### Usage
```
#./kconfig-hardened-check.py
-Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
- -p, --print
- print hardening preferences
- -c <config_file>, --config=<config_file>
- check the config_file against these preferences
+usage: kconfig-hardened-check.py [-h] [-p] [-c CONFIG] [--debug]
+
+Checks the hardening options in the Linux kernel config
+
+optional arguments:
+ -h, --help show this help message and exit
+ -p, --print print hardening preferences
+ -c CONFIG, --config CONFIG
+ check the config_file against these preferences
+ --debug enable internal debug mode
```
### Script output for `Ubuntu 18.04 (Bionic Beaver)` kernel config
```
-./kconfig-hardened-check.py -c ubuntu-bionic-generic.config
+./kconfig-hardened-check.py -c config_files/ubuntu-bionic-generic.config
[+] Checking "ubuntu-bionic-generic.config" against hardening preferences...
option name | desired val | decision | reason || check result
===========================================================================================================
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: "is not set"
- CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || FAIL: not found
+ CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK: not found
CONFIG_GCC_PLUGIN_STACKLEAK | y | my | self_protection || FAIL: not found
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || FAIL: "is not set"
CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set"
- CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || FAIL: not found
- CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || FAIL: not found
+ CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || OK: not found
+ CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK: not found
CONFIG_SECURITY | y | ubuntu18 | security_policy || OK
CONFIG_SECURITY_YAMA | y | ubuntu18 | security_policy || OK
CONFIG_SECURITY_SELINUX_DISABLE | is not set | ubuntu18 | security_policy || OK
CONFIG_ZSMALLOC_STAT | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_PAGE_OWNER | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_DEBUG_KMEMLEAK | is not set | ubuntu18 | cut_attack_surface || OK
+ CONFIG_BINFMT_AOUT | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28"
CONFIG_LKDTM | m | my | feature_test || FAIL: "is not set"
-[-] config check is NOT PASSED: 55 errors
+[-] config check is NOT PASSED: 52 errors
```
__Go and fix them all!__
projects / kconfig-hardened-check.git / blobdiff