__kconfig-hardened-check__ helps me to check the Linux kernel options
against my security hardening preferences, which are based on the
- - [KSPP recommended settings][1],
- - [CLIP OS kernel configuration][2],
- - Last public [grsecurity][3] patch (options which they disable),
- - [SECURITY_LOCKDOWN_LSM][5] patchset,
- - [Direct feedback from the Linux kernel maintainers][23].
+ - [KSPP recommended settings][1]
+ - [CLIP OS kernel configuration][2]
+ - Last public [grsecurity][3] patch (options which they disable)
+ - [SECURITY_LOCKDOWN_LSM][5] patchset
+ - [Direct feedback from the Linux kernel maintainers][23]
This tool supports checking __Kconfig__ options and __kernel cmdline__ parameters.
-I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the
+I also created the [__Linux Kernel Defence Map__][4], which is a graphical representation of the
relationships between security hardening features and the corresponding vulnerability classes
or exploitation techniques.
+__Attention!__ Changing Linux kernel security parameters may also affect system performance
+and functionality of userspace software. So for choosing these parameters consider
+the threat model of your Linux-based information system and perform thorough testing
+of its typical workload.
+
## Supported microarchitectures
- X86_64
- ARM64
- ARM
-TODO: RISC-V (the issue [#56][22])
+TODO: RISC-V (issue [#56][22])
## Installation
CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK
CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK
+CONFIG_X86_MCE |kconfig| y |defconfig | self_protection | OK
+CONFIG_X86_MCE_INTEL |kconfig| y |defconfig | self_protection | OK
+CONFIG_X86_MCE_AMD |kconfig| y |defconfig | self_protection | OK
CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK
CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK
CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK: version >= 5.19
CONFIG_STATIC_USERMODEHELPER |kconfig| y | clipos | self_protection | FAIL: "is not set"
CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | clipos | self_protection | FAIL: "is not set"
CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | OK
+CONFIG_HW_RANDOM_TPM |kconfig| y | clipos | self_protection | OK
CONFIG_RANDOM_TRUST_BOOTLOADER |kconfig| is not set | clipos | self_protection | FAIL: "y"
CONFIG_RANDOM_TRUST_CPU |kconfig| is not set | clipos | self_protection | FAIL: "y"
CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL not "y"
CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK
CONFIG_SECURITY_LANDLOCK |kconfig| y | kspp | security_policy | OK
CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK
+CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | clipos | security_policy | FAIL: "y"
+CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | clipos | security_policy | FAIL: "y"
CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | clipos | security_policy | OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | clipos | security_policy | OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | clipos | security_policy | FAIL: "is not set"
CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | my | security_policy | OK: not found
-CONFIG_SECURITY_SAFESETID |kconfig| y | my | security_policy | FAIL: "is not set"
-CONFIG_SECURITY_LOADPIN |kconfig| y | my | security_policy | FAIL: "is not set"
-CONFIG_SECURITY_LOADPIN_ENFORCE |kconfig| y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y"
CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| OK
CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK
CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK
CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
+CONFIG_COREDUMP |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_LDISC_AUTOLOAD |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y | clipos |cut_attack_surface| OK
CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
vsyscall |cmdline| none | kspp |cut_attack_surface| FAIL: not found
debugfs |cmdline| off | grsec |cut_attack_surface| FAIL: not found
-[+] Config check is finished: 'OK' - 97 / 'FAIL' - 101
+[+] Config check is finished: 'OK' - 101 / 'FAIL' - 101
```
## kconfig-hardened-check versioning
## Questions and answers
+__Q:__ How all these kernel parameters influence the Linux kernel security?
+
+__A:__ To answer this question, you can use the `kconfig-hardened-check` [sources of recommendations][24]
+and the [Linux Kernel Defence Map][4] with its references.
+
+<br />
+
__Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
__A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs,
The rationale:
- - A nice LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
+ - An LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
- A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541
<br />
-__Q:__ Why `CONFIG_GCC_PLUGINS` is automatically disabled during the kernel compilation?
-
-__A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
-try to install `gcc-7-plugin-dev` package, it should help.
-
-<br />
-
__Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same?
__A:__ I personally don't support this recommendation because:
- It decreases system safety (kernel oops is still not a rare situation)
- - It allows easier denial-of-service attacks for the whole system.
+ - It allows easier denial-of-service attacks for the whole system
I think having `CONFIG_BUG` is enough here.
If a kernel oops happens in the process context, the offending/attacking process is killed.
-In other cases the kernel panics, which is similar to `CONFIG_PANIC_ON_OOPS=y`.
+In other cases, the kernel panics, which is similar to `CONFIG_PANIC_ON_OOPS=y`.
+
+<br />
+
+__Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
+Do I really need that feature?
+
+__A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
+([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
+requires the corresponding support in the userspace: see the [example implementation][11] by
+Tycho Andersen [@tych0][12].
<br />
__Q:__ Can I easily check which kernel versions support some Kconfig option?
-__A:__ Yes, see the [LKDDb][18] project (Linux Kernel Driver Database) by Giacomo Catenazzi [@cateee][19].
+__A:__ Yes. See the [LKDDb][18] project (Linux Kernel Driver Database) by Giacomo Catenazzi [@cateee][19].
You can use it for the `mainline` or `stable` tree from [kernel.org][20] or for your custom kernel sources.
<br />
-__Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
-Do I really need that feature?
+__Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware?
-__A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
-([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
-requires the corresponding support in the userspace: see the [example implementation][11] by
-Tycho Andersen [@tych0][12].
+__A:__ Checking the kernel config is not enough to answer this question.
+I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14].
<br />
-__Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware?
+__Q:__ Why the `CONFIG_GCC_PLUGINS` option is automatically disabled during the kernel compilation?
-__A:__ Checking the kernel config is not enough to answer this question.
-I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14].
+__A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
+try to install `gcc-7-plugin-dev` package, it should help.
[1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
[21]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/66
[22]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/56
[23]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues?q=label%3Akernel_maintainer_feedback
+[24]: https://github.com/a13xp0p0v/kconfig-hardened-check#motivation
projects / kconfig-hardened-check.git / blobdiff