# kconfig-hardened-check
![functional test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/functional%20test/badge.svg)
+[![Coverage Status](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
## Motivation
- [KSPP recommended settings][1],
- [CLIP OS kernel configuration][2],
- - last public [grsecurity][3] patch (options which they disable).
+ - last public [grsecurity][3] patch (options which they disable),
+ - [SECURITY_LOCKDOWN_LSM][5] patchset,
+ - direct feedback from Linux kernel maintainers (Daniel Vetter in [issue #38][6]).
I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the
relationships between these hardening features and the corresponding vulnerability classes
## Usage
```
usage: kconfig-hardened-check [-h] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG]
- [--debug] [--json]
+ [--debug] [--json] [--version]
Checks the hardening options in the Linux kernel config
check the config_file against these preferences
--debug enable verbose debug mode
--json print results in JSON format
+ --version show program's version number and exit
```
## Output for `Ubuntu 18.04 (Bionic Beaver with HWE)` kernel config
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK
+CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y"
+CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface | FAIL: "y"
CONFIG_X86_IOPL_IOPERM | is not set | lockdown | cut_attack_surface | OK: not found
CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m"
CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK
CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28"
-[+] config check is finished: 'OK' - 55 / 'FAIL' - 77
+[+] config check is finished: 'OK' - 56 / 'FAIL' - 79
```
## kconfig-hardened-check versioning
So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
-The version format is: __[major_number].[kernel_version]__
-
-The current version of `kconfig-hardened-check` is __0.5.5__, it's marked with the git tag.
+The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
## Questions and answers
[2]: https://docs.clip-os.org/clipos/kernel.html#configuration
[3]: https://grsecurity.net/
[4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
+[5]: https://lwn.net/Articles/791863/
+[6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38