X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=688d3a60e1599a732db3c164dc84fc08aef48c1e;hb=5e9f4868791ced7b39c1ab14b539318eaa93b8d0;hp=ec95a7ba64dde925e322514155684f64195ca9f2;hpb=5e4fba6623a686f4c4e86727b2e90df86dc340f0;p=kconfig-hardened-check.git diff --git a/README.md b/README.md index ec95a7b..688d3a6 100644 --- a/README.md +++ b/README.md @@ -16,9 +16,9 @@ against my security hardening preferences, which are based on the - [KSPP recommended settings][1], - [CLIP OS kernel configuration][2], - - last public [grsecurity][3] patch (options which they disable), + - Last public [grsecurity][3] patch (options which they disable), - [SECURITY_LOCKDOWN_LSM][5] patchset, - - direct feedback from Linux kernel maintainers (Daniel Vetter in [issue #38][6]). + - Direct feedback from Linux kernel maintainers (see [#38][6], [#53][15], [#54][16]). I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the relationships between security hardening features and the corresponding vulnerability classes @@ -31,6 +31,8 @@ or exploitation techniques. - ARM64 - ARM +TODO: RISC-V + ## Installation You can install the package: @@ -41,6 +43,8 @@ pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check or simply run `./bin/kconfig-hardened-check` from the cloned repository. +Some Linux distributions also provide `kconfig-hardened-check` as a package. + ## Usage ``` usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] 
@@ -60,7 +64,24 @@ optional arguments: choose the report mode ``` -## Output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config +## Output modes + + - no `-m` argument for the default output mode (see the example below) + - `-m verbose` for printing additional info: + - config options without a corresponding check + - internals of complex checks with AND/OR, like this: +``` +------------------------------------------------------------------------------------------- + <<< OR >>> +CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface +CONFIG_DEVMEM | is not set | kspp | cut_attack_surface +------------------------------------------------------------------------------------------- +``` + - `-m show_fail` for showing only the failed checks + - `-m show_ok` for showing only the successful checks + - `-m json` for printing the results in JSON format (for combining `kconfig-hardened-check` with other tools) + +## Example output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config ``` $ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config [+] Config file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config @@ -106,6 +127,7 @@ CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_pr CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | FAIL: not found CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection | FAIL: "y" +CONFIG_HARDENED_USERCOPY_PAGESPAN | is not set | kspp | self_protection | OK CONFIG_MODULE_SIG | y | kspp | self_protection | OK CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK 
@@ -113,7 +135,11 @@ CONFIG_MODULE_SIG_FORCE | y | kspp | self_pr CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection | FAIL: not found CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y" CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | FAIL: not found +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT | y | kspp | self_protection | FAIL: not found CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK +CONFIG_UBSAN_BOUNDS | y |maintainer| self_protection | FAIL: not found +CONFIG_UBSAN_SANITIZE_ALL | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" +CONFIG_UBSAN_TRAP | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | FAIL: "is not set" CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set" CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | FAIL: not found @@ -125,7 +151,6 @@ CONFIG_STACKLEAK_METRICS | is not set | clipos | self_pr CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set" CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK -CONFIG_UBSAN_BOUNDS | y | my | self_protection | FAIL: CONFIG_UBSAN_TRAP not "y" CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "m" CONFIG_SECURITY | y |defconfig | security_policy | OK 
@@ -162,9 +187,13 @@ CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_atta CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface | OK: not found -CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface | FAIL: "y" +CONFIG_KPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | FAIL: "y" +CONFIG_UPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y" +CONFIG_FUNCTION_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y" +CONFIG_STACK_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y" +CONFIG_HIST_TRIGGERS | is not set |grsecurity| cut_attack_surface | FAIL: "y" +CONFIG_BLK_DEV_IO_TRACE | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_USELIB | is not set |grsecurity| cut_attack_surface | FAIL: "y" 
@@ -175,10 +204,27 @@ CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_atta CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m" -CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK +CONFIG_FAIL_FUTEX | is not set |grsecurity| cut_attack_surface | OK: not found +CONFIG_PUNIT_ATOM_DEBUG | is not set |grsecurity| cut_attack_surface | FAIL: "m" +CONFIG_ACPI_CONFIGFS | is not set |grsecurity| cut_attack_surface | FAIL: "m" +CONFIG_EDAC_DEBUG | is not set |grsecurity| cut_attack_surface | OK +CONFIG_DRM_I915_DEBUG | is not set |grsecurity| cut_attack_surface | OK +CONFIG_BCACHE_CLOSURES_DEBUG | is not set |grsecurity| cut_attack_surface | OK +CONFIG_DVB_C8SECTPFE | is not set |grsecurity| cut_attack_surface | OK: not found +CONFIG_MTD_SLRAM | is not set |grsecurity| cut_attack_surface | FAIL: "m" +CONFIG_MTD_PHRAM | is not set |grsecurity| cut_attack_surface | FAIL: "m" +CONFIG_IO_URING | is not set |grsecurity| cut_attack_surface | FAIL: "y" +CONFIG_KCMP | is not set |grsecurity| cut_attack_surface | OK: not found +CONFIG_RSEQ | is not set |grsecurity| cut_attack_surface | FAIL: "y" +CONFIG_LATENCYTOP | is not set |grsecurity| cut_attack_surface | OK +CONFIG_KCOV | is not set |grsecurity| cut_attack_surface | OK +CONFIG_PROVIDE_OHCI1394_DMA_INIT | is not set |grsecurity| cut_attack_surface | OK +CONFIG_SUNRPC_DEBUG | is not set |grsecurity| cut_attack_surface | FAIL: "y" +CONFIG_PTDUMP_DEBUGFS | is not set |grsecurity| cut_attack_surface | OK: not found CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y" CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y" +CONFIG_BLK_DEV_FD | is not set |maintainer| cut_attack_surface | FAIL: "m" CONFIG_AIO | is not set |grapheneos| 
cut_attack_surface | FAIL: "y" CONFIG_STAGING | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_KSM | is not set | clipos | cut_attack_surface | FAIL: "y" @@ -189,7 +235,6 @@ CONFIG_KEXEC_FILE | is not set | clipos | cut_atta CONFIG_USER_NS | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | FAIL: "m" CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m" -CONFIG_IO_URING | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK: not found CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface | OK: not found @@ -198,6 +243,7 @@ CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_atta CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m" CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y" CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK +CONFIG_KPROBES | is not set | lockdown | cut_attack_surface | FAIL: "y" CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | FAIL: not found CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | FAIL: "y" @@ -209,7 +255,7 @@ CONFIG_INPUT_EVBUG | is not set | my | cut_atta CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] Config check is finished: 'OK' - 58 / 'FAIL' - 81 +[+] Config check is finished: 'OK' - 68 / 'FAIL' - 96 ``` ## kconfig-hardened-check versioning 
@@ -289,3 +335,5 @@ I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stép [12]: https://github.com/tych0 [13]: https://github.com/speed47/spectre-meltdown-checker [14]: https://github.com/speed47 +[15]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/53 +[16]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/54
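Review bot: in hunk `@@ -31,6 +31,8 @@`, a bare `TODO: RISC-V` line inside the supported-architecture list of a user-facing README reads as unfinished documentation, and the `usage:` block further down still advertises only `-p {X86_64,X86_32,ARM64,ARM}`. Either drop the line or reword it as a status note (for example `RISC-V: not supported yet`) with a link to the tracking issue, so readers do not expect a RISC-V value for `-p` to work.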
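Review bot: in hunk `@@ -41,6 +43,8 @@`, "Some Linux distributions also provide `kconfig-hardened-check` as a package" gives the reader nothing to act on; name the distributions or link to their package pages, and add that packaged builds can lag behind the checks in this repository (the `## kconfig-hardened-check versioning` section below is the natural place to cross-reference). A stale package silently misses newly added checks such as the UBSAN and tracer rows introduced in this same diff, which matters for a tool whose whole output is a list of what is missing.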
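Review bot: in hunk `@@ -60,7 +64,24 @@`, the fenced example under "internals of complex checks with AND/OR" starts at column 0 inside a nested list item, which in CommonMark terminates the list, so `-m show_fail`, `-m show_ok` and `-m json` render as a new list instead of continuing the `-m verbose` one; indent the fence and its contents to the nested item's level or move the example after the list. The text should also say how the `<<< OR >>>` block is evaluated (presumably the compound check passes when any of its sub-checks passes, which is why `CONFIG_STRICT_DEVMEM` and `CONFIG_DEVMEM` appear together), since the default mode hides exactly that detail.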
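Review bot: in hunk `@@ -113,7 +135,11 @@`, the UBSAN rows reverse the dependency shown before this change: the removed `my` row failed `CONFIG_UBSAN_BOUNDS` with `CONFIG_UBSAN_TRAP not "y"`, while the new `maintainer` rows fail `CONFIG_UBSAN_SANITIZE_ALL` and `CONFIG_UBSAN_TRAP` with `CONFIG_UBSAN_BOUNDS not "y"`. That is a change in check logic, not only in sample output, and nothing in the README diff explains it; the commit message or the `## Output modes` text should state that dependent checks are reported as failed when their prerequisite is missing, so that users of `-m show_fail` do not read these three rows as three independent problems on a config where `CONFIG_UBSAN_BOUNDS` is simply `not found`.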
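Review bot: in hunk `@@ -162,9 +187,13 @@`, `CONFIG_KPROBES` and `CONFIG_UPROBES` are replaced by `CONFIG_KPROBE_EVENTS` and `CONFIG_UPROBE_EVENTS` under `grsecurity`, and `CONFIG_KPROBES` reappears under `lockdown` in hunk `@@ -198,6 +243,7 @@`, but `CONFIG_UPROBES` is no longer checked anywhere in this diff. If dropping it is intentional, say so in the commit message; otherwise keep a `CONFIG_UPROBES` row next to the `lockdown` `CONFIG_KPROBES` one so the two probe subsystems are treated symmetrically.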
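Review bot: in hunk `@@ -175,10 +204,27 @@`, replacing `CONFIG_X86_PTDUMP` (previous result `OK`, i.e. the option exists in this config and is unset) with `CONFIG_PTDUMP_DEBUGFS` (new result `OK: not found`) weakens the check on kernels that still use the old name: a config with `CONFIG_X86_PTDUMP=y` would now be reported `OK: not found` for the renamed option. Combine both names in one compound check, as the `<<< OR >>>` example for `CONFIG_STRICT_DEVMEM` in this same diff documents, so that either name being enabled fails the check. Similarly, `CONFIG_IO_URING` moves from `clipos` to `grsecurity` (the `clipos` row is removed in hunk `@@ -189,7 +235,6 @@`); that is only a source-attribution change, but it deserves a sentence in the commit message so nobody reads the removed row as a dropped check.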
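Review bot: in hunk `@@ -209,7 +255,7 @@`, the new totals `'OK' - 68 / 'FAIL' - 96` are consistent with the rows this diff adds and removes (net +10 OK and +15 FAIL against the previous 58 / 81), so the example was regenerated as a whole rather than patched by hand. Record the tool version or commit that produced it next to the `## Example output for ...` heading, because the `## kconfig-hardened-check versioning` section that follows implies the output changes with every release and a reader otherwise cannot tell which set of checks the example reflects.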