrict                   |sysctl |     1      |   kspp   |cut_attack_surface| FAIL: "0"
+kernel.perf_event_paranoid              |sysctl |     3      |   kspp   |cut_attack_surface| FAIL: "2"
+kernel.kexec_load_disabled              |sysctl |     1      |   kspp   |cut_attack_surface| FAIL: "0"
+user.max_user_namespaces                |sysctl |     0      |   kspp   |cut_attack_surface| FAIL: "31021"
+dev.tty.ldisc_autoload                  |sysctl |     0      |   kspp   |cut_attack_surface| FAIL: "1"
+kernel.unprivileged_bpf_disabled        |sysctl |     1      |   kspp   |cut_attack_surface| OK
+
+[+] Config check is finished: 'OK' - 118 / 'FAIL' - 119
 ```
 
 ```
 
-## kconfig-hardened-check versioning
-
-I usually update the kernel security hardening recommendations every few kernel releases.
+## Generating a Kconfig fragment with the security hardening options
 
 
-So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
-
-The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
+With the `-g` argument, the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.
 
 
+This Kconfig fragment can be merged with the existing Linux kernel config:
+```
+$ ./bin/kernel-hardening-checker -g X86_64 > /tmp/fragment
+$ cd ~/linux-src/
+$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
+Using .config as base
+Merging /tmp/fragment
+Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
+Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
+New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
+ ...
+```
 
 ## Questions and answers
 
 __Q:__ How all these kernel parameters influence the Linux kernel security?
 
 
 ## Questions and answers
 
 __Q:__ How all these kernel parameters influence the Linux kernel security?
 
-__A:__ To answer this question, you can use the `kconfig-hardened-check` [sources of recommendations][24]
+__A:__ To answer this question, you can use the `kernel-hardening-checker` [sources of recommendations][24]
 and the [Linux Kernel Defence Map][4] with its references.
 
 <br />
 and the [Linux Kernel Defence Map][4] with its references.
 
 <br />
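Review bot: the new "Generating a Kconfig fragment" example needs a caveat on the `./scripts/kconfig/merge_config.sh .config /tmp/fragment` step: without `-m` the script runs `make alldefconfig` with the merged file as KCONFIG_ALLCONFIG and rewrites `.config` in the kernel tree in place, and any fragment option whose dependencies are unmet in the base config ends up reported as "Value requested for ... not in final .config" rather than applied. Suggest adding one sentence telling the reader to run the checker again on the merged `.config` to confirm which FAIL rows were actually fixed. Separately, in the cmdline rows above, `FAIL: is off, not found` for `spectre_v2`, `l1tf`, `mds` and the other mitigations reads as contradictory when `mitigations` itself is reported `FAIL: is not found`; the README should explain why an absent parameter now fails the `is not off` check that previously reported `OK: ... is not found`, otherwise readers will think the kernel default disables these mitigations.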
@@ -422,7 +464,7 @@ try to install `gcc-7-plugin-dev` package, it should help.
 [3]: https://grsecurity.net/
 [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
 [5]: https://lwn.net/Articles/791863/
 [3]: https://grsecurity.net/
 [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
 [5]: https://lwn.net/Articles/791863/
-[6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38
+[6]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/38
 [7]: https://github.com/BlackIkeEagle
 [8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/
 [9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
 [7]: https://github.com/BlackIkeEagle
 [8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/
 [9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
@@ -431,13 +473,13 @@ try to install `gcc-7-plugin-dev` package, it should help.
 [12]: https://github.com/tych0
 [13]: https://github.com/speed47/spectre-meltdown-checker
 [14]: https://github.com/speed47
 [12]: https://github.com/tych0
 [13]: https://github.com/speed47/spectre-meltdown-checker
 [14]: https://github.com/speed47
-[15]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/53
-[16]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/54
-[17]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/62
+[15]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/53
+[16]: https://github.com/a13xp0p0v/kernel-hardening-checker/pull/54
+[17]: https://github.com/a13xp0p0v/kernel-hardening-checker/pull/62
 [18]: https://cateee.net/lkddb/web-lkddb/
 [19]: https://github.com/cateee/lkddb
 [20]: https://kernel.org/
 [18]: https://cateee.net/lkddb/web-lkddb/
 [19]: https://github.com/cateee/lkddb
 [20]: https://kernel.org/
-[21]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/66
-[22]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/56
-[23]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues?q=label%3Akernel_maintainer_feedback
-[24]: https://github.com/a13xp0p0v/kconfig-hardened-check#motivation
+[21]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/66
+[22]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56
+[23]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues?q=label%3Akernel_maintainer_feedback
+[24]: https://github.com/a13xp0p0v/kernel-hardening-checker#motivation
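Review bot: [24] links the README's own Motivation section through the absolute `https://github.com/a13xp0p0v/kernel-hardening-checker#motivation` URL; a relative `#motivation` anchor would keep working in forks, mirrors and after any future rename without another edit. The repository rename itself is applied consistently across [15]-[17] and [21]-[24].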