### Usage
```
#./kconfig-hardened-check.py
-Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
- -p, --print
- print hardening preferences
- -c <config_file>, --config=<config_file>
- check the config_file against these preferences
+usage: kconfig-hardened-check.py [-h] [-p] [-c CONFIG] [--debug]
+
+Checks the hardening options in the Linux kernel config
+
+optional arguments:
+ -h, --help show this help message and exit
+ -p, --print print hardening preferences
+ -c CONFIG, --config CONFIG
+ check the config_file against these preferences
+ --debug enable internal debug mode
```
### Script output for `Ubuntu 18.04 (Bionic Beaver)` kernel config
```
-./kconfig-hardened-check.py -c ubuntu-bionic-generic.config
+./kconfig-hardened-check.py -c config_files/ubuntu-bionic-generic.config
[+] Checking "ubuntu-bionic-generic.config" against hardening preferences...
option name | desired val | decision | reason || check result
===========================================================================================================
CONFIG_ZSMALLOC_STAT | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_PAGE_OWNER | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_DEBUG_KMEMLEAK | is not set | ubuntu18 | cut_attack_surface || OK
+ CONFIG_BINFMT_AOUT | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m"
projects / kconfig-hardened-check.git / blobdiff