X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=0c9aaec6df95df3b290debd4259078232ebfa3e0;hb=558fe1761e5a64917e426dfa6926466065983ce4;hp=b0074b691d3d9d58af15254ca39a6d9c72d187e3;hpb=14e30b6913c393d4aa0ed5c70e9905ccdf5f1073;p=kconfig-hardened-check.git diff --git a/README.md b/README.md index b0074b6..0c9aaec 100644 --- a/README.md +++ b/README.md @@ -86,7 +86,6 @@ CONFIG_DEBUG_LIST | y | kspp | self_pr CONFIG_DEBUG_SG | y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection | FAIL: "is not set" -CONFIG_PAGE_POISONING | y | kspp | self_protection | FAIL: "is not set" CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection | OK: not found CONFIG_MODULE_SIG | y | kspp | self_protection | OK @@ -111,15 +110,15 @@ CONFIG_INTEL_IOMMU_SVM | y | clipos | self_pr CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set" CONFIG_SLUB_DEBUG_ON | y | my | self_protection | FAIL: "is not set" CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK -CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection | FAIL: CONFIG_PAGE_POISONING is needed -CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection | FAIL: CONFIG_PAGE_POISONING is needed CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "m" CONFIG_SECURITY | y |defconfig | security_policy | OK +CONFIG_SECURITY_WRITABLE_HOOKS | is not set |defconfig | security_policy | OK CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set" CONFIG_SECURITY_LOCKDOWN_LSM | y | my | security_policy | FAIL: not found CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | my | security_policy | FAIL: not found CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | my | security_policy | FAIL: not found +CONFIG_SECURITY_SAFESETID | y | my | security_policy | FAIL: not found CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface | OK @@ -176,9 +175,10 @@ CONFIG_IP_DCCP | is not set | my | cut_atta CONFIG_IP_SCTP | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_FTRACE | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_BPF_JIT | is not set | my | cut_attack_surface | FAIL: "y" +CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] config check is finished: 'OK' - 48 / 'FAIL' - 75 +[+] config check is finished: 'OK' - 49 / 'FAIL' - 74 ``` ## kconfig-hardened-check versioning @@ -212,6 +212,13 @@ __Q:__ Why `CONFIG_GCC_PLUGINS` is automatically disabled during the kernel comp __A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu, try to install `gcc-7-plugin-dev` package, it should help. +
+ +__Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same? + +__A:__ I personally don't support this recommendation because it provides easy denial-of-service +attacks for the whole system (kernel oops is not a rare situation). I think having `CONFIG_BUG` is enough here -- +if we have a kernel oops in the process context, the offending/attacking process is killed. [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings [2]: https://docs.clip-os.org/clipos/kernel.html#configuration