X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=290768eed613f06cbf752ba2f6e43b0a5a6de02b;hb=e2ecf1ab64d1f4193eddff47df362afce2385c09;hp=6640200a74efd243bcc1951651b510396754638a;hpb=08ce37731061a74fc3711567231be71461d7eeff;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 6640200..ee0babe 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -1,520 +1,114 @@ #!/usr/bin/python3 -# -# This tool helps me to check the Linux kernel Kconfig option list -# against my hardening preferences for X86_64, ARM64, X86_32, and ARM. -# Let the computers do their job! -# -# Author: Alexander Popov -# -# Please don't cry if my Python code looks like C. -# -# -# N.B Hardening command line parameters: -# slub_debug=FZP -# slab_nomerge -# page_alloc.shuffle=1 -# iommu=force (does it help against DMA attacks?) -# page_poison=1 (if enabled) -# init_on_alloc=1 -# init_on_free=1 -# loadpin.enforce=1 -# -# Mitigations of CPU vulnerabilities: -# Аrch-independent: -# mitigations=auto,nosmt -# X86: -# spectre_v2=on -# pti=on -# spec_store_bypass_disable=on -# l1tf=full,force -# mds=full,nosmt -# tsx=off -# ARM64: -# kpti=on -# ssbd=force-on -# -# N.B. Hardening sysctls: -# kernel.kptr_restrict=2 -# kernel.dmesg_restrict=1 -# kernel.perf_event_paranoid=3 -# kernel.kexec_load_disabled=1 -# kernel.yama.ptrace_scope=3 -# user.max_user_namespaces=0 -# kernel.unprivileged_bpf_disabled=1 -# net.core.bpf_jit_harden=2 -# -# vm.unprivileged_userfaultfd=0 -# -# dev.tty.ldisc_autoload=0 -# fs.protected_symlinks=1 -# fs.protected_hardlinks=1 -# fs.protected_fifos=2 -# fs.protected_regular=2 -# fs.suid_dumpable=0 -# kernel.modules_disabled=1 +""" +This tool is for checking the security hardening options of the Linux kernel. +Author: Alexander Popov + +This module performs input/output. +""" + +# pylint: disable=missing-function-docstring,line-too-long,invalid-name,too-many-branches,too-many-statements + +import gzip import sys from argparse import ArgumentParser from collections import OrderedDict import re import json from .__about__ import __version__ +from .checks import add_kconfig_checks, add_cmdline_checks, normalize_cmdline_options, add_sysctl_checks +from .engine import populate_with_data, perform_checks, override_expected_value -# pylint: disable=line-too-long,bad-whitespace,too-many-branches -# pylint: disable=too-many-statements,global-statement - -# debug_mode enables: -# - reporting about unknown kernel options in the config, -# - verbose printing of ComplexOptChecks (OR, AND). -debug_mode = False - -# json_mode is for printing results in JSON format -json_mode = False - -supported_archs = ['X86_64', 'X86_32', 'ARM64', 'ARM'] -kernel_version = None +def _open(file: str, *args, **kwargs): + open_method = open + if file.endswith(".gz"): + open_method = gzip.open + return open_method(file, *args, **kwargs) -class OptCheck: - def __init__(self, name, expected, decision, reason): - self.name = name - self.expected = expected - self.decision = decision - self.reason = reason - self.state = None - self.result = None - def check(self): - if self.expected == self.state: - self.result = 'OK' - elif self.state is None: - if self.expected == 'is not set': - self.result = 'OK: not found' - else: - self.result = 'FAIL: not found' - else: - self.result = 'FAIL: "' + self.state + '"' - - if self.result.startswith('OK'): - return True - return False - - def table_print(self, with_results): - print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='') - if with_results: - print('| {}'.format(self.result), end='') - - -class VerCheck: - def __init__(self, ver_expected): - self.ver_expected = ver_expected - self.result = None - - def check(self): - if kernel_version[0] > self.ver_expected[0]: - self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) - return True - if kernel_version[0] < self.ver_expected[0]: - self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) - return False - if kernel_version[1] >= self.ver_expected[1]: - self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) - return True - self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) - return False - - def table_print(self, with_results): - ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) - print('{:<91}'.format(ver_req), end='') - if with_results: - print('| {}'.format(self.result), end='') - - -class PresenceCheck: - def __init__(self, name): - self.name = name - self.state = None - self.result = None - - def check(self): - if self.state is None: - self.result = 'FAIL: not present' - return False - self.result = 'OK: is present' - return True - - def table_print(self, with_results): - print('CONFIG_{:<84}'.format(self.name + ' is present'), end='') - if with_results: - print('| {}'.format(self.result), end='') - - -class ComplexOptCheck: - def __init__(self, *opts): - self.opts = opts - self.result = None - - @property - def name(self): - return self.opts[0].name - - @property - def expected(self): - return self.opts[0].expected - - @property - def state(self): - return self.opts[0].state - - @property - def decision(self): - return self.opts[0].decision - - @property - def reason(self): - return self.opts[0].reason - - def table_print(self, with_results): - if debug_mode: - print(' {:87}'.format('<<< ' + self.