X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=36ecedca4b562607a0cc74159ea757accc6cb1ce;hb=e2c996e9059a09a90c5a372819d586780e56d2af;hp=93307f99e3e725ac21c7ec9c95aa117d81508eaa;hpb=35f90af9096a0dad868107ea6dc005468badd5c3;p=kconfig-hardened-check.git diff --git a/README.md b/README.md index 93307f9..36ecedc 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,11 @@ -# kernel-hardening-checker (formerly kconfig-hardened-check) +# kernel-hardening-checker -[![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/a13xp0p0v/kernel-hardening-checker?label=release)](https://github.com/a13xp0p0v/kernel-hardening-checker/tags)
+__(formerly kconfig-hardened-check)__

[![functional test](https://github.com/a13xp0p0v/kernel-hardening-checker/workflows/functional%20test/badge.svg)](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/functional_test.yml) [![functional test coverage](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker/graph/badge.svg?flag=functional_test)](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker)
[![engine unit-test](https://github.com/a13xp0p0v/kernel-hardening-checker/workflows/engine%20unit-test/badge.svg)](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/engine_unit-test.yml) -[![unit-test coverage](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker/graph/badge.svg?flag=engine_unit-test)](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker) +[![unit-test coverage](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker/graph/badge.svg?flag=engine_unit-test)](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker)
+[![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/a13xp0p0v/kernel-hardening-checker?label=release)](https://github.com/a13xp0p0v/kernel-hardening-checker/tags) ## Motivation @@ -14,7 +15,7 @@ make our systems more secure. But nobody likes checking configs manually. So let the computers do their job! -__kernel-hardening-checker__ is a tool for checking the security hardening options of the Linux kernel. It supports checking: +__kernel-hardening-checker__ (formerly __kconfig-hardened-check__) is a tool for checking the security hardening options of the Linux kernel. It supports checking: - Kconfig options (compile-time) - Kernel cmdline arguments (boot-time) @@ -67,9 +68,9 @@ Some Linux distributions also provide `kernel-hardening-checker` as a package. ## Usage ``` usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}] - [-c CONFIG] [-l CMDLINE] [-s SYSCTL] - [-p {X86_64,X86_32,ARM64,ARM}] - [-g {X86_64,X86_32,ARM64,ARM}] + [-c CONFIG] [-l CMDLINE] [-s SYSCTL] [-v KERNEL_VERSION] + [-p {X86_64,X86_32,ARM64,ARM}] + [-g {X86_64,X86_32,ARM64,ARM}] A tool for checking the security hardening options of the Linux kernel @@ -87,6 +88,9 @@ options: -s SYSCTL, --sysctl SYSCTL check the security hardening options in the sysctl output file (`sudo sysctl -a > file`) + -v KERNEL_VERSION, --kernel-version KERNEL_VERSION + extract the version from the kernel version file (contents of + /proc/version) -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM} print the security hardening recommendations for the selected microarchitecture 
@@ -114,7 +118,7 @@ CONFIG_DEVMEM |kconfig| is not set | kspp |cut_att ## Example output for `Fedora 38` kernel configuration ``` -$ ./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/fedora_38.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt +$ ./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/fedora_38.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt [+] Kconfig file to check: kernel_hardening_checker/config_files/distros/fedora_38.config [+] Kernel cmdline file to check: /proc/cmdline [+] Sysctl output file to check: kernel_hardening_checker/config_files/distros/example_sysctls.txt @@ -332,7 +336,6 @@ tsx_async_abort |cmdline| is not off |defconfig | self_p srbds |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found mmio_stale_data |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found retbleed |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found -kpti |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found rodata |cmdline| on |defconfig | self_protection | OK: rodata is not found nosmt |cmdline| is present | kspp | self_protection | FAIL: is not present mitigations |cmdline| auto,nosmt | kspp | self_protection | FAIL: is not found 
@@ -341,10 +344,10 @@ slub_merge |cmdline| is not set | kspp | self_p slab_nomerge |cmdline| is present | kspp | self_protection | OK: CONFIG_SLAB_MERGE_DEFAULT is "is not set" init_on_alloc |cmdline| 1 | kspp | self_protection | FAIL: is not found init_on_free |cmdline| 1 | kspp | self_protection | FAIL: is not found -iommu.strict |cmdline| 1 | kspp | self_protection | FAIL: is not found -iommu.passthrough |cmdline| 0 | kspp | self_protection | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set" hardened_usercopy |cmdline| 1 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY is "y" slab_common.usercopy_fallback |cmdline| 0 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY_FALLBACK is not found +iommu.strict |cmdline| 1 | kspp | self_protection | FAIL: is not found +iommu.passthrough |cmdline| 0 | kspp | self_protection | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set" randomize_kstack_offset |cmdline| 1 | kspp | self_protection | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is "y" pti |cmdline| on | kspp | self_protection | FAIL: is not found page_alloc.shuffle |cmdline| 1 | clipos | self_protection | FAIL: is not found @@ -362,10 +365,8 @@ kernel.kexec_load_disabled |sysctl | 1 | kspp |cut_att user.max_user_namespaces |sysctl | 0 | kspp |cut_attack_surface| FAIL: "31021" dev.tty.ldisc_autoload |sysctl | 0 | kspp |cut_attack_surface| FAIL: "1" kernel.unprivileged_bpf_disabled |sysctl | 1 | kspp |cut_attack_surface| OK -kernel.kptr_restrict |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0" -kernel.yama.ptrace_scope |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0" -[+] Config check is finished: 'OK' - 118 / 'FAIL' - 122 +[+] Config check is finished: 'OK' - 118 / 'FAIL' - 119 ``` ## Generating a Kconfig fragment with the security hardening options
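Review bot: in the Motivation hunk (`@@ -14,7 +15,7 @@`), the intro sentence now repeats "(formerly __kconfig-hardened-check__)" although the heading hunk already adds the same old name as a bold line directly under the H1; one mention is enough, and keeping it only under the title avoids the two drifting apart on future renames.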
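Review bot: the new `-v KERNEL_VERSION, --kernel-version` help text in the options hunk (`@@ -87,6 +88,9 @@`) says which file to read ("contents of /proc/version") but not what the version is used for or when a user needs to pass it alongside `-c CONFIG`, `-l CMDLINE` or `-s SYSCTL`; a short clause such as "used to select the version-specific checks" would make the option self-explanatory, and the usage synopsis hunk above should stay in sync with whatever wording is chosen.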
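Review bot: the `-`/`+` pair in the Fedora 38 example hunk (`@@ -114,7 +118,7 @@`) is character-for-character identical as rendered, so this looks like a trailing-whitespace or line-ending change only; if that is the intent it is fine, otherwise the hunk is noise and should be dropped from the commit.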
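Review bot: the hunk at `@@ -332,7 +336,6 @@` drops the `kpti |cmdline| is not off` line from the example output while a `pti |cmdline| on | kspp` check remains visible in the next hunk's context, so this reads as removing a duplicate or misnamed boot parameter check; the commit message should say that explicitly, and the example should be regenerated by running the tool rather than hand-edited so the remaining lines match the current rule set.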
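Review bot: the hunk at `@@ -341,10 +344,10 @@` only moves the two `iommu.strict` / `iommu.passthrough` lines below `hardened_usercopy` and `slab_common.usercopy_fallback` with their content unchanged; this is fine if it reflects the tool's new rule ordering, but it is another sign the example block should be pasted from a fresh run rather than edited by hand.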
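Review bot: the final hunk (`@@ -362,10 +365,8 @@`) removes the `kernel.kptr_restrict` and `kernel.yama.ptrace_scope` sysctl lines with no matching `+` lines anywhere in the diff, and both are marked `kspp`-sourced checks; if they were moved elsewhere in the output the diff should show the added lines, and if they were dropped from the rule set the commit should say why. The summary arithmetic does check out: three `FAIL` lines are removed across the patch (`kpti`, `kernel.kptr_restrict`, `kernel.yama.ptrace_scope`), which matches `'FAIL' - 122` becoming `'FAIL' - 119` with `'OK' - 118` unchanged.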