X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=0b6127bf529e69fdc06ce0437bf83676171bd6d1;hb=60417eb581e21ac869917b40fbd9e511acc1ebf6;hp=95cd7013b712d7924db0a2aaf3dae16402e1edbe;hpb=478e5f266df05b5f75badef59914c8b0e71e3e0e;p=kconfig-hardened-check.git diff --git a/README.md b/README.md index 95cd701..0b6127b 100644 --- a/README.md +++ b/README.md @@ -9,104 +9,122 @@ make our systems more secure. But nobody likes checking configs manually. So let the computers do their job! __kconfig-hardened-check.py__ helps me to check the Linux kernel Kconfig option list -against my hardening preferences for `x86_64`, which are based on the +against my hardening preferences, which are based on the [KSPP recommended settings][1] and last public [grsecurity][2] patch (options which they disable). Please don't cry if my Python code looks like C. I'm just a kernel developer. +## Supported microarchitectures + + - X86_64 + - X86_32 + - ARM64 + - ARM + ## Script output examples ### Usage ``` -#./kconfig-hardened-check.py -usage: kconfig-hardened-check.py [-h] [-p] [-c CONFIG] [--debug] +#usage: kconfig-hardened-check.py [-h] [-p {X86_64,X86_32,ARM64,ARM}] + [-c CONFIG] [--debug] Checks the hardening options in the Linux kernel config optional arguments: -h, --help show this help message and exit - -p, --print print hardening preferences + -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM} + print hardening preferences for selected architecture -c CONFIG, --config CONFIG check the config_file against these preferences --debug enable internal debug mode + ``` ### Script output for `Ubuntu 18.04 (Bionic Beaver)` kernel config ``` -#./kconfig-hardened-check.py -c config_files/ubuntu-bionic-generic.config -[+] Checking "config_files/ubuntu-bionic-generic.config" against hardening preferences... +#./kconfig-hardened-check.py -c config_files/distros/ubuntu-bionic-generic.config +[+] Trying to detect architecture in "config_files/distros/ubuntu-bionic-generic.config"... +[+] Detected architecture: X86_64 +[+] Checking "config_files/distros/ubuntu-bionic-generic.config" against hardening preferences... option name | desired val | decision | reason || check result =================================================================================================================== - CONFIG_BUG | y | ubuntu18 | self_protection || OK - CONFIG_PAGE_TABLE_ISOLATION | y | ubuntu18 | self_protection || OK - CONFIG_RETPOLINE | y | ubuntu18 | self_protection || OK - CONFIG_X86_64 | y | ubuntu18 | self_protection || OK - CONFIG_STRICT_KERNEL_RWX | y | ubuntu18 | self_protection || OK - CONFIG_DEBUG_WX | y | ubuntu18 | self_protection || OK - CONFIG_RANDOMIZE_BASE | y | ubuntu18 | self_protection || OK - CONFIG_RANDOMIZE_MEMORY | y | ubuntu18 | self_protection || OK - CONFIG_STACKPROTECTOR_STRONG | y | ubuntu18 | self_protection ||CONFIG_CC_STACKPROTECTOR_STRONG: OK ("y") - CONFIG_VMAP_STACK | y | ubuntu18 | self_protection || OK - CONFIG_THREAD_INFO_IN_TASK | y | ubuntu18 | self_protection || OK - CONFIG_SCHED_STACK_END_CHECK | y | ubuntu18 | self_protection || OK - CONFIG_SLUB_DEBUG | y | ubuntu18 | self_protection || OK - CONFIG_SLAB_FREELIST_HARDENED | y | ubuntu18 | self_protection || OK - CONFIG_SLAB_FREELIST_RANDOM | y | ubuntu18 | self_protection || OK - CONFIG_HARDENED_USERCOPY | y | ubuntu18 | self_protection || OK - CONFIG_FORTIFY_SOURCE | y | ubuntu18 | self_protection || OK - CONFIG_STRICT_MODULE_RWX | y | ubuntu18 | self_protection || OK - CONFIG_MODULE_SIG | y | ubuntu18 | self_protection || OK - CONFIG_MODULE_SIG_ALL | y | ubuntu18 | self_protection || OK - CONFIG_MODULE_SIG_SHA512 | y | ubuntu18 | self_protection || OK - CONFIG_SYN_COOKIES | y | ubuntu18 | self_protection || OK - CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | ubuntu18 | self_protection || OK + CONFIG_BUG | y |defconfig | self_protection || OK + CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection || OK + CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection ||OK: CONFIG_CC_STACKPROTECTOR_STRONG "y" + CONFIG_SLUB_DEBUG | y |defconfig | self_protection || OK + CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection || OK + CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection || OK + CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection || OK + CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection || OK + CONFIG_RETPOLINE | y |defconfig | self_protection || OK + CONFIG_X86_SMAP | y |defconfig | self_protection || OK + CONFIG_X86_INTEL_UMIP | y |defconfig | self_protection || OK + CONFIG_SYN_COOKIES | y |defconfig | self_protection || OK + CONFIG_VMAP_STACK | y |defconfig | self_protection || OK + CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection || OK CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || FAIL: "is not set" - CONFIG_PAGE_POISONING | y | kspp | self_protection || FAIL: "is not set" + CONFIG_DEBUG_WX | y | kspp | self_protection || OK + CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection || OK + CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection || OK + CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection || OK + CONFIG_FORTIFY_SOURCE | y | kspp | self_protection || OK CONFIG_GCC_PLUGINS | y | kspp | self_protection || FAIL: "is not set" CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || FAIL: not found CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || FAIL: not found CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || FAIL: not found CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || FAIL: not found - CONFIG_REFCOUNT_FULL | y | kspp | self_protection || FAIL: "is not set" CONFIG_DEBUG_LIST | y | kspp | self_protection || FAIL: "is not set" CONFIG_DEBUG_SG | y | kspp | self_protection || FAIL: "is not set" CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection || FAIL: "is not set" CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection || FAIL: "is not set" - CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: "is not set" + CONFIG_PAGE_POISONING | y | kspp | self_protection || FAIL: "is not set" + CONFIG_HARDENED_USERCOPY | y | kspp | self_protection || OK CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK: not found + CONFIG_MODULE_SIG | y | kspp | self_protection || OK + CONFIG_MODULE_SIG_ALL | y | kspp | self_protection || OK + CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection || OK + CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: "is not set" + CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection || OK + CONFIG_REFCOUNT_FULL | y | kspp | self_protection || FAIL: "is not set" CONFIG_GCC_PLUGIN_STACKLEAK | y | my | self_protection || FAIL: not found + CONFIG_LOCK_DOWN_KERNEL | y | my | self_protection || OK CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set" CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || FAIL: "is not set" CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set" - CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || OK: not found - CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK: not found - CONFIG_SECURITY | y | ubuntu18 | security_policy || OK - CONFIG_SECURITY_YAMA | y | ubuntu18 | security_policy || OK - CONFIG_SECURITY_SELINUX_DISABLE | is not set | ubuntu18 | security_policy || OK - CONFIG_SECCOMP | y | ubuntu18 | cut_attack_surface || OK - CONFIG_SECCOMP_FILTER | y | ubuntu18 | cut_attack_surface || OK - CONFIG_STRICT_DEVMEM | y | ubuntu18 | cut_attack_surface || OK - CONFIG_ACPI_CUSTOM_METHOD | is not set | ubuntu18 | cut_attack_surface || OK - CONFIG_COMPAT_BRK | is not set | ubuntu18 | cut_attack_surface || OK - CONFIG_DEVKMEM | is not set | ubuntu18 | cut_attack_surface || OK - CONFIG_COMPAT_VDSO | is not set | ubuntu18 | cut_attack_surface || OK - CONFIG_X86_PTDUMP | is not set | ubuntu18 | cut_attack_surface || OK - CONFIG_ZSMALLOC_STAT | is not set | ubuntu18 | cut_attack_surface || OK - CONFIG_PAGE_OWNER | is not set | ubuntu18 | cut_attack_surface || OK - CONFIG_DEBUG_KMEMLEAK | is not set | ubuntu18 | cut_attack_surface || OK - CONFIG_BINFMT_AOUT | is not set | ubuntu18 | cut_attack_surface || OK: not found + CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set" + CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK + CONFIG_SLAB_MERGE_DEFAULT | is not set | my | self_protection || FAIL: "y" + CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed + CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed + CONFIG_SECURITY | y |defconfig | security_policy || OK + CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK + CONFIG_SECURITY_SELINUX_DISABLE | is not set | kspp | security_policy || OK + CONFIG_SECCOMP | y |defconfig | cut_attack_surface || OK + CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface || OK + CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface || OK + CONFIG_MODULES | is not set | kspp | cut_attack_surface || FAIL: "y" + CONFIG_DEVMEM | is not set | kspp | cut_attack_surface || FAIL: "y" CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set" - CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set" + CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface || OK + CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface || OK + CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface || OK + CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface || OK CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m" CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface || FAIL: "m" CONFIG_KEXEC | is not set | kspp | cut_attack_surface || FAIL: "y" CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface || FAIL: "y" CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface || FAIL: "y" + CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface || FAIL: "y" + CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set" CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface || FAIL: "y" CONFIG_X86_X32 | is not set | kspp | cut_attack_surface || FAIL: "y" CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface || FAIL: "y" - CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface || FAIL: "y" + CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface || OK + CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface || OK + CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface || OK + CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface || OK + CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface || OK: not found CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y" CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y" CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface || FAIL: "y" @@ -120,27 +138,45 @@ optional arguments: CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface || FAIL: "y" CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface || FAIL: "y" CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface || FAIL: "m" + CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface || FAIL: "y" + CONFIG_ACPI_APEI_EINJ | is not set | lockdown | cut_attack_surface || FAIL: "m" + CONFIG_PROFILING | is not set | lockdown | cut_attack_surface || FAIL: "y" + CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface || FAIL: "y" + CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface || OK + CONFIG_MMIOTRACE | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_KEXEC_FILE | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m" CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m" CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y" - CONFIG_PROFILING | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y" - CONFIG_BPF_SYSCALL | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28" -[-] config check is NOT PASSED: 51 errors +[+] config check is finished: 'OK' - 43 / 'FAIL' - 60 ``` -N.B. If `CONFIG_GCC_PLUGIN*` options are automatically disabled during your kernel compilation, -that means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu, -try to install `gcc-7-plugin-dev` package, it should help. +### Questions and answers + +__Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers! + +__A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs, +but the script recommends disabling it to cut the attack surface __of the kernel__. + +The rationale: + - A nice LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/ + + - A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541 + +
+ +__Q:__ Why `CONFIG_GCC_PLUGINS` is automatically disabled during the kernel compilation? + +__A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu, +try to install `gcc-7-plugin-dev` package, it should help. -__Go and fix them all!__ [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings [2]: https://grsecurity.net/