-#!/usr/bin/python3
+#!/usr/bin/env python3
"""
This tool is for checking the security hardening options of the Linux kernel.
def detect_arch(fname, archs):
with _open(fname, 'rt', encoding='utf-8') as f:
- arch_pattern = re.compile("CONFIG_[a-zA-Z0-9_]+=y$")
+ arch_pattern = re.compile(r"CONFIG_[a-zA-Z0-9_]+=y$")
arch = None
for line in f.readlines():
if arch_pattern.match(line):
def detect_kernel_version(fname):
with _open(fname, 'rt', encoding='utf-8') as f:
- ver_pattern = re.compile("# Linux/.+ Kernel Configuration$")
+ ver_pattern = re.compile(r"^# Linux/.+ Kernel Configuration$|^Linux version .+")
for line in f.readlines():
if ver_pattern.match(line):
line = line.strip()
sys.exit(f'[!] ERROR: invalid GCC_VERSION and CLANG_VERSION: {gcc_version} {clang_version}')
-def print_unknown_options(checklist, parsed_options):
+def print_unknown_options(checklist, parsed_options, opt_type):
known_options = []
for o1 in checklist:
for option, value in parsed_options.items():
if option not in known_options:
- print(f'[?] No check for option {option} ({value})')
+ print(f'[?] No check for {opt_type} option {option} ({value})')
def print_checklist(mode, checklist, with_results):
def parse_kconfig_file(mode, parsed_options, fname):
with _open(fname, 'rt', encoding='utf-8') as f:
- opt_is_on = re.compile("CONFIG_[a-zA-Z0-9_]+=.+$")
- opt_is_off = re.compile("# CONFIG_[a-zA-Z0-9_]+ is not set$")
+ opt_is_on = re.compile(r"CONFIG_[a-zA-Z0-9_]+=.+$")
+ opt_is_off = re.compile(r"# CONFIG_[a-zA-Z0-9_]+ is not set$")
for line in f.readlines():
line = line.strip()
def parse_sysctl_file(mode, parsed_options, fname):
with open(fname, 'r', encoding='utf-8') as f:
- sysctl_pattern = re.compile("[a-zA-Z0-9/\._-]+ =.*$")
+ sysctl_pattern = re.compile(r"[a-zA-Z0-9/\._-]+ =.*$")
for line in f.readlines():
line = line.strip()
if not sysctl_pattern.match(line):
help='check the security hardening options in the kernel cmdline file (contents of /proc/cmdline)')
parser.add_argument('-s', '--sysctl',
help='check the security hardening options in the sysctl output file (`sudo sysctl -a > file`)')
+ parser.add_argument('-v', '--kernel-version',
+ help='extract the version from the kernel version file (contents of /proc/version)')
parser.add_argument('-p', '--print', choices=supported_archs,
help='print the security hardening recommendations for the selected microarchitecture')
parser.add_argument('-g', '--generate', choices=supported_archs,
if mode != 'json':
print(f'[+] Detected microarchitecture: {arch}')
- kernel_version, msg = detect_kernel_version(args.config)
+ if args.kernel_version:
+ kernel_version, msg = detect_kernel_version(args.kernel_version)
+ else:
+ kernel_version, msg = detect_kernel_version(args.config)
if kernel_version is None:
+ if not args.kernel_version:
+ print('[!] Hint: provide the kernel version file through --kernel-version option')
sys.exit(f'[!] ERROR: {msg}')
if mode != 'json':
print(f'[+] Detected kernel version: {kernel_version[0]}.{kernel_version[1]}')
if mode == 'verbose':
# print the parsed options without the checks (for debugging)
- all_parsed_options = parsed_kconfig_options # assignment does not copy
+ print_unknown_options(config_checklist, parsed_kconfig_options, 'kconfig')
if args.cmdline:
- all_parsed_options.update(parsed_cmdline_options)
+ print_unknown_options(config_checklist, parsed_cmdline_options, 'cmdline')
if args.sysctl:
- all_parsed_options.update(parsed_sysctl_options)
- print_unknown_options(config_checklist, all_parsed_options)
+ print_unknown_options(config_checklist, parsed_sysctl_options, 'sysctl')
# finally print the results
print_checklist(mode, config_checklist, True)
if mode == 'verbose':
# print the parsed options without the checks (for debugging)
- print_unknown_options(config_checklist, parsed_sysctl_options)
+ print_unknown_options(config_checklist, parsed_sysctl_options, 'sysctl')
# finally print the results
print_checklist(mode, config_checklist, True)