option, value = line[2:].split(' ', 1)
assert(value == 'is not set'), \
f'unexpected value of disabled Kconfig option "{line}"'
- elif line != '' and not line.startswith('#') and mode != 'json':
- print(f'[!] WARNING: strange line in Kconfig file: "{line}"')
+ elif line != '' and not line.startswith('#'):
+ sys.exit(f'[!] ERROR: unexpected line in Kconfig file: "{line}"')
if option in parsed_options:
sys.exit(f'[!] ERROR: Kconfig option "{line}" is found multiple times')
def parse_sysctl_file(mode, parsed_options, fname):
with open(fname, 'r', encoding='utf-8') as f:
- sysctl_pattern = re.compile("[a-zA-Z0-9\._-]+ =.*$")
+ sysctl_pattern = re.compile("[a-zA-Z0-9/\._-]+ =.*$")
for line in f.readlines():
line = line.strip()
if not sysctl_pattern.match(line):
- sys.exit(f'[!] ERROR: unexpected line in sysctl file: {line}')
+ sys.exit(f'[!] ERROR: unexpected line in sysctl file: "{line}"')
option, value = line.split('=', 1)
option = option.strip()
value = value.strip()
help='check the security hardening options in the kernel Kconfig file (also supports *.gz files)')
parser.add_argument('-l', '--cmdline',
help='check the security hardening options in the kernel cmdline file (contents of /proc/cmdline)')
-# parser.add_argument('-s', '--sysctl',
-# help='check the security hardening options in the sysctl output file (`sudo sysctl -a > file`)')
+ parser.add_argument('-s', '--sysctl',
+ help='check the security hardening options in the sysctl output file (`sudo sysctl -a > file`)')
parser.add_argument('-p', '--print', choices=supported_archs,
help='print the security hardening recommendations for the selected microarchitecture')
parser.add_argument('-g', '--generate', choices=supported_archs,
help='generate a Kconfig fragment with the security hardening options for the selected microarchitecture')
args = parser.parse_args()
- args.sysctl = None # FIXME
mode = None
if args.mode:
if args.config:
if args.print:
sys.exit('[!] ERROR: --config and --print can\'t be used together')
-
if args.generate:
sys.exit('[!] ERROR: --config and --generate can\'t be used together')
# finally print the results
print_checklist(mode, config_checklist, True)
-
sys.exit(0)
elif args.cmdline:
sys.exit('[!] ERROR: checking cmdline depends on checking Kconfig')
elif args.sysctl:
- # TODO: sysctl check should also work separately
- sys.exit('[!] ERROR: checking sysctl depends on checking Kconfig')
+ # separate sysctl checking (without kconfig)
+ assert(args.config is None and args.cmdline is None), 'unexpected args'
+ if args.print:
+ sys.exit('[!] ERROR: --sysctl and --print can\'t be used together')
+ if args.generate:
+ sys.exit('[!] ERROR: --sysctl and --generate can\'t be used together')
+
+ if mode != 'json':
+ print(f'[+] Sysctl output file to check: {args.sysctl}')
+
+ # add relevant sysctl checks to the checklist
+ add_sysctl_checks(config_checklist, None)
+
+ # populate the checklist with the parsed sysctl data
+ parsed_sysctl_options = OrderedDict()
+ parse_sysctl_file(mode, parsed_sysctl_options, args.sysctl)
+ populate_with_data(config_checklist, parsed_sysctl_options, 'sysctl')
+
+ # now everything is ready, perform the checks
+ perform_checks(config_checklist)
+
+ if mode == 'verbose':
+ # print the parsed options without the checks (for debugging)
+ print_unknown_options(config_checklist, parsed_sysctl_options)
+
+ # finally print the results
+ print_checklist(mode, config_checklist, True)
+ sys.exit(0)
if args.print:
assert(args.config is None and args.cmdline is None and args.sysctl is None), 'unexpected args'
+ if args.generate:
+ sys.exit('[!] ERROR: --print and --generate can\'t be used together')
if mode and mode not in ('verbose', 'json'):
sys.exit(f'[!] ERROR: wrong mode "{mode}" for --print')
arch = args.print
sys.exit(0)
if args.generate:
- assert(args.config is None and args.cmdline is None and args.sysctl is None), 'unexpected args'
+ assert(args.config is None and args.cmdline is None and args.sysctl is None and args.print is None), 'unexpected args'
if mode:
sys.exit(f'[!] ERROR: wrong mode "{mode}" for --generate')
arch = args.generate
projects / kconfig-hardened-check.git / blobdiff