checklist.append(OptCheck('SLAB_FREELIST_RANDOM', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('FORTIFY_SOURCE', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('GCC_PLUGINS', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('GCC_PLUGIN_RANDSTRUCT', 'y', 'kspp', 'self_protection'))
+ randstruct_is_set = OptCheck('GCC_PLUGIN_RANDSTRUCT', 'y', 'kspp', 'self_protection')
+ checklist.append(randstruct_is_set)
checklist.append(OptCheck('GCC_PLUGIN_STRUCTLEAK', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('GCC_PLUGIN_LATENT_ENTROPY', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('SYN_COOKIES', 'y', 'kspp', 'self_protection')) # another reason?
checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '32768', 'kspp', 'self_protection'))
+ checklist.append(OptCheck('DEBUG_VIRTUAL', 'y', 'clipos', 'self_protection'))
+ checklist.append(AND(OptCheck('GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set', 'clipos', 'self_protection'), \
+ randstruct_is_set))
+ if debug_mode or arch == 'X86_64' or arch == 'X86_32':
+ checklist.append(OptCheck('RANDOM_TRUST_CPU', 'is not set', 'clipos', 'self_protection'))
+ checklist.append(OptCheck('MICROCODE', 'y', 'clipos', 'self_protection')) # is needed for mitigating CPU bugs
+ checklist.append(OptCheck('X86_MSR', 'y', 'clipos', 'self_protection')) # is needed for mitigating CPU bugs
+ iommu_support_is_set = OptCheck('IOMMU_SUPPORT', 'y', 'clipos', 'self_protection') # is needed for mitigating DMA attacks
+ checklist.append(iommu_support_is_set)
+ checklist.append(AND(OptCheck('INTEL_IOMMU', 'y', 'clipos', 'self_protection'), \
+ iommu_support_is_set))
+ checklist.append(AND(OptCheck('INTEL_IOMMU_SVM', 'y', 'clipos', 'self_protection'), \
+ iommu_support_is_set))
+ checklist.append(AND(OptCheck('INTEL_IOMMU_DEFAULT_ON', 'y', 'clipos', 'self_protection'), \
+ iommu_support_is_set))
+
if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
- checklist.append(OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection'))
+ stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection')
+ checklist.append(stackleak_is_set)
+ checklist.append(AND(OptCheck('STACKLEAK_METRICS', 'is not set', 'my', 'self_protection'), \
+ stackleak_is_set))
+ checklist.append(AND(OptCheck('STACKLEAK_RUNTIME_DISABLE','is not set', 'my', 'self_protection'), \
+ stackleak_is_set))
checklist.append(OptCheck('LOCK_DOWN_KERNEL', 'y', 'my', 'self_protection')) # remember about LOCK_DOWN_MANDATORY
checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('STACKPROTECTOR_PER_TASK', 'y', 'my', 'self_protection'))
if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
- checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy'))
+ checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy')) # and choose your favourite LSM
if debug_mode or arch == 'ARM':
- checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy'))
+ checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM
checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
- checklist.append(OptCheck('SECURITY_SELINUX_DISABLE', 'is not set', 'kspp', 'security_policy'))
checklist.append(OptCheck('SECCOMP', 'y', 'defconfig', 'cut_attack_surface'))
checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface'))
checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('KSM', 'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
+ checklist.append(OptCheck('IKCONFIG', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('KALLSYMS', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('X86_VSYSCALL_EMULATION', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('MAGIC_SYSRQ', 'is not set', 'clipos', 'cut_attack_surface'))
+
checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
checklist.append(OptCheck('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface'))
def print_checklist(arch):
print('[+] Printing kernel hardening preferences for {}...'.format(arch))
- print(' {:<39}|{:^13}|{:^10}|{:^20}'.format(
+ print('{:^40}|{:^13}|{:^10}|{:^20}'.format(
'option name', 'desired val', 'decision', 'reason'))
- print(' ' + '=' * 86)
+ print('=' * 87)
for opt in checklist:
- print(' CONFIG_{:<32}|{:^13}|{:^10}|{:^20}'.format(
+ print('CONFIG_{:<33}|{:^13}|{:^10}|{:^20}'.format(
opt.name, opt.expected, opt.decision, opt.reason))
print()
def print_check_results():
- print(' {:<39}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
+ print('{:^40}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
'option name', 'desired val', 'decision', 'reason', 'check result'))
- print(' ' + '=' * 115)
+ print('=' * 116)
for opt in checklist:
- print(' CONFIG_{:<32}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
+ print('CONFIG_{:<33}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
opt.name, opt.expected, opt.decision, opt.reason, opt.result))
print()
projects / kconfig-hardened-check.git / blobdiff