Add the 'dev.tty.legacy_tiocsti' check
[kconfig-hardened-check.git] / README.md
index 93307f99e3e725ac21c7ec9c95aa117d81508eaa..48aa1b0d1581380db073a223b209010c4dbe65f1 100644 (file)
--- a/README.md
+++ b/README.md
@@ -1,10 +1,11 @@
-# kernel-hardening-checker (formerly kconfig-hardened-check)
+# kernel-hardening-checker
 
-[![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/a13xp0p0v/kernel-hardening-checker?label=release)](https://github.com/a13xp0p0v/kernel-hardening-checker/tags)<br />
+__(formerly kconfig-hardened-check)__<br /><br />
 [![functional test](https://github.com/a13xp0p0v/kernel-hardening-checker/workflows/functional%20test/badge.svg)](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/functional_test.yml)
 [![functional test coverage](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker/graph/badge.svg?flag=functional_test)](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker)<br />
 [![engine unit-test](https://github.com/a13xp0p0v/kernel-hardening-checker/workflows/engine%20unit-test/badge.svg)](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/engine_unit-test.yml)
-[![unit-test coverage](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker/graph/badge.svg?flag=engine_unit-test)](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker)
+[![unit-test coverage](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker/graph/badge.svg?flag=engine_unit-test)](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker)<br />
+[![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/a13xp0p0v/kernel-hardening-checker?label=release)](https://github.com/a13xp0p0v/kernel-hardening-checker/tags)
 
 ## Motivation
 
@@ -14,7 +15,7 @@ make our systems more secure.
 
 But nobody likes checking configs manually. So let the computers do their job!
 
-__kernel-hardening-checker__ is a tool for checking the security hardening options of the Linux kernel. It supports checking:
+__kernel-hardening-checker__ (formerly __kconfig-hardened-check__) is a tool for checking the security hardening options of the Linux kernel. It supports checking:
 
   - Kconfig options (compile-time)
   - Kernel cmdline arguments (boot-time)
@@ -114,7 +115,7 @@ CONFIG_DEVMEM                           |kconfig| is not set |   kspp   |cut_att
 
 ## Example output for `Fedora 38` kernel configuration
 ```
-$ ./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/fedora_38.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt 
+$ ./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/fedora_38.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt
 [+] Kconfig file to check: kernel_hardening_checker/config_files/distros/fedora_38.config
 [+] Kernel cmdline file to check: /proc/cmdline
 [+] Sysctl output file to check: kernel_hardening_checker/config_files/distros/example_sysctls.txt
@@ -332,7 +333,6 @@ tsx_async_abort                         |cmdline| is not off |defconfig | self_p
 srbds                                   |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
 mmio_stale_data                         |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
 retbleed                                |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
-kpti                                    |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found
 rodata                                  |cmdline|     on     |defconfig | self_protection  | OK: rodata is not found
 nosmt                                   |cmdline| is present |   kspp   | self_protection  | FAIL: is not present
 mitigations                             |cmdline| auto,nosmt |   kspp   | self_protection  | FAIL: is not found
@@ -341,10 +341,10 @@ slub_merge                              |cmdline| is not set |   kspp   | self_p
 slab_nomerge                            |cmdline| is present |   kspp   | self_protection  | OK: CONFIG_SLAB_MERGE_DEFAULT is "is not set"
 init_on_alloc                           |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found
 init_on_free                            |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found
-iommu.strict                            |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found
-iommu.passthrough                       |cmdline|     0      |   kspp   | self_protection  | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set"
 hardened_usercopy                       |cmdline|     1      |   kspp   | self_protection  | OK: CONFIG_HARDENED_USERCOPY is "y"
 slab_common.usercopy_fallback           |cmdline|     0      |   kspp   | self_protection  | OK: CONFIG_HARDENED_USERCOPY_FALLBACK is not found
+iommu.strict                            |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found
+iommu.passthrough                       |cmdline|     0      |   kspp   | self_protection  | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set"
 randomize_kstack_offset                 |cmdline|     1      |   kspp   | self_protection  | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is "y"
 pti                                     |cmdline|     on     |   kspp   | self_protection  | FAIL: is not found
 page_alloc.shuffle                      |cmdline|     1      |  clipos  | self_protection  | FAIL: is not found
@@ -362,10 +362,8 @@ kernel.kexec_load_disabled              |sysctl |     1      |   kspp   |cut_att
 user.max_user_namespaces                |sysctl |     0      |   kspp   |cut_attack_surface| FAIL: "31021"
 dev.tty.ldisc_autoload                  |sysctl |     0      |   kspp   |cut_attack_surface| FAIL: "1"
 kernel.unprivileged_bpf_disabled        |sysctl |     1      |   kspp   |cut_attack_surface| OK
-kernel.kptr_restrict                    |sysctl |     1      |   kspp   |cut_attack_surface| FAIL: "0"
-kernel.yama.ptrace_scope                |sysctl |     1      |   kspp   |cut_attack_surface| FAIL: "0"
 
-[+] Config check is finished: 'OK' - 118 / 'FAIL' - 122
+[+] Config check is finished: 'OK' - 118 / 'FAIL' - 119
 ```
 
 ## Generating a Kconfig fragment with the security hardening options