X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=0e18940c5919fc37431fcecde5135f30e6dc0198;hb=cb1d79b05f9ab8660ddfdbedc56cf84447a9f27f;hp=b918ebba46c879d12f3afa9bfd2e63526ca6d5f5;hpb=3630552c4a7cb10c3fb449b1f38d629744a3f91a;p=kconfig-hardened-check.git diff --git a/README.md b/README.md index b918ebb..0e18940 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,7 @@ -# Kconfig hardened check +# kconfig-hardened-check + +![functional test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/functional%20test/badge.svg) +[![Coverage Status](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check) ## Motivation @@ -13,7 +16,9 @@ against my hardening preferences, which are based on the - [KSPP recommended settings][1], - [CLIP OS kernel configuration][2], - - last public [grsecurity][3] patch (options which they disable). + - last public [grsecurity][3] patch (options which they disable), + - [SECURITY_LOCKDOWN_LSM][5] patchset, + - direct feedback from Linux kernel maintainers (Daniel Vetter in [issue #38][6]). I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the relationships between these hardening features and the corresponding vulnerability classes @@ -26,12 +31,20 @@ or exploitation techniques. - ARM64 - ARM -## Script output examples +## Installation + +You can install the package: -### Usage ``` -usage: kconfig-hardened-check.py [-h] [-p {X86_64,X86_32,ARM64,ARM}] - [-c CONFIG] [--debug] [--json] +pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check +``` + +or simply run `./bin/kconfig-hardened-check` from the cloned repository. + +## Usage +``` +usage: kconfig-hardened-check [-h] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG] + [--debug] [--json] [--version] Checks the hardening options in the Linux kernel config @@ -41,17 +54,21 @@ optional arguments: print hardening preferences for selected architecture -c CONFIG, --config CONFIG check the config_file against these preferences - --debug enable internal debug mode + --debug enable verbose debug mode --json print results in JSON format - + --version show program's version number and exit ``` -### Script output for `Ubuntu 18.04 (Bionic Beaver with HWE)` kernel config +## Output for `Ubuntu 18.04 (Bionic Beaver with HWE)` kernel config ``` -$ ./kconfig-hardened-check.py -c config_files/distros/ubuntu-bionic-generic.config -[+] Trying to detect architecture in "config_files/distros/ubuntu-bionic-generic.config"... +$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config +[+] Trying to detect architecture in "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config"... [+] Detected architecture: X86_64 -[+] Checking "config_files/distros/ubuntu-bionic-generic.config" against hardening preferences... +[+] Trying to detect kernel version in "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config"... +[+] Found version line: "# Linux/x86 5.3.0-28-generic Kernel Configuration" +[+] Detected kernel version: 5.3 +[+] Checking "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config" against X86_64 hardening preferences... +========================================================================================================================= option name | desired val | decision | reason | check result ========================================================================================================================= CONFIG_BUG | y |defconfig | self_protection | OK @@ -59,11 +76,13 @@ CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_pr CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection | OK CONFIG_SLUB_DEBUG | y |defconfig | self_protection | OK CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection | OK +CONFIG_GCC_PLUGINS | y |defconfig | self_protection | FAIL: not found +CONFIG_REFCOUNT_FULL | y |defconfig | self_protection | FAIL: "is not set" +CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK CONFIG_MICROCODE | y |defconfig | self_protection | OK CONFIG_RETPOLINE | y |defconfig | self_protection | OK CONFIG_X86_SMAP | y |defconfig | self_protection | OK CONFIG_X86_UMIP | y |defconfig | self_protection | OK: CONFIG_X86_INTEL_UMIP "y" -CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK CONFIG_SYN_COOKIES | y |defconfig | self_protection | OK CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection | OK CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection | OK @@ -79,7 +98,6 @@ CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_pr CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | OK CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK -CONFIG_GCC_PLUGINS | y | kspp | self_protection | FAIL: not found CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | FAIL: not found CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection | FAIL: not found CONFIG_DEBUG_LIST | y | kspp | self_protection | FAIL: "is not set" @@ -92,19 +110,19 @@ CONFIG_MODULE_SIG | y | kspp | self_pr CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | FAIL: "is not set" +CONFIG_INIT_STACK_ALL | y | kspp | self_protection | FAIL: not found +CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | OK +CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK: CONFIG_PAGE_POISONING "y" +CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | FAIL: not found +CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed +CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK -CONFIG_REFCOUNT_FULL | y | kspp | self_protection | FAIL: "is not set" -CONFIG_INIT_STACK_ALL | y | clipos | self_protection | FAIL: not found -CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | clipos | self_protection | OK -CONFIG_INIT_ON_FREE_DEFAULT_ON | y | clipos | self_protection | OK: CONFIG_PAGE_POISONING "y" CONFIG_SECURITY_DMESG_RESTRICT | y | clipos | self_protection | FAIL: "is not set" CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | FAIL: "is not set" CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set" CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | FAIL: "y" CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed -CONFIG_GCC_PLUGIN_STACKLEAK | y | clipos | self_protection | FAIL: not found -CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed -CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed +CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | OK: not found CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | FAIL: "y" CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set" @@ -112,12 +130,13 @@ CONFIG_SLUB_DEBUG_ON | y | my | self_pr CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "m" CONFIG_SECURITY | y |defconfig | security_policy | OK -CONFIG_SECURITY_WRITABLE_HOOKS | is not set |defconfig | security_policy | OK: not found CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK +CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my | security_policy | OK: not found +CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | FAIL: not found +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | FAIL: not found +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: not found CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set" -CONFIG_SECURITY_LOCKDOWN_LSM | y | my | security_policy | FAIL: not found -CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | my | security_policy | FAIL: not found -CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | my | security_policy | FAIL: not found +CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN is needed CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK @@ -125,6 +144,7 @@ CONFIG_STRICT_DEVMEM | y |defconfig | cut_atta CONFIG_MODULES | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_DEVMEM | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface | FAIL: "is not set" +CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface | FAIL: "is not set" CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface | OK CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface | OK CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface | OK @@ -135,10 +155,10 @@ CONFIG_KEXEC | is not set | kspp | cut_atta CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface | FAIL: "y" -CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface | FAIL: "is not set" CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_X86_X32 | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface | FAIL: "y" +CONFIG_OABI_COMPAT | is not set | kspp | cut_attack_surface | OK: not found CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface | OK CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK @@ -157,18 +177,26 @@ CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_atta CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m" +CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK +CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y" +CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y" CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface | FAIL: "y" -CONFIG_ACPI_APEI_EINJ | is not set | lockdown | cut_attack_surface | FAIL: "m" -CONFIG_PROFILING | is not set | lockdown | cut_attack_surface | FAIL: "y" +CONFIG_X86_IOPL_IOPERM | is not set | lockdown | cut_attack_surface | OK: not found +CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m" CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y" CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK +CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_attack_surface | OK +CONFIG_STAGING | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_KSM | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_USER_NS | is not set | clipos | cut_attack_surface | FAIL: "y" +CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | FAIL: "m" +CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m" CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface | FAIL: "y" +CONFIG_AIO | is not set |grapheneos| cut_attack_surface | FAIL: "y" CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_IP_DCCP | is not set | my | cut_attack_surface | FAIL: "m" @@ -176,9 +204,11 @@ CONFIG_IP_SCTP | is not set | my | cut_atta CONFIG_FTRACE | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_BPF_JIT | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | FAIL: "m" +CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | FAIL: "m" +CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] config check is finished: 'OK' - 50 / 'FAIL' - 73 +[+] config check is finished: 'OK' - 56 / 'FAIL' - 80 ``` ## kconfig-hardened-check versioning @@ -187,9 +217,7 @@ I usually update the kernel hardening recommendations after each Linux kernel re So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel. -The version format is: __[major_number].[kernel_version]__ - -The current version of `kconfig-hardened-check` is __0.5.3__, it's marked with the git tag. +The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__ ## Questions and answers @@ -197,7 +225,7 @@ The current version of `kconfig-hardened-check` is __0.5.3__, it's marked with t __Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers! __A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs, -but the script recommends disabling it to cut the attack surface __of the kernel__. +but the tool recommends disabling it to cut the attack surface __of the kernel__. The rationale: @@ -224,3 +252,5 @@ if we have a kernel oops in the process context, the offending/attacking process [2]: https://docs.clip-os.org/clipos/kernel.html#configuration [3]: https://grsecurity.net/ [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map +[5]: https://lwn.net/Articles/791863/ +[6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38