from collections import OrderedDict
import re
import json
+from .__about__ import __version__
# debug_mode enables:
# - reporting about unknown kernel options in the config,
print('| {}'.format(self.result), end='')
+class PresenceCheck:
+ def __init__(self, name):
+ self.name = name
+ self.state = None
+ self.result = None
+
+ def check(self):
+ if self.state is None:
+ self.result = 'FAIL: not present'
+ return False, self.result
+ else:
+ self.result = 'OK: is present'
+ return True, self.result
+
+ def table_print(self, with_results):
+ print('CONFIG_{:<84}'.format(self.name + ' is present'), end='')
+ if with_results:
+ print('| {}'.format(self.result), end='')
+
+
class ComplexOptCheck:
def __init__(self, *opts):
self.opts = opts
o.table_print(with_results)
else:
o = self.opts[0]
- o.table_print(with_results)
+ o.table_print(False)
+ if with_results:
+ print('| {}'.format(self.result), end='')
class OR(ComplexOptCheck):
checklist.append(OptCheck('DEBUG_FS', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN
checklist.append(OptCheck('NOTIFIER_ERROR_INJECTION','is not set', 'grsecurity', 'cut_attack_surface'))
+ checklist.append(OptCheck('DRM_LEGACY', 'is not set', 'maintainer', 'cut_attack_surface'))
+ checklist.append(OptCheck('FB', 'is not set', 'maintainer', 'cut_attack_surface'))
+ checklist.append(OptCheck('VT', 'is not set', 'maintainer', 'cut_attack_surface'))
+
checklist.append(OptCheck('ACPI_TABLE_UPGRADE', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
checklist.append(OptCheck('X86_IOPL_IOPERM', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
checklist.append(OptCheck('EFI_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
checklist.append(OptCheck('X86_MSR', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN
checklist.append(OptCheck('X86_CPUID', 'is not set', 'clipos', 'cut_attack_surface'))
checklist.append(AND(OptCheck('LDISC_AUTOLOAD', 'is not set', 'clipos', 'cut_attack_surface'), \
- VerCheck((5, 1)))) # LDISC_AUTOLOAD can be disabled since v5.1
+ PresenceCheck('LDISC_AUTOLOAD')))
checklist.append(OptCheck('AIO', 'is not set', 'grapheneos', 'cut_attack_surface'))
checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCKDOWN
checklist.append(OptCheck('BPF_JIT', 'is not set', 'my', 'cut_attack_surface'))
checklist.append(OptCheck('VIDEO_VIVID', 'is not set', 'my', 'cut_attack_surface'))
+ checklist.append(OptCheck('INPUT_EVBUG', 'is not set', 'my', 'cut_attack_surface')) # Can be used as a keylogger
checklist.append(OptCheck('INTEGRITY', 'y', 'defconfig', 'userspace_hardening'))
if arch == 'ARM64':
config_checklist = []
- parser = ArgumentParser(description='Checks the hardening options in the Linux kernel config')
+ parser = ArgumentParser(prog='kconfig-hardened-check',
+ description='Checks the hardening options in the Linux kernel config')
parser.add_argument('-p', '--print', choices=supported_archs,
help='print hardening preferences for selected architecture')
parser.add_argument('-c', '--config',
help='enable verbose debug mode')
parser.add_argument('--json', action='store_true',
help='print results in JSON format')
+ parser.add_argument('--version', action='version', version='%(prog)s ' + __version__)
args = parser.parse_args()
if args.debug:
projects / kconfig-hardened-check.git / blobdiff