# kernel.kptr_restrict=1
# lockdown=1
#
-# spectre_v2=on
-# pti=on
-# spec_store_bypass_disable=on
-# l1tf=full,force
-#
+# Mitigations of CPU vulnerabilities:
+# Аrch-independent:
+# mitigations=auto,nosmt
+# X86:
+# spectre_v2=on
+# pti=on
+# spec_store_bypass_disable=on
+# l1tf=full,force
+# mds=full,nosmt
+# ARM64:
+# ? CONFIG_HARDEN_BRANCH_PREDICTOR
+# kpti=on
+# ssbd=force-on
#
# N.B. Hardening sysctl's:
# net.core.bpf_jit_harden
+# kptr_restrict=2
import sys
from argparse import ArgumentParser
self.result = opt.result
return ret, self.result
elif not ret:
- # The requirement is not met. Skip the check.
- return False, ''
+ self.result = 'FAIL: CONFIG_{} is needed'.format(opt.name)
+ return False, self.result
sys.exit('[!] ERROR: invalid AND check')
page_poisoning_is_set))
if debug_mode or arch == 'X86_32':
checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'my', 'self_protection'))
+ if debug_mode or arch == 'ARM':
+ checklist.append(OptCheck('STACKPROTECTOR_PER_TASK', 'y', 'my', 'self_protection'))
if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
- checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy'))
+ checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy')) # and choose your favourite LSM
if debug_mode or arch == 'ARM':
- checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy'))
+ checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM
checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
- checklist.append(OptCheck('SECURITY_SELINUX_DISABLE', 'is not set', 'kspp', 'security_policy'))
checklist.append(OptCheck('SECCOMP', 'y', 'defconfig', 'cut_attack_surface'))
checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface'))
checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('KSM', 'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
+ checklist.append(OptCheck('IKCONFIG', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('KALLSYMS', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('X86_VSYSCALL_EMULATION', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('MAGIC_SYSRQ', 'is not set', 'clipos', 'cut_attack_surface'))
+
checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
checklist.append(OptCheck('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface'))
if debug_mode or arch == 'X86_32':
checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'my', 'cut_attack_surface'))
+ if debug_mode or arch == 'ARM64':
+ checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_protection'))
if debug_mode or arch == 'X86_64' or arch == 'ARM64':
checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '32', 'my', 'userspace_protection'))
if debug_mode or arch == 'X86_32' or arch == 'ARM':
def print_checklist(arch):
print('[+] Printing kernel hardening preferences for {}...'.format(arch))
- print(' {:<39}|{:^13}|{:^10}|{:^20}'.format(
+ print('{:^40}|{:^13}|{:^10}|{:^20}'.format(
'option name', 'desired val', 'decision', 'reason'))
- print(' ' + '=' * 86)
+ print('=' * 87)
for opt in checklist:
- print(' CONFIG_{:<32}|{:^13}|{:^10}|{:^20}'.format(
+ print('CONFIG_{:<33}|{:^13}|{:^10}|{:^20}'.format(
opt.name, opt.expected, opt.decision, opt.reason))
print()
def print_check_results():
- print(' {:<39}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
+ print('{:^40}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
'option name', 'desired val', 'decision', 'reason', 'check result'))
- print(' ' + '=' * 115)
+ print('=' * 116)
for opt in checklist:
- if opt.result:
- print(' CONFIG_{:<32}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
- opt.name, opt.expected, opt.decision, opt.reason, opt.result))
+ print('CONFIG_{:<33}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
+ opt.name, opt.expected, opt.decision, opt.reason, opt.result))
print()
construct_checklist(arch)
check_config_file(args.config)
- error_count = len(list(filter(lambda opt: opt.result and opt.result.startswith('FAIL'), checklist)))
- ok_count = len(list(filter(lambda opt: opt.result and opt.result.startswith('OK'), checklist)))
+ error_count = len(list(filter(lambda opt: opt.result.startswith('FAIL'), checklist)))
+ ok_count = len(list(filter(lambda opt: opt.result.startswith('OK'), checklist)))
if debug_mode:
sys.exit(0)
print('[+] config check is finished: \'OK\' - {} / \'FAIL\' - {}'.format(ok_count, error_count))
projects / kconfig-hardened-check.git / blobdiff