X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=76d4e1dd2de7fef729e8862622082bc72b53964a;hb=a47bed83770d59987ae270d059a59e4a8fe81117;hp=b2389d91b13708ec6b73d4a0c07d97123207e3a5;hpb=ed10b5afc2b65437a635a6db224f2c3d1a837479;p=kconfig-hardened-check.git diff --git a/README.md b/README.md index b2389d9..76d4e1d 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,9 @@ against my hardening preferences, which are based on the - [KSPP recommended settings][1], - [CLIP OS kernel configuration][2], - - last public [grsecurity][3] patch (options which they disable). + - last public [grsecurity][3] patch (options which they disable), + - [SECURITY_LOCKDOWN_LSM][5] patchset, + - direct feedback from Linux kernel maintainers (Daniel Vetter in [issue #38][6]). I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the relationships between these hardening features and the corresponding vulnerability classes @@ -42,7 +44,7 @@ or simply run `./bin/kconfig-hardened-check` from the cloned repository. ## Usage ``` usage: kconfig-hardened-check [-h] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG] - [--debug] [--json] + [--debug] [--json] [--version] Checks the hardening options in the Linux kernel config @@ -54,6 +56,7 @@ optional arguments: check the config_file against these preferences --debug enable verbose debug mode --json print results in JSON format + --version show program's version number and exit ``` ## Output for `Ubuntu 18.04 (Bionic Beaver with HWE)` kernel config @@ -174,6 +177,9 @@ CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_atta CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m" +CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK +CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y" +CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y" CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface | FAIL: "y" CONFIG_X86_IOPL_IOPERM | is not set | lockdown | cut_attack_surface | OK: not found CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m" @@ -201,7 +207,7 @@ CONFIG_VIDEO_VIVID | is not set | my | cut_atta CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] config check is finished: 'OK' - 55 / 'FAIL' - 77 +[+] config check is finished: 'OK' - 56 / 'FAIL' - 79 ``` ## kconfig-hardened-check versioning @@ -210,9 +216,7 @@ I usually update the kernel hardening recommendations after each Linux kernel re So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel. -The version format is: __[major_number].[kernel_version]__ - -The current version of `kconfig-hardened-check` is __0.5.5__, it's marked with the git tag. +The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__ ## Questions and answers @@ -247,3 +251,5 @@ if we have a kernel oops in the process context, the offending/attacking process [2]: https://docs.clip-os.org/clipos/kernel.html#configuration [3]: https://grsecurity.net/ [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map +[5]: https://lwn.net/Articles/791863/ +[6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38