The security hardening recommendations are based on:
- [KSPP recommended settings][1]
- - Last public [grsecurity][3] patch (options which they disable)
+ - [Direct feedback from the Linux kernel maintainers][23]
++ - Kernel options disabled by [grsecurity][3] to cut attack surface
- [CLIP OS kernel configuration][2]
- - [grsecurity][3] patch (options which they disable)
+ - [GrapheneOS][25] recommendations
- [SECURITY_LOCKDOWN_LSM][5] patchset
- - [Direct feedback from the Linux kernel maintainers][23]
I also created the [__Linux Kernel Defence Map__][4], which is a graphical representation of the
relationships between security hardening features and the corresponding vulnerability classes
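Review bot: the new GrapheneOS bullet cites reference `[25]`, but no `[25]: ...` link definition appears in this hunk; make sure the README's reference list gains that entry, otherwise the bullet renders as literal `[GrapheneOS][25]` text. The `[23]` maintainer-feedback bullet is only moved up, not changed, so its existing definition still applies, and the reworded grsecurity bullet keeps `[3]`.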
l += [KconfigCheck('cut_attack_surface', 'grsec', 'SUNRPC_DEBUG', 'is not set')]
l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
KconfigCheck('cut_attack_surface', 'grsec', 'X86_PTDUMP', 'is not set'))]
+ l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
+ KconfigCheck('cut_attack_surface', 'grsec', 'ARM_PTDUMP', 'is not set'))]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'X86_16BIT', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'BLK_DEV_UBLK', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'VCAP_KUNIT_TEST', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'SMB_SERVER', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'XFS_ONLINE_SCRUB_STATS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'BUILD_SALT', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'CACHESTAT_SYSCALL', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'PREEMPTIRQ_TRACEPOINTS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'ENABLE_DEFAULT_TRACERS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'PROVE_LOCKING', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'MPTCP', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'TLS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'TIPC', 'is not set')]
- # 'cut_attack_surface', 'maintainer'
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] # recommended by Daniel Vetter in /issues/38
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] # recommended by Daniel Vetter in /issues/38
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD_RAWCMD', 'is not set')] # recommended by Denis Efremov in /pull/62
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'NOUVEAU_LEGACY_CTX_SUPPORT', