X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=0b6127bf529e69fdc06ce0437bf83676171bd6d1;hb=60417eb581e21ac869917b40fbd9e511acc1ebf6;hp=4a8f2ed4ca3783361927e8a13db6ebd35ae5984e;hpb=60a83b77a98aeb52dd1cb262febee0e15a99f302;p=kconfig-hardened-check.git diff --git a/README.md b/README.md index 4a8f2ed..0b6127b 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ optional arguments: =================================================================================================================== CONFIG_BUG | y |defconfig | self_protection || OK CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection || OK - CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection ||CONFIG_CC_STACKPROTECTOR_STRONG: OK ("y") + CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection ||OK: CONFIG_CC_STACKPROTECTOR_STRONG "y" CONFIG_SLUB_DEBUG | y |defconfig | self_protection || OK CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection || OK CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection || OK @@ -66,11 +66,8 @@ optional arguments: CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || FAIL: "is not set" CONFIG_DEBUG_WX | y | kspp | self_protection || OK CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection || OK - CONFIG_PAGE_POISONING | y | kspp | self_protection || FAIL: "is not set" CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection || OK CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection || OK - CONFIG_HARDENED_USERCOPY | y | kspp | self_protection || OK - CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK: not found CONFIG_FORTIFY_SOURCE | y | kspp | self_protection || OK CONFIG_GCC_PLUGINS | y | kspp | self_protection || FAIL: "is not set" CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || FAIL: not found @@ -81,6 +78,9 @@ optional arguments: CONFIG_DEBUG_SG | y | kspp | self_protection || FAIL: "is not set" CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection || FAIL: "is not set" CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection || FAIL: "is not set" + CONFIG_PAGE_POISONING | y | kspp | self_protection || FAIL: "is not set" + CONFIG_HARDENED_USERCOPY | y | kspp | self_protection || OK + CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK: not found CONFIG_MODULE_SIG | y | kspp | self_protection || OK CONFIG_MODULE_SIG_ALL | y | kspp | self_protection || OK CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection || OK @@ -93,15 +93,18 @@ optional arguments: CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || FAIL: "is not set" CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set" CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set" - CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || OK: not found - CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK: not found + CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK CONFIG_SLAB_MERGE_DEFAULT | is not set | my | self_protection || FAIL: "y" + CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed + CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed CONFIG_SECURITY | y |defconfig | security_policy || OK CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK CONFIG_SECURITY_SELINUX_DISABLE | is not set | kspp | security_policy || OK CONFIG_SECCOMP | y |defconfig | cut_attack_surface || OK CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface || OK CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface || OK + CONFIG_MODULES | is not set | kspp | cut_attack_surface || FAIL: "y" + CONFIG_DEVMEM | is not set | kspp | cut_attack_surface || FAIL: "y" CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set" CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface || OK CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface || OK @@ -150,15 +153,29 @@ optional arguments: CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28" -[-] config check is NOT PASSED: 56 errors +[+] config check is finished: 'OK' - 43 / 'FAIL' - 60 ``` -__Go and fix them all!__ +### Questions and answers + +__Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers! + +__A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs, +but the script recommends disabling it to cut the attack surface __of the kernel__. + +The rationale: + + - A nice LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/ + + - A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541 + +
+ +__Q:__ Why `CONFIG_GCC_PLUGINS` is automatically disabled during the kernel compilation? -N.B. If `CONFIG_GCC_PLUGIN*` options are automatically disabled during your kernel compilation, -then your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu, try to install -`gcc-7-plugin-dev` package, it should help. +__A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu, +try to install `gcc-7-plugin-dev` package, it should help. [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings