X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=714bb4af1431f2d5c8bb93d674ad1643b0bf5918;hb=48471f9c100834fb82be7bb73fa40fe23f24a437;hp=a6e3b089e5388808f110fd51779f8028dc909595;hpb=33a61e05f504ad3d7591f785cde9f29473b50140;p=kconfig-hardened-check.git diff --git a/README.md b/README.md index a6e3b08..714bb4a 100644 --- a/README.md +++ b/README.md @@ -14,8 +14,8 @@ make our systems more secure. But nobody likes checking configs manually. So let the computers do their job! -__kconfig-hardened-check__ helps me to check the Linux kernel options -against my security hardening preferences, which are based on the +__kconfig-hardened-check__ is a tool for checking the security hardening options of the Linux kernel. +The recommendations are based on - [KSPP recommended settings][1] - [CLIP OS kernel configuration][2] @@ -63,24 +63,29 @@ Some Linux distributions also provide `kconfig-hardened-check` as a package. ## Usage ``` -usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] - [-c CONFIG] - [-l CMDLINE] - [-m {verbose,json,show_ok,show_fail}] +usage: kconfig-hardened-check [-h] [--version] [-m {verbose,json,show_ok,show_fail}] + [-c CONFIG] [-l CMDLINE] [-p {X86_64,X86_32,ARM64,ARM}] + [-g {X86_64,X86_32,ARM64,ARM}] A tool for checking the security hardening options of the Linux kernel -optional arguments: +options: -h, --help show this help message and exit --version show program's version number and exit - -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM} - print security hardening preferences for the selected architecture - -c CONFIG, --config CONFIG - check the kernel kconfig file against these preferences - -l CMDLINE, --cmdline CMDLINE - check the kernel cmdline file against these preferences -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail} choose the report mode + -c CONFIG, --config CONFIG + check the security hardening options in the kernel Kconfig file + (also supports *.gz files) + -l CMDLINE, --cmdline CMDLINE + check the security hardening options in the kernel cmdline file + (contents of /proc/cmdline) + -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM} + print the security hardening recommendations for the selected + microarchitecture + -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM} + generate a Kconfig fragment with the security hardening options + for the selected microarchitecture ``` ## Output modes @@ -338,14 +343,22 @@ sysrq_always_enabled |cmdline| is not set | my |cut_att [+] Config check is finished: 'OK' - 122 / 'FAIL' - 101 ``` -## kconfig-hardened-check versioning - -I usually update the kernel security hardening recommendations every few kernel releases. - -So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel. +## Generating a Kconfig fragment with the security hardening options -The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__ +With the `-g` argument, the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture. +This Kconfig fragment can be merged with the existing Linux kernel config: +``` +$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment +$ cd ~/linux-src/ +$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment +Using .config as base +Merging /tmp/fragment +Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment: +Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set +New value: CONFIG_BUG_ON_DATA_CORRUPTION=y + ... +``` ## Questions and answers