X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=d8a43a6d09bf38e2b4ef3cf5bdcb4f37ea5c825a;hb=4de80103b72ee3d7842b032c5513ab1aee5b6129;hp=c69a5e7f228bc290aac09c00331384bc3d30079d;hpb=a5535b23fad7cd21010c890bcb7322fc7abfe0c1;p=kconfig-hardened-check.git diff --git a/README.md b/README.md index c69a5e7..d8a43a6 100644 --- a/README.md +++ b/README.md @@ -28,8 +28,8 @@ Please don't cry if my Python code looks like C. I'm just a kernel developer. ### Usage ``` -#usage: kconfig-hardened-check.py [-h] [-p {X86_64,X86_32,ARM64,ARM}] - [-c CONFIG] [--debug] +usage: kconfig-hardened-check.py [-h] [-p {X86_64,X86_32,ARM64,ARM}] + [-c CONFIG] [--debug] [--json] Checks the hardening options in the Linux kernel config @@ -40,6 +40,7 @@ optional arguments: -c CONFIG, --config CONFIG check the config_file against these preferences --debug enable internal debug mode + --json print results in JSON format ``` @@ -70,11 +71,10 @@ CONFIG_DEBUG_WX | y | kspp | self_protect CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection || OK CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection || OK CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection || OK +CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection || FAIL: not found CONFIG_FORTIFY_SOURCE | y | kspp | self_protection || OK CONFIG_GCC_PLUGINS | y | kspp | self_protection || FAIL: "is not set" CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || FAIL: not found -CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || FAIL: not found -CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || FAIL: not found CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || FAIL: not found CONFIG_DEBUG_LIST | y | kspp | self_protection || FAIL: "is not set" CONFIG_DEBUG_SG | y | kspp | self_protection || FAIL: "is not set" @@ -104,13 +104,14 @@ CONFIG_IOMMU_SUPPORT | y | clipos | self_protect CONFIG_INTEL_IOMMU | y | clipos | self_protection || OK CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection || OK CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection || FAIL: "is not set" -CONFIG_AMD_IOMMU | y | my | self_protection || OK -CONFIG_AMD_IOMMU_V2 | y | my | self_protection || FAIL: "m" +CONFIG_INIT_STACK_ALL | y | my | self_protection || FAIL: not found CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set" CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set" CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed +CONFIG_AMD_IOMMU | y | my | self_protection || OK +CONFIG_AMD_IOMMU_V2 | y | my | self_protection || FAIL: "m" CONFIG_SECURITY | y |defconfig | security_policy || OK CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK CONFIG_SECCOMP | y |defconfig | cut_attack_surface || OK @@ -175,8 +176,18 @@ CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_prot [+] config check is finished: 'OK' - 50 / 'FAIL' - 70 ``` +## kconfig-hardened-check versioning + +I usually update the kernel hardening recommendations after each Linux kernel release. + +So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel. + +The version format is: __[major_number].[kernel_version]__ + +The current version of `kconfig-hardened-check` is __0.5.2__, it's marked with the git tag. + -### Questions and answers +## Questions and answers __Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!