__class__.__name__ + ' >>>'), end='') - if with_results: - print('| {}'.format(self.result), end='') - for o in self.opts: - print() - o.table_print(with_results) - else: - o = self.opts[0] - o.table_print(False) - if with_results: - print('| {}'.format(self.result), end='') - - -class OR(ComplexOptCheck): - # self.opts[0] is the option that this OR-check is about. - # Use case: - # OR(, ) - # OR(, ) - - def check(self): - if not self.opts: - sys.exit('[!] ERROR: invalid OR check') - - for i, opt in enumerate(self.opts): - ret = opt.check() - if ret: - if i == 0 or not hasattr(opt, 'expected'): - self.result = opt.result - else: - self.result = 'OK: CONFIG_{} "{}"'.format(opt.name, opt.expected) - return True - self.result = self.opts[0].result - return False - - -class AND(ComplexOptCheck): - # self.opts[0] is the option that this AND-check is about. - # Use case: AND(, ) - # Suboption is not checked if checking of the main_option is failed. - - def check(self): - for i, opt in reversed(list(enumerate(self.opts))): - ret = opt.check() - if i == 0: - self.result = opt.result - return ret - if not ret: - if hasattr(opt, 'expected'): - self.result = 'FAIL: CONFIG_{} is needed'.format(opt.name) - else: - self.result = opt.result - return False - - sys.exit('[!] ERROR: invalid AND check') - - -def detect_arch(fname): - with open(fname, 'r') as f: - arch_pattern = re.compile("CONFIG_[a-zA-Z0-9_]*=y") +def detect_arch(fname, archs): + with _open(fname, 'rt', encoding='utf-8') as f: + arch_pattern = re.compile("CONFIG_[a-zA-Z0-9_]+=y$") arch = None - if not json_mode: - print('[+] Trying to detect architecture in "{}"...'.format(fname)) for line in f.readlines(): if arch_pattern.match(line): option, _ = line[7:].split('=', 1) - if option in supported_archs: - if not arch: + if option in archs: + if arch is None: arch = option else: - return None, 'more than one supported architecture is detected' - if not arch: - return None, 'failed to detect architecture' + return None, 'detected more than one microarchitecture' + if arch is None: + return None, 'failed to detect microarchitecture' return arch, 'OK' -def detect_version(fname): - with open(fname, 'r') as f: - ver_pattern = re.compile("# Linux/.* Kernel Configuration") - if not json_mode: - print('[+] Trying to detect kernel version in "{}"...'.format(fname)) +def detect_kernel_version(fname): + with _open(fname, 'rt', encoding='utf-8') as f: + ver_pattern = re.compile("# Linux/.+ Kernel Configuration$") for line in f.readlines(): if ver_pattern.match(line): line = line.strip() - if not json_mode: - print('[+] Found version line: "{}"'.format(line)) parts = line.split() ver_str = parts[2] ver_numbers = ver_str.split('.') if len(ver_numbers) < 3 or not ver_numbers[0].isdigit() or not ver_numbers[1].isdigit(): - msg = 'failed to parse the version "' + ver_str + '"' + msg = f'failed to parse the version "{ver_str}"' return None, msg return (int(ver_numbers[0]), int(ver_numbers[1])), None return None, 'no kernel version detected' -def construct_checklist(checklist, arch): - modules_not_set = OptCheck('MODULES', 'is not set', 'kspp', 'cut_attack_surface') - devmem_not_set = OptCheck('DEVMEM', 'is not set', 'kspp', 'cut_attack_surface') # refers to LOCKDOWN - - checklist.append(OptCheck('BUG', 'y', 'defconfig', 'self_protection')) - checklist.append(OR(OptCheck('STRICT_KERNEL_RWX', 'y', 'defconfig', 'self_protection'), \ - OptCheck('DEBUG_RODATA', 'y', 'defconfig', 'self_protection'))) # before v4.11 - checklist.append(OR(OptCheck('STACKPROTECTOR_STRONG', 'y', 'defconfig', 'self_protection'), \ - OptCheck('CC_STACKPROTECTOR_STRONG', 'y', 'defconfig', 'self_protection'))) - checklist.append(OptCheck('SLUB_DEBUG', 'y', 'defconfig', 'self_protection')) - checklist.append(OR(OptCheck('STRICT_MODULE_RWX', 'y', 'defconfig', 'self_protection'), \ - OptCheck('DEBUG_SET_MODULE_RONX', 'y', 'defconfig', 'self_protection'), \ - modules_not_set)) # DEBUG_SET_MODULE_RONX was before v4.11 - checklist.append(OptCheck('GCC_PLUGINS', 'y', 'defconfig', 'self_protection')) - checklist.append(OR(OptCheck('REFCOUNT_FULL', 'y', 'defconfig', 'self_protection'), \ - VerCheck((5, 5)))) # REFCOUNT_FULL is enabled by default since v5.5 - iommu_support_is_set = OptCheck('IOMMU_SUPPORT', 'y', 'defconfig', 'self_protection') # is needed for mitigating DMA attacks - checklist.append(iommu_support_is_set) - if arch in ('X86_64', 'X86_32'): - checklist.append(OptCheck('MICROCODE', 'y', 'defconfig', 'self_protection')) # is needed for mitigating CPU bugs - checklist.append(OptCheck('RETPOLINE', 'y', 'defconfig', 'self_protection')) - checklist.append(OptCheck('X86_SMAP', 'y', 'defconfig', 'self_protection')) - checklist.append(OR(OptCheck('X86_UMIP', 'y', 'defconfig', 'self_protection'), \ - OptCheck('X86_INTEL_UMIP', 'y', 'defconfig', 'self_protection'))) - checklist.append(OptCheck('SYN_COOKIES', 'y', 'defconfig', 'self_protection')) # another reason? - if arch == 'X86_64': - checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'defconfig', 'self_protection')) - checklist.append(OptCheck('RANDOMIZE_MEMORY', 'y', 'defconfig', 'self_protection')) - checklist.append(AND(OptCheck('INTEL_IOMMU', 'y', 'defconfig', 'self_protection'), \ - iommu_support_is_set)) - checklist.append(AND(OptCheck('AMD_IOMMU', 'y', 'defconfig', 'self_protection'), \ - iommu_support_is_set)) - if arch == 'ARM64': - checklist.append(OptCheck('UNMAP_KERNEL_AT_EL0', 'y', 'defconfig', 'self_protection')) - checklist.append(OptCheck('HARDEN_EL2_VECTORS', 'y', 'defconfig', 'self_protection')) - checklist.append(OptCheck('RODATA_FULL_DEFAULT_ENABLED', 'y', 'defconfig', 'self_protection')) - checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'self_protection')) - if arch in ('X86_64', 'ARM64'): - checklist.append(OptCheck('VMAP_STACK', 'y', 'defconfig', 'self_protection')) - if arch in ('X86_64', 'ARM64', 'X86_32'): - checklist.append(OptCheck('RANDOMIZE_BASE', 'y', 'defconfig', 'self_protection')) - checklist.append(OptCheck('THREAD_INFO_IN_TASK', 'y', 'defconfig', 'self_protection')) - if arch == 'ARM': - checklist.append(OptCheck('CPU_SW_DOMAIN_PAN', 'y', 'defconfig', 'self_protection')) - checklist.append(OptCheck('STACKPROTECTOR_PER_TASK', 'y', 'defconfig', 'self_protection')) - if arch in ('ARM64', 'ARM'): - checklist.append(OptCheck('HARDEN_BRANCH_PREDICTOR', 'y', 'defconfig', 'self_protection')) - - checklist.append(OptCheck('BUG_ON_DATA_CORRUPTION', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('DEBUG_WX', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('SCHED_STACK_END_CHECK', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('SLAB_FREELIST_HARDENED', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('SLAB_FREELIST_RANDOM', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('SHUFFLE_PAGE_ALLOCATOR', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('FORTIFY_SOURCE', 'y', 'kspp', 'self_protection')) - randstruct_is_set = OptCheck('GCC_PLUGIN_RANDSTRUCT', 'y', 'kspp', 'self_protection') - checklist.append(randstruct_is_set) - checklist.append(OptCheck('GCC_PLUGIN_LATENT_ENTROPY', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('DEBUG_LIST', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('DEBUG_SG', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('DEBUG_CREDENTIALS', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('DEBUG_NOTIFIERS', 'y', 'kspp', 'self_protection')) - hardened_usercopy_is_set = OptCheck('HARDENED_USERCOPY', 'y', 'kspp', 'self_protection') - checklist.append(hardened_usercopy_is_set) - checklist.append(AND(OptCheck('HARDENED_USERCOPY_FALLBACK', 'is not set', 'kspp', 'self_protection'), \ - hardened_usercopy_is_set)) - checklist.append(OR(OptCheck('MODULE_SIG', 'y', 'kspp', 'self_protection'), \ - modules_not_set)) - checklist.append(OR(OptCheck('MODULE_SIG_ALL', 'y', 'kspp', 'self_protection'), \ - modules_not_set)) - checklist.append(OR(OptCheck('MODULE_SIG_SHA512', 'y', 'kspp', 'self_protection'), \ - modules_not_set)) - checklist.append(OR(OptCheck('MODULE_SIG_FORCE', 'y', 'kspp', 'self_protection'), \ - modules_not_set)) # refers to LOCKDOWN - checklist.append(OR(OptCheck('INIT_STACK_ALL', 'y', 'kspp', 'self_protection'), \ - OptCheck('GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y', 'kspp', 'self_protection'))) - checklist.append(OptCheck('INIT_ON_ALLOC_DEFAULT_ON', 'y', 'kspp', 'self_protection')) - checklist.append(OR(OptCheck('INIT_ON_FREE_DEFAULT_ON', 'y', 'kspp', 'self_protection'), \ - OptCheck('PAGE_POISONING', 'y', 'kspp', 'self_protection'))) # before v5.3 - if arch in ('X86_64', 'ARM64', 'X86_32'): - stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'kspp', 'self_protection') - checklist.append(stackleak_is_set) - checklist.append(AND(OptCheck('STACKLEAK_METRICS', 'is not set', 'clipos', 'self_protection'), \ - stackleak_is_set)) - checklist.append(AND(OptCheck('STACKLEAK_RUNTIME_DISABLE', 'is not set', 'clipos', 'self_protection'), \ - stackleak_is_set)) - if arch in ('X86_64', 'X86_32'): - checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '65536', 'kspp', 'self_protection')) - if arch == 