X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=714bb4af1431f2d5c8bb93d674ad1643b0bf5918;hb=bd3b0638e8c18cd629bd8c639d273d0e98d36cd2;hp=919654006c5b15cffad92e5cf0e3a59a194c70fe;hpb=295a293b0f21b016b1a9ec0eae1f29e52e70cff1;p=kconfig-hardened-check.git
diff --git a/README.md b/README.md
index 9196540..714bb4a 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,10 @@
# kconfig-hardened-check
-![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/a13xp0p0v/kconfig-hardened-check?label=release)
-![functional test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/functional%20test/badge.svg)
-[![Coverage Status](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
+[![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/a13xp0p0v/kconfig-hardened-check?label=release)](https://github.com/a13xp0p0v/kconfig-hardened-check/tags)
+[![functional test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/functional%20test/badge.svg)](https://github.com/a13xp0p0v/kconfig-hardened-check/actions/workflows/functional_test.yml)
+[![functional test coverage](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg?flag=functional_test)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
+[![engine unit-test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/engine%20unit-test/badge.svg)](https://github.com/a13xp0p0v/kconfig-hardened-check/actions/workflows/engine_unit-test.yml)
+[![unit-test coverage](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg?flag=engine_unit-test)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
## Motivation
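Review bot: the two workflow badges in this hunk use the name-based badge URL (`workflows/functional%20test/badge.svg`, `workflows/engine%20unit-test/badge.svg`) while their link targets use the file-based form (`actions/workflows/functional_test.yml`); the name-based badge breaks as soon as the workflow's `name:` is edited, so use `actions/workflows/functional_test.yml/badge.svg` and `actions/workflows/engine_unit-test.yml/badge.svg` for the images too. Minor: both codecov badges select a flag with `?flag=` but link to the same unfiltered codecov page, so clicking either lands on the same report.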
@@ -12,8 +14,8 @@ make our systems more secure.
But nobody likes checking configs manually. So let the computers do their job!
-__kconfig-hardened-check__ helps me to check the Linux kernel options
-against my security hardening preferences, which are based on the
+__kconfig-hardened-check__ is a tool for checking the security hardening options of the Linux kernel.
+The recommendations are based on
- [KSPP recommended settings][1]
- [CLIP OS kernel configuration][2]
@@ -32,10 +34,11 @@ and functionality of userspace software. So for choosing these parameters consid
the threat model of your Linux-based information system and perform thorough testing
of its typical workload.
-## Repository mirrors
+## Repositories
- - At Codeberg: [https://codeberg.org/a13xp0p0v/kconfig-hardened-check](https://codeberg.org/a13xp0p0v/kconfig-hardened-check)
- - At GitFlic: [https://gitflic.ru/project/a13xp0p0v/kconfig-hardened-check](https://gitflic.ru/project/a13xp0p0v/kconfig-hardened-check)
+ - Main at GitHub
+ - Mirror at Codeberg:
+ - Mirror at GitFlic:
## Supported microarchitectures
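Review bot: the new list entries `- Mirror at Codeberg:` and `- Mirror at GitFlic:` end in a colon with nothing after it, whereas the lines they replace carried the full `https://codeberg.org/...` and `https://gitflic.ru/...` URLs, and `- Main at GitHub` has no link at all; readers of the rendered README cannot reach any of the three repositories from this section. Restore the URLs, e.g. `- Main at GitHub: https://github.com/a13xp0p0v/kconfig-hardened-check`, and the same for the two mirrors.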
@@ -60,24 +63,29 @@ Some Linux distributions also provide `kconfig-hardened-check` as a package.
## Usage
```
-usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]
- [-c CONFIG]
- [-l CMDLINE]
- [-m {verbose,json,show_ok,show_fail}]
+usage: kconfig-hardened-check [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
+ [-c CONFIG] [-l CMDLINE] [-p {X86_64,X86_32,ARM64,ARM}]
+ [-g {X86_64,X86_32,ARM64,ARM}]
A tool for checking the security hardening options of the Linux kernel
-optional arguments:
+options:
-h, --help show this help message and exit
--version show program's version number and exit
- -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
- print security hardening preferences for the selected architecture
- -c CONFIG, --config CONFIG
- check the kernel kconfig file against these preferences
- -l CMDLINE, --cmdline CMDLINE
- check the kernel cmdline file against these preferences
-m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
choose the report mode
+ -c CONFIG, --config CONFIG
+ check the security hardening options in the kernel Kconfig file
+ (also supports *.gz files)
+ -l CMDLINE, --cmdline CMDLINE
+ check the security hardening options in the kernel cmdline file
+ (contents of /proc/cmdline)
+ -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
+ print the security hardening recommendations for the selected
+ microarchitecture
+ -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
+ generate a Kconfig fragment with the security hardening options
+ for the selected microarchitecture
```
## Output modes
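Review bot: the new `-g` option is documented as an action alongside `-c`, `-l` and `-p`, but the usage text does not say how these combine, in particular whether `-g` can be given together with `-c`/`-l`, and whether `-m` (described only as "choose the report mode") has any effect on the fragment `-g` prints; add a sentence stating which options are mutually exclusive, or reflect it in the synopsis, so a reader does not expect `-c .config -g X86_64` to both check and generate. Nit: the synopsis line wrapping puts `-g` on its own line while the other options are packed two per line.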
@@ -335,14 +343,22 @@ sysrq_always_enabled |cmdline| is not set | my |cut_att
[+] Config check is finished: 'OK' - 122 / 'FAIL' - 101
```
-## kconfig-hardened-check versioning
-
-I usually update the kernel security hardening recommendations every few kernel releases.
-
-So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
+## Generating a Kconfig fragment with the security hardening options
-The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
+With the `-g` argument, the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.
+This Kconfig fragment can be merged with the existing Linux kernel config:
+```
+$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
+$ cd ~/linux-src/
+$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
+Using .config as base
+Merging /tmp/fragment
+Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
+Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
+New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
+ ...
+```
## Questions and answers
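Review bot: the `merge_config.sh` example stops at `...` and does not tell the reader to verify the result; `merge_config.sh` reports fragment values it could not apply (options whose dependencies are not satisfied in the base config) only as warnings in that output, so the merged `.config` can still fail some checks. Add a final step such as `./bin/kconfig-hardened-check -c ~/linux-src/.config` so the documented workflow closes the loop, and consider `mktemp` instead of the fixed world-writable path `/tmp/fragment`. Separately, this hunk deletes the whole "kconfig-hardened-check versioning" section (the `[major_number].[kernel_version].[kernel_patchlevel]` format and the note that recommendations track kernel releases) without moving that text elsewhere; if the scheme still applies, keep it, e.g. under "Questions and answers".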