# kconfig-hardened-check
-![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/a13xp0p0v/kconfig-hardened-check?label=release)
-![functional test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/functional%20test/badge.svg)
-[![Coverage Status](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
+[![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/a13xp0p0v/kconfig-hardened-check?label=release)](https://github.com/a13xp0p0v/kconfig-hardened-check/tags)<br />
+[![functional test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/functional%20test/badge.svg)](https://github.com/a13xp0p0v/kconfig-hardened-check/actions/workflows/functional_test.yml)
+[![functional test coverage](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg?flag=functional_test)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)<br />
+[![engine unit-test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/engine%20unit-test/badge.svg)](https://github.com/a13xp0p0v/kconfig-hardened-check/actions/workflows/engine_unit-test.yml)
+[![unit-test coverage](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg?flag=engine_unit-test)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
## Motivation
But nobody likes checking configs manually. So let the computers do their job!
-__kconfig-hardened-check__ helps me to check the Linux kernel options
-against my security hardening preferences, which are based on the
+__kconfig-hardened-check__ is a tool for checking the security hardening options of the Linux kernel.
+The recommendations are based on
- [KSPP recommended settings][1]
- [CLIP OS kernel configuration][2]
the threat model of your Linux-based information system and perform thorough testing
of its typical workload.
-## Repository mirrors
+## Repositories
- - At Codeberg: [https://codeberg.org/a13xp0p0v/kconfig-hardened-check](https://codeberg.org/a13xp0p0v/kconfig-hardened-check)
- - At GitFlic: [https://gitflic.ru/project/a13xp0p0v/kconfig-hardened-check](https://gitflic.ru/project/a13xp0p0v/kconfig-hardened-check)
+ - Main at GitHub <https://github.com/a13xp0p0v/kconfig-hardened-check>
+ - Mirror at Codeberg: <https://codeberg.org/a13xp0p0v/kconfig-hardened-check>
+ - Mirror at GitFlic: <https://gitflic.ru/project/a13xp0p0v/kconfig-hardened-check>
## Supported microarchitectures
## Usage
```
-usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]
- [-c CONFIG]
- [-l CMDLINE]
- [-m {verbose,json,show_ok,show_fail}]
+usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG]
+ [-l CMDLINE] [-m {verbose,json,show_ok,show_fail}]
A tool for checking the security hardening options of the Linux kernel
-optional arguments:
+options:
-h, --help show this help message and exit
--version show program's version number and exit
-p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
- print security hardening preferences for the selected architecture
+ print the security hardening recommendations for the selected
+ microarchitecture
-c CONFIG, --config CONFIG
- check the kernel kconfig file against these preferences
+ check the security hardening options in the kernel kconfig file (also
+ supports *.gz files)
-l CMDLINE, --cmdline CMDLINE
- check the kernel cmdline file against these preferences
+ check the security hardening options in the kernel cmdline file
-m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
choose the report mode
```