===================================================================================================================
CONFIG_BUG | y |defconfig | self_protection || OK
CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection || OK
- CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection ||CONFIG_CC_STACKPROTECTOR_STRONG: OK ("y")
+ CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection ||OK: CONFIG_CC_STACKPROTECTOR_STRONG "y"
CONFIG_SLUB_DEBUG | y |defconfig | self_protection || OK
CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection || OK
CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection || OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_WX | y | kspp | self_protection || OK
CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection || OK
- CONFIG_PAGE_POISONING | y | kspp | self_protection || FAIL: "is not set"
CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection || OK
CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection || OK
- CONFIG_HARDENED_USERCOPY | y | kspp | self_protection || OK
- CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK: not found
CONFIG_FORTIFY_SOURCE | y | kspp | self_protection || OK
CONFIG_GCC_PLUGINS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || FAIL: not found
CONFIG_DEBUG_SG | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection || FAIL: "is not set"
+ CONFIG_PAGE_POISONING | y | kspp | self_protection || FAIL: "is not set"
+ CONFIG_HARDENED_USERCOPY | y | kspp | self_protection || OK
+ CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK: not found
CONFIG_MODULE_SIG | y | kspp | self_protection || OK
CONFIG_MODULE_SIG_ALL | y | kspp | self_protection || OK
CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection || OK
CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK
- CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || OK: not found
- CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK: not found
CONFIG_SLAB_MERGE_DEFAULT | is not set | my | self_protection || FAIL: "y"
+ CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed
+ CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed
CONFIG_SECURITY | y |defconfig | security_policy || OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK
CONFIG_SECURITY_SELINUX_DISABLE | is not set | kspp | security_policy || OK
CONFIG_SECCOMP | y |defconfig | cut_attack_surface || OK
CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface || OK
CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface || OK
+ CONFIG_MODULES | is not set | kspp | cut_attack_surface || FAIL: "y"
+ CONFIG_DEVMEM | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface || OK
CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface || OK
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28"
-[-] config check is NOT PASSED: 56 errors
+[+] config check is finished: 'OK' - 43 / 'FAIL' - 60
```
-__Go and fix them all!__
+### Questions and answers
+
+__Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
+
+__A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs,
+but the script recommends disabling it to cut the attack surface __of the kernel__.
+
+The rationale:
+
+ - A nice LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
+
+ - A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541
+
+<br />
+
+__Q:__ Why `CONFIG_GCC_PLUGINS` is automatically disabled during the kernel compilation?
-N.B. If `CONFIG_GCC_PLUGIN*` options are automatically disabled during your kernel compilation,
-then your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu, try to install
-`gcc-7-plugin-dev` package, it should help.
+__A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
+try to install `gcc-7-plugin-dev` package, it should help.
[1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings