__kconfig-hardened-check.py__ helps me to check the Linux kernel Kconfig option list
against my hardening preferences, which are based on the
-[KSPP recommended settings][1] and last public [grsecurity][2] patch (options
-which they disable).
+
+ - [KSPP recommended settings][1],
+ - [CLIP OS kernel configuration][2],
+ - last public [grsecurity][3] patch (options which they disable).
Please don't cry if my Python code looks like C. I'm just a kernel developer.
### Usage
```
-#usage: kconfig-hardened-check.py [-h] [-p {X86_64,X86_32,ARM64,ARM}]
- [-c CONFIG] [--debug]
+usage: kconfig-hardened-check.py [-h] [-p {X86_64,X86_32,ARM64,ARM}]
+ [-c CONFIG] [--debug] [--json]
Checks the hardening options in the Linux kernel config
-c CONFIG, --config CONFIG
check the config_file against these preferences
--debug enable internal debug mode
+ --json print results in JSON format
```
CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection || OK
CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection || OK
CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection || OK
+CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection || FAIL: not found
CONFIG_FORTIFY_SOURCE | y | kspp | self_protection || OK
CONFIG_GCC_PLUGINS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || FAIL: not found
-CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || FAIL: not found
-CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || FAIL: not found
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || FAIL: not found
CONFIG_DEBUG_LIST | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_SG | y | kspp | self_protection || FAIL: "is not set"
CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection || FAIL: "is not set"
CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection || FAIL: "y"
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE| is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed
+CONFIG_GCC_PLUGIN_STACKLEAK | y | clipos | self_protection || FAIL: not found
+CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
+CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection || OK: not found
CONFIG_MICROCODE | y | clipos | self_protection || OK
-CONFIG_X86_MSR | y | clipos | self_protection || FAIL: "m"
CONFIG_IOMMU_SUPPORT | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection || FAIL: "is not set"
-CONFIG_AMD_IOMMU | y | my | self_protection || OK
-CONFIG_AMD_IOMMU_V2 | y | my | self_protection || FAIL: "m"
-CONFIG_GCC_PLUGIN_STACKLEAK | y | my | self_protection || FAIL: not found
-CONFIG_STACKLEAK_METRICS | is not set | my | self_protection ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
-CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | my | self_protection ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
+CONFIG_INIT_STACK_ALL | y | my | self_protection || FAIL: not found
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK
CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed
CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed
+CONFIG_AMD_IOMMU | y | my | self_protection || OK
+CONFIG_AMD_IOMMU_V2 | y | my | self_protection || FAIL: "m"
CONFIG_SECURITY | y |defconfig | security_policy || OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK
CONFIG_SECCOMP | y |defconfig | cut_attack_surface || OK
CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface || FAIL: "y"
CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface || FAIL: "y"
CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface || FAIL: "y"
+CONFIG_USER_NS | is not set | clipos | cut_attack_surface || FAIL: "y"
+CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface || OK: not found
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
-CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
-CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28"
+CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_protection|| FAIL: "28"
-[+] config check is finished: 'OK' - 49 / 'FAIL' - 71
+[+] config check is finished: 'OK' - 50 / 'FAIL' - 70
```
+## kconfig-hardened-check versioning
+
+I usually update the kernel hardening recommendations after each Linux kernel release.
+
+So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
+
+The version format is: __[major_number].[kernel_version]__
+
+The current version of `kconfig-hardened-check` is __0.5.2__, it's marked with the git tag.
+
-### Questions and answers
+## Questions and answers
__Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
[1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
-[2]: https://grsecurity.net/
+[2]: https://docs.clip-os.org/clipos/kernel.html#configuration
+[3]: https://grsecurity.net/