'X86_32': - checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('HIGHMEM64G', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('X86_PAE', 'y', 'kspp', 'self_protection')) - if arch == 'ARM64': - checklist.append(OptCheck('ARM64_SW_TTBR0_PAN', 'y', 'kspp', 'self_protection')) - if arch in ('ARM64', 'ARM'): - checklist.append(OptCheck('SYN_COOKIES', 'y', 'kspp', 'self_protection')) # another reason? - checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '32768', 'kspp', 'self_protection')) - - checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'clipos', 'self_protection')) - checklist.append(OptCheck('DEBUG_VIRTUAL', 'y', 'clipos', 'self_protection')) - checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'clipos', 'self_protection')) # needs userspace support (systemd) - checklist.append(OptCheck('SLAB_MERGE_DEFAULT', 'is not set', 'clipos', 'self_protection')) # slab_nomerge - checklist.append(AND(OptCheck('GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set', 'clipos', 'self_protection'), \ - randstruct_is_set)) - checklist.append(OptCheck('RANDOM_TRUST_BOOTLOADER', 'is not set', 'clipos', 'self_protection')) - checklist.append(OptCheck('RANDOM_TRUST_CPU', 'is not set', 'clipos', 'self_protection')) - if arch in ('X86_64', 'X86_32'): - checklist.append(AND(OptCheck('INTEL_IOMMU_SVM', 'y', 'clipos', 'self_protection'), \ - iommu_support_is_set)) - checklist.append(AND(OptCheck('INTEL_IOMMU_DEFAULT_ON', 'y', 'clipos', 'self_protection'), \ - iommu_support_is_set)) - if arch == 'X86_32': - checklist.append(AND(OptCheck('INTEL_IOMMU', 'y', 'clipos', 'self_protection'), \ - iommu_support_is_set)) - - checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection')) - checklist.append(OptCheck('RESET_ATTACK_MITIGATION', 'y', 'my', 'self_protection')) # needs userspace support (systemd) - if arch == 'X86_64': - checklist.append(AND(OptCheck('AMD_IOMMU_V2', 'y', 'my', 'self_protection'), \ - iommu_support_is_set)) - - if arch in ('X86_64', 'ARM64', 'X86_32'): - checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy')) # and choose your favourite LSM - if arch == 'ARM': - checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM - checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy')) - checklist.append(OR(OptCheck('SECURITY_WRITABLE_HOOKS', 'is not set', 'my', 'security_policy'), \ - OptCheck('SECURITY_SELINUX_DISABLE', 'is not set', 'kspp', 'security_policy'))) - checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'clipos', 'security_policy')) - checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'clipos', 'security_policy')) - checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'clipos', 'security_policy')) - loadpin_is_set = OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy') # needs userspace support - checklist.append(loadpin_is_set) - checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE', 'y', 'my', 'security_policy'), \ - loadpin_is_set)) - checklist.append(OptCheck('SECURITY_SAFESETID', 'y', 'my', 'security_policy')) - - checklist.append(OptCheck('SECCOMP', 'y', 'defconfig', 'cut_attack_surface')) - checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface')) - if arch in ('X86_64', 'ARM64', 'X86_32'): - checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'defconfig', 'cut_attack_surface'), \ - devmem_not_set)) # refers to LOCKDOWN - - checklist.append(modules_not_set) - checklist.append(devmem_not_set) - checklist.append(OR(OptCheck('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \ - devmem_not_set)) # refers to LOCKDOWN - if arch == 'ARM': - checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \ - devmem_not_set)) # refers to LOCKDOWN - if arch == 'X86_64': - checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none' - checklist.append(OptCheck('ACPI_CUSTOM_METHOD', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('COMPAT_BRK', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('DEVKMEM', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('COMPAT_VDSO', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('BINFMT_MISC', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('INET_DIAG', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('KEXEC', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('PROC_KCORE', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('LEGACY_PTYS', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('HIBERNATION', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('IA32_EMULATION', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('X86_X32', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('OABI_COMPAT', 'is not set', 'kspp', 'cut_attack_surface')) - - checklist.append(OptCheck('X86_PTDUMP', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('ZSMALLOC_STAT', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('PAGE_OWNER', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('DEBUG_KMEMLEAK', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('BINFMT_AOUT', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('KPROBES', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('UPROBES', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('GENERIC_TRACER', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('PROC_VMCORE', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('PROC_PAGE_MONITOR', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('USELIB', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('CHECKPOINT_RESTORE', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('USERFAULTFD', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('HWPOISON_INJECT', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('MEM_SOFT_DIRTY', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('DEVPORT', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('DEBUG_FS', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('NOTIFIER_ERROR_INJECTION','is not set', 'grsecurity', 'cut_attack_surface')) - - checklist.append(OptCheck('DRM_LEGACY', 'is not set', 'maintainer', 'cut_attack_surface')) - checklist.append(OptCheck('FB', 'is not set', 'maintainer', 'cut_attack_surface')) - checklist.append(OptCheck('VT', 'is not set', 'maintainer', 'cut_attack_surface')) - - checklist.append(OptCheck('ACPI_TABLE_UPGRADE', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('X86_IOPL_IOPERM', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('EFI_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN - - if arch in ('X86_64', 'X86_32'): - checklist.append(OptCheck('X86_INTEL_TSX_MODE_OFF', 'y', 'clipos', 'cut_attack_surface')) # tsx=off - checklist.append(OptCheck('STAGING', 'is not set', 'clipos', 'cut_attack_surface')) - checklist.append(OptCheck('KSM', 'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack -# checklist.append(OptCheck('IKCONFIG', 'is not set', 'clipos', 'cut_attack_surface')) # no, this info is needed for this check :) - checklist.append(OptCheck('KALLSYMS', 'is not set', 'clipos', 'cut_attack_surface')) - checklist.append(OptCheck('X86_VSYSCALL_EMULATION', 'is not set', 'clipos', 'cut_attack_surface')) - checklist.append(OptCheck('MAGIC_SYSRQ', 'is not set', 'clipos', 'cut_attack_surface')) - checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN (permissive) - checklist.append(OptCheck('USER_NS', 'is not set', 'clipos', 'cut_attack_surface')) # user.max_user_namespaces=0 - checklist.append(OptCheck('X86_MSR', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('X86_CPUID', 'is not set', 'clipos', 'cut_attack_surface')) - checklist.append(AND(OptCheck('LDISC_AUTOLOAD', 'is not set', 'clipos', 'cut_attack_surface'), \ - PresenceCheck('LDISC_AUTOLOAD'))) - - checklist.append(OptCheck('AIO', 'is not set', 'grapheneos', 'cut_attack_surface')) - - checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCKDOWN (permissive) - checklist.append(OptCheck('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface')) - checklist.append(OptCheck('IP_DCCP', 'is not set', 'my', 'cut_attack_surface')) - checklist.append(OptCheck('IP_SCTP', 'is not set', 'my', 'cut_attack_surface')) - checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCKDOWN - checklist.append(OptCheck('BPF_JIT', 'is not set', 'my', 'cut_attack_surface')) - checklist.append(OptCheck('VIDEO_VIVID', 'is not set', 'my', 'cut_attack_surface')) - checklist.append(OptCheck('INPUT_EVBUG', 'is not set', 'my', 'cut_attack_surface')) # Can be used as a keylogger - - checklist.append(OptCheck('INTEGRITY', 'y', 'defconfig', 'userspace_hardening')) - if arch in ('ARM', 'X86_32'): - checklist.append(OptCheck('VMSPLIT_3G', 'y', 'defconfig', 'userspace_hardening')) - if arch in ('X86_64', 'ARM64'): - checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '32', 'clipos', 'userspace_hardening')) - if arch in ('X86_32', 'ARM'): - checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '16', 'my', 'userspace_hardening')) - -# checklist.append(OptCheck('LKDTM', 'm', 'my', 'feature_test')) - - -def print_checklist(checklist, with_results): - if json_mode: - opts = [] - for o in checklist: - opt = ['CONFIG_'+o.name, o.expected, o.decision, o.reason] - if with_results: - opt.append(o.result) - opts.append(opt) - print(json.dumps(opts)) +def detect_compiler(fname): + gcc_version = None + clang_version = None + with _open(fname, 'rt', encoding='utf-8') as f: + for line in f.readlines(): + if line.startswith('CONFIG_GCC_VERSION='): + gcc_version = line[19:-1] + if line.startswith('CONFIG_CLANG_VERSION='): + clang_version = line[21:-1] + if gcc_version is None or clang_version is None: + return None, 'no CONFIG_GCC_VERSION or CONFIG_CLANG_VERSION' + if gcc_version == '0' and clang_version != '0': + return 'CLANG ' + clang_version, 'OK' + if gcc_version != '0' and clang_version == '0': + return 'GCC ' + gcc_version, 'OK' + sys.exit(f'[!] ERROR: invalid GCC_VERSION and CLANG_VERSION: {gcc_version} {clang_version}') + + +def print_unknown_options(checklist, parsed_options): + known_options = [] + + for o1 in checklist: + if o1.type != 'complex': + known_options.append(o1.name) + continue + for o2 in o1.opts: + if o2.type != 'complex': + if hasattr(o2, 'name'): + known_options.append(o2.name) + continue + for o3 in o2.opts: + assert(o3.type != 'complex'), \ + f'unexpected ComplexOptCheck inside {o2.name}' + if hasattr(o3, 'name'): + known_options.append(o3.name) + + for option, value in parsed_options.items(): + if option not in known_options: + print(f'[?] No check for option {option} ({value})') + + +def print_checklist(mode, checklist, with_results): + if mode == 'json': + output = [] + for opt in checklist: + output.append(opt.json_dump(with_results)) + print(json.dumps(output)) return # table header @@ -522,138 +116,266 @@ def print_checklist(checklist, with_results): if with_results: sep_line_len += 30 print('=' * sep_line_len) - print('{:^45}|{:^13}|{:^10}|{:^20}'.format('option name', 'desired val', 'decision', 'reason'), end='') + print(f'{"option name":^40}|{"type":^7}|{"desired val":^12}|{"decision":^10}|{"reason":^18}', end='') if with_results: - print('| {}'.format('check result'), end='') + print('| check result', end='') print() print('=' * sep_line_len) # table contents for opt in checklist: - opt.table_print(with_results) + if with_results: + if mode == 'show_ok': + if not opt.result.startswith('OK'): + continue + if mode == 'show_fail': + if not opt.result.startswith('FAIL'): + continue + opt.table_print(mode, with_results) print() - if debug_mode: + if mode == 'verbose': print('-' * sep_line_len) print() + # final score + if with_results: + fail_count = len(list(filter(lambda opt: opt.result.startswith('FAIL'), checklist))) + fail_suppressed = '' + ok_count = len(list(filter(lambda opt: opt.result.startswith('OK'), checklist))) + ok_suppressed = '' + if mode == 'show_ok': + fail_suppressed = ' (suppressed in output)' + if mode == 'show_fail': + ok_suppressed = ' (suppressed in output)' + print(f'[+] Config check is finished: \'OK\' - {ok_count}{ok_suppressed} / \'FAIL\' - {fail_count}{fail_suppressed}') + + +def parse_kconfig_file(mode, parsed_options, fname): + with _open(fname, 'rt', encoding='utf-8') as f: + opt_is_on = re.compile("CONFIG_[a-zA-Z0-9_]+=.+$") + opt_is_off = re.compile("# CONFIG_[a-zA-Z0-9_]+ is not set$") -def perform_checks(checklist, parsed_options): - for opt in checklist: - if hasattr(opt, 'opts'): - # prepare ComplexOptCheck - for o in opt.opts: - if hasattr(o, 'state'): - o.state = parsed_options.get(o.name, None) - else: - # prepare simple check - if not hasattr(opt, 'state'): - sys.exit('[!] ERROR: bad simple check {}'.format(vars(opt))) - opt.state = parsed_options.get(opt.name, None) - opt.check() - - -def check_config_file(checklist, fname, arch): - with open(fname, 'r') as f: - parsed_options = OrderedDict() - opt_is_on = re.compile("CONFIG_[a-zA-Z0-9_]*=[a-zA-Z0-9_\"]*") - opt_is_off = re.compile("# CONFIG_[a-zA-Z0-9_]* is not set") - - if not json_mode: - print('[+] Checking "{}" against {} hardening preferences...'.format(fname, arch)) for line in f.readlines(): line = line.strip() option = None value = None if opt_is_on.match(line): - option, value = line[7:].split('=', 1) + option, value = line.split('=', 1) + if value == 'is not set': + sys.exit(f'[!] ERROR: bad enabled Kconfig option "{line}"') elif opt_is_off.match(line): - option, value = line[9:].split(' ', 1) - if value != 'is not set': - sys.exit('[!] ERROR: bad disabled config option "{}"'.format(line)) + option, value = line[2:].split(' ', 1) + assert(value == 'is not set'), \ + f'unexpected value of disabled Kconfig option "{line}"' + elif line != '' and not line.startswith('#') and mode != 'json': + print(f'[!] WARNING: strange line in Kconfig file: "{line}"') if option in parsed_options: - sys.exit('[!] ERROR: config option "{}" exists multiple times'.format(line)) + sys.exit(f'[!] ERROR: Kconfig option "{line}" is found multiple times') - if option is not None: + if option: parsed_options[option] = value - perform_checks(checklist, parsed_options) - if debug_mode: - known_options = [] - for opt in checklist: - if hasattr(opt, 'opts'): - for o in opt.opts: - if hasattr(o, 'name'): - known_options.append(o.name) - else: - known_options.append(opt.name) - for option, value in parsed_options.items(): - if option not in known_options: - print('DEBUG: dunno about option {} ({})'.format(option, value)) +def parse_cmdline_file(mode, parsed_options, fname): + with open(fname, 'r', encoding='utf-8') as f: + line = f.readline() + opts = line.split() - print_checklist(checklist, True) + line = f.readline() + if line: + sys.exit(f'[!] ERROR: more than one line in "{fname}"') -def main(): - global debug_mode - global json_mode - global kernel_version + for opt in opts: + if '=' in opt: + name, value = opt.split('=', 1) + else: + name = opt + value = '' # '' is not None + if name in parsed_options and mode != 'json': + print(f'[!] WARNING: cmdline option "{name}" is found multiple times') + value = normalize_cmdline_options(name, value) + parsed_options[name] = value - config_checklist = [] +def parse_sysctl_file(mode, parsed_options, fname): + with open(fname, 'r', encoding='utf-8') as f: + sysctl_pattern = re.compile("[a-zA-Z0-9/\._-]+ =.*$") + for line in f.readlines(): + line = line.strip() + if not sysctl_pattern.match(line): + sys.exit(f'[!] ERROR: unexpected line in sysctl file: {line}') + option, value = line.split('=', 1) + option = option.strip() + value = value.strip() + # sysctl options may be found multiple times, let's save the last value: + parsed_options[option] = value + + # let's check the presence of some ancient sysctl option + # to ensure that we are parsing the output of `sudo sysctl -a > file` + if 'kernel.printk' not in parsed_options: + sys.exit(f'[!] ERROR: {fname} doesn\'t look like a sysctl output file, please try `sudo sysctl -a > {fname}`') + + # let's check the presence of a sysctl option available for root + if 'net.core.bpf_jit_harden' not in parsed_options and mode != 'json': + print(f'[!] WARNING: sysctl option "net.core.bpf_jit_harden" available for root is not found in {fname}, please try `sudo sysctl -a > {fname}`') + + +def main(): + # Report modes: + # * verbose mode for + # - reporting about unknown kernel options in the Kconfig + # - verbose printing of ComplexOptCheck items + # * json mode for printing the results in JSON format + report_modes = ['verbose', 'json', 'show_ok', 'show_fail'] + supported_archs = ['X86_64', 'X86_32', 'ARM64', 'ARM'] parser = ArgumentParser(prog='kconfig-hardened-check', - description='Checks the hardening options in the Linux kernel config') - parser.add_argument('-p', '--print', choices=supported_archs, - help='print hardening preferences for selected architecture') - parser.add_argument('-c', '--config', - help='check the config_file against these preferences') - parser.add_argument('--debug', action='store_true', - help='enable verbose debug mode') - parser.add_argument('--json', action='store_true', - help='print results in JSON format') + description='A tool for checking the security hardening options of the Linux kernel') parser.add_argument('--version', action='version', version='%(prog)s ' + __version__) + parser.add_argument('-m', '--mode', choices=report_modes, + help='choose the report mode') + parser.add_argument('-c', '--config', + help='check the security hardening options in the kernel Kconfig file (also supports *.gz files)') + parser.add_argument('-l', '--cmdline', + help='check the security hardening options in the kernel cmdline file (contents of /proc/cmdline)') + parser.add_argument('-s', '--sysctl', + help='check the security hardening options in the sysctl output file (`sudo sysctl -a > file`)') + parser.add_argument('-p', '--print', choices=supported_archs, + help='print the security hardening recommendations for the selected microarchitecture') + parser.add_argument('-g', '--generate', choices=supported_archs, + help='generate a Kconfig fragment with the security hardening options for the selected microarchitecture') args = parser.parse_args() - if args.debug: - debug_mode = True - print('[!] WARNING: debug mode is enabled') - if args.json: - json_mode = True - if debug_mode and json_mode: - sys.exit('[!] ERROR: options --debug and --json cannot be used simultaneously') + mode = None + if args.mode: + mode = args.mode + if mode != 'json': + print(f'[+] Special report mode: {mode}') + + config_checklist = [] if args.config: - arch, msg = detect_arch(args.config) - if not arch: - sys.exit('[!] ERROR: {}'.format(msg)) - elif not json_mode: - print('[+] Detected architecture: {}'.format(arch)) - - kernel_version, msg = detect_version(args.config) - if not kernel_version: - sys.exit('[!] ERROR: {}'.format(msg)) - elif not json_mode: - print('[+] Detected kernel version: {}.{}'.format(kernel_version[0], kernel_version[1])) - - construct_checklist(config_checklist, arch) - check_config_file(config_checklist, args.config, arch) - error_count = len(list(filter(lambda opt: opt.result.startswith('FAIL'), config_checklist))) - ok_count = len(list(filter(lambda opt: opt.result.startswith('OK'), config_checklist))) - if not debug_mode and not json_mode: - print('[+] config check is finished: \'OK\' - {} / \'FAIL\' - {}'.format(ok_count, error_count)) + if args.print: + sys.exit('[!] ERROR: --config and --print can\'t be used together') + + if args.generate: + sys.exit('[!] ERROR: --config and --generate can\'t be used together') + + if mode != 'json': + print(f'[+] Kconfig file to check: {args.config}') + if args.cmdline: + print(f'[+] Kernel cmdline file to check: {args.cmdline}') + if args.sysctl: + print(f'[+] Sysctl output file to check: {args.sysctl}') + + arch, msg = detect_arch(args.config, supported_archs) + if arch is None: + sys.exit(f'[!] ERROR: {msg}') + if mode != 'json': + print(f'[+] Detected microarchitecture: {arch}') + + kernel_version, msg = detect_kernel_version(args.config) + if kernel_version is None: + sys.exit(f'[!] ERROR: {msg}') + if mode != 'json': + print(f'[+] Detected kernel version: {kernel_version[0]}.{kernel_version[1]}') + + compiler, msg = detect_compiler(args.config) + if mode != 'json': + if compiler: + print(f'[+] Detected compiler: {compiler}') + else: + print(f'[-] Can\'t detect the compiler: {msg}') + + # add relevant Kconfig checks to the checklist + add_kconfig_checks(config_checklist, arch) + + if args.cmdline: + # add relevant cmdline checks to the checklist + add_cmdline_checks(config_checklist, arch) + + if args.sysctl: + # add relevant sysctl checks to the checklist + add_sysctl_checks(config_checklist, arch) + + # populate the checklist with the parsed Kconfig data + parsed_kconfig_options = OrderedDict() + parse_kconfig_file(mode, parsed_kconfig_options, args.config) + populate_with_data(config_checklist, parsed_kconfig_options, 'kconfig') + + # populate the checklist with the kernel version data + populate_with_data(config_checklist, kernel_version, 'version') + + if args.cmdline: + # populate the checklist with the parsed cmdline data + parsed_cmdline_options = OrderedDict() + parse_cmdline_file(mode, parsed_cmdline_options, args.cmdline) + populate_with_data(config_checklist, parsed_cmdline_options, 'cmdline') + + if args.sysctl: + # populate the checklist with the parsed sysctl data + parsed_sysctl_options = OrderedDict() + parse_sysctl_file(mode, parsed_sysctl_options, args.sysctl) + populate_with_data(config_checklist, parsed_sysctl_options, 'sysctl') + + # hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check + mmap_rnd_bits_max = parsed_kconfig_options.get('CONFIG_ARCH_MMAP_RND_BITS_MAX', None) + if mmap_rnd_bits_max: + override_expected_value(config_checklist, 'CONFIG_ARCH_MMAP_RND_BITS', mmap_rnd_bits_max) + + # now everything is ready, perform the checks + perform_checks(config_checklist) + + if mode == 'verbose': + # print the parsed options without the checks (for debugging) + all_parsed_options = parsed_kconfig_options # assignment does not copy + if args.cmdline: + all_parsed_options.update(parsed_cmdline_options) + if args.sysctl: + all_parsed_options.update(parsed_sysctl_options) + print_unknown_options(config_checklist, all_parsed_options) + + # finally print the results + print_checklist(mode, config_checklist, True) + sys.exit(0) + elif args.cmdline: + sys.exit('[!] ERROR: checking cmdline depends on checking Kconfig') + elif args.sysctl: + # TODO: sysctl check should also work separately + sys.exit('[!] ERROR: checking sysctl depends on checking Kconfig') if args.print: + assert(args.config is None and args.cmdline is None and args.sysctl is None), 'unexpected args' + if args.generate: + sys.exit('[!] ERROR: --print and --generate can\'t be used together') + if mode and mode not in ('verbose', 'json'): + sys.exit(f'[!] ERROR: wrong mode "{mode}" for --print') arch = args.print - construct_checklist(config_checklist, arch) - if not json_mode: - print('[+] Printing kernel hardening preferences for {}...'.format(arch)) - print_checklist(config_checklist, False) + add_kconfig_checks(config_checklist, arch) + add_cmdline_checks(config_checklist, arch) + add_sysctl_checks(config_checklist, arch) + if mode != 'json': + print(f'[+] Printing kernel security hardening options for {arch}...') + print_checklist(mode, config_checklist, False) + sys.exit(0) + + if args.generate: + assert(args.config is None and args.cmdline is None and args.sysctl is None and args.print is None), 'unexpected args' + if mode: + sys.exit(f'[!] ERROR: wrong mode "{mode}" for --generate') + arch = args.generate + add_kconfig_checks(config_checklist, arch) + print(f'CONFIG_{arch}=y') # the Kconfig fragment should describe the microarchitecture + for opt in config_checklist: + if opt.name == 'CONFIG_ARCH_MMAP_RND_BITS': + continue # don't add CONFIG_ARCH_MMAP_RND_BITS because its value needs refinement + if opt.expected == 'is not set': + print(f'# {opt.name} is not set') + else: + print(f'{opt.name}={opt.expected}') sys.exit(0) parser.print_help() sys.exit(0) - -if __name__ == '__main__': - main()