-# Kconfig hardened check
+# kconfig-hardened-check
+
+![functional test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/functional%20test/badge.svg)
+[![Coverage Status](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
## Motivation
- [KSPP recommended settings][1],
- [CLIP OS kernel configuration][2],
- - last public [grsecurity][3] patch (options which they disable).
+ - last public [grsecurity][3] patch (options which they disable),
+ - [SECURITY_LOCKDOWN_LSM][5] patchset,
+ - direct feedback from Linux kernel maintainers (Daniel Vetter in [issue #38][6]).
I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the
relationships between these hardening features and the corresponding vulnerability classes
- ARM64
- ARM
-## Script output examples
+## Installation
+
+You can install the package:
-### Usage
```
-usage: kconfig-hardened-check.py [-h] [-p {X86_64,X86_32,ARM64,ARM}]
- [-c CONFIG] [--debug] [--json]
+pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check
+```
+
+or simply run `./bin/kconfig-hardened-check` from the cloned repository.
+
+## Usage
+```
+usage: kconfig-hardened-check [-h] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG]
+ [--debug] [--json] [--version]
Checks the hardening options in the Linux kernel config
check the config_file against these preferences
--debug enable verbose debug mode
--json print results in JSON format
+ --version show program's version number and exit
```
-### Script output for `Ubuntu 18.04 (Bionic Beaver with HWE)` kernel config
+## Output for `Ubuntu 18.04 (Bionic Beaver with HWE)` kernel config
```
-$ ./kconfig-hardened-check.py -c config_files/distros/ubuntu-bionic-generic.config
-[+] Trying to detect architecture in "config_files/distros/ubuntu-bionic-generic.config"...
+$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config
+[+] Trying to detect architecture in "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config"...
[+] Detected architecture: X86_64
-[+] Trying to detect kernel version in "config_files/distros/ubuntu-bionic-generic.config"...
+[+] Trying to detect kernel version in "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config"...
[+] Found version line: "# Linux/x86 5.3.0-28-generic Kernel Configuration"
[+] Detected kernel version: 5.3
-[+] Checking "config_files/distros/ubuntu-bionic-generic.config" against X86_64 hardening preferences...
+[+] Checking "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config" against X86_64 hardening preferences...
=========================================================================================================================
option name | desired val | decision | reason | check result
=========================================================================================================================
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK
+CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y"
+CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface | FAIL: "y"
CONFIG_X86_IOPL_IOPERM | is not set | lockdown | cut_attack_surface | OK: not found
CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m"
CONFIG_FTRACE | is not set | my | cut_attack_surface | FAIL: "y"
CONFIG_BPF_JIT | is not set | my | cut_attack_surface | FAIL: "y"
CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | FAIL: "m"
+CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | FAIL: "m"
CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK
CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28"
-[+] config check is finished: 'OK' - 55 / 'FAIL' - 77
+[+] config check is finished: 'OK' - 56 / 'FAIL' - 80
```
## kconfig-hardened-check versioning
So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
-The version format is: __[major_number].[kernel_version]__
-
-The current version of `kconfig-hardened-check` is __0.5.3__, it's marked with the git tag.
+The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
## Questions and answers
__Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
__A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs,
-but the script recommends disabling it to cut the attack surface __of the kernel__.
+but the tool recommends disabling it to cut the attack surface __of the kernel__.
The rationale:
[2]: https://docs.clip-os.org/clipos/kernel.html#configuration
[3]: https://grsecurity.net/
[4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
+[5]: https://lwn.net/Articles/791863/
+[6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38