- [KSPP recommended settings][1],
- [CLIP OS kernel configuration][2],
- - last public [grsecurity][3] patch (options which they disable),
+ - Last public [grsecurity][3] patch (options which they disable),
- [SECURITY_LOCKDOWN_LSM][5] patchset,
- - direct feedback from Linux kernel maintainers (Daniel Vetter in [issue #38][6]).
+ - Direct feedback from Linux kernel maintainers (see [#38][6], [#53][15], [#54][16]).
I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the
relationships between security hardening features and the corresponding vulnerability classes
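Review bot: the rewritten feedback item drops the maintainer's name (the old line credited Daniel Vetter for issue #38) and now cites three bare numbers, so readers lose both the attribution and the distinction between an issue and a pull request; suggest keeping the name where it applies and labelling each reference, e.g. "Direct feedback from Linux kernel maintainers (Daniel Vetter in [issue #38][6], [issue #53][15], [PR #54][16])". The capitalisation change on the two edited items is fine and matches the other entries, which already start with an uppercase proper noun.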
CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK
CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface | OK: not found
-CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface | FAIL: "y"
-CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_KPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_UPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_FUNCTION_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_STACK_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_HIST_TRIGGERS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_BLK_DEV_IO_TRACE | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m"
-CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_FAIL_FUTEX | is not set |grsecurity| cut_attack_surface | OK: not found
+CONFIG_PUNIT_ATOM_DEBUG | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_ACPI_CONFIGFS | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_EDAC_DEBUG | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_DRM_I915_DEBUG | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_BCACHE_CLOSURES_DEBUG | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_DVB_C8SECTPFE | is not set |grsecurity| cut_attack_surface | OK: not found
+CONFIG_MTD_SLRAM | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_MTD_PHRAM | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_IO_URING | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_KCMP | is not set |grsecurity| cut_attack_surface | OK: not found
+CONFIG_RSEQ | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_LATENCYTOP | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_KCOV | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_PROVIDE_OHCI1394_DMA_INIT | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_SUNRPC_DEBUG | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_PTDUMP_DEBUGFS | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK
CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_USER_NS | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | FAIL: "m"
CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m"
-CONFIG_IO_URING | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK: not found
CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface | OK: not found
CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m"
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y"
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK
+CONFIG_KPROBES | is not set | lockdown | cut_attack_surface | FAIL: "y"
CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | FAIL: not found
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | FAIL: "y"
CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK
CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28"
-[+] Config check is finished: 'OK' - 59 / 'FAIL' - 85
+[+] Config check is finished: 'OK' - 68 / 'FAIL' - 96
```
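Review bot: two checks silently change their source attribution in the sample output without any explanation elsewhere in the README: CONFIG_IO_URING is dropped from the clipos rows and reappears as a grsecurity row, and CONFIG_KPROBES is dropped from grsecurity (replaced there by CONFIG_KPROBE_EVENTS and CONFIG_UPROBE_EVENTS) and reappears under lockdown; a sentence in the text above, or a comment in the source where these checks are defined, stating why they were re-sourced would let readers verify the recommendation against the cited document. The renamed CONFIG_X86_PTDUMP row becomes CONFIG_PTDUMP_DEBUGFS, which reads as a kernel-side rename rather than a policy change, so it may be worth saying so as well. The new summary line is consistent with the table edits: 24 rows added and 4 removed against the previous 144 gives 164, matching 'OK' - 68 / 'FAIL' - 96.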
## kconfig-hardened-check versioning
[12]: https://github.com/tych0
[13]: https://github.com/speed47/spectre-meltdown-checker
[14]: https://github.com/speed47
+[15]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/53
+[16]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/54
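Review bot: reference [15] points at an issue and [16] at a pull request, but the list item that cites them refers to both as plain "#53" and "#54"; since the existing style for [6] spells out "issue #38", consider wording the citations as "issue #53" and "PR #54" so the link type is clear before the reader follows it. The new definitions themselves follow the existing numbering sequence and URL style, so no change is needed here.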