__kconfig-hardened-check.py__ helps me to check the Linux kernel Kconfig option list
against my hardening preferences, which are based on the
__kconfig-hardened-check.py__ helps me to check the Linux kernel Kconfig option list
against my hardening preferences, which are based on the
-[KSPP recommended settings][1] and last public [grsecurity][2] patch (options
-which they disable).
+
+ - [KSPP recommended settings][1],
+ - [CLIP OS kernel configuration][2],
+ - last public [grsecurity][3] patch (options which they disable).
-#usage: kconfig-hardened-check.py [-h] [-p {X86_64,X86_32,ARM64,ARM}]
- [-c CONFIG] [--debug]
+usage: kconfig-hardened-check.py [-h] [-p {X86_64,X86_32,ARM64,ARM}]
+ [-c CONFIG] [--debug] [--json]
-c CONFIG, --config CONFIG
check the config_file against these preferences
--debug enable internal debug mode
-c CONFIG, --config CONFIG
check the config_file against these preferences
--debug enable internal debug mode
CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection || FAIL: "is not set"
CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection || FAIL: "y"
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE| is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed
CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection || FAIL: "is not set"
CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection || FAIL: "y"
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE| is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed
CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection || OK: not found
CONFIG_MICROCODE | y | clipos | self_protection || OK
CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection || OK: not found
CONFIG_MICROCODE | y | clipos | self_protection || OK
CONFIG_IOMMU_SUPPORT | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection || FAIL: "is not set"
CONFIG_AMD_IOMMU | y | my | self_protection || OK
CONFIG_AMD_IOMMU_V2 | y | my | self_protection || FAIL: "m"
CONFIG_IOMMU_SUPPORT | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection || FAIL: "is not set"
CONFIG_AMD_IOMMU | y | my | self_protection || OK
CONFIG_AMD_IOMMU_V2 | y | my | self_protection || FAIL: "m"
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK
CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface || FAIL: "y"
CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface || FAIL: "y"
CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface || FAIL: "y"
CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface || FAIL: "y"
CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface || FAIL: "y"
CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface || FAIL: "y"
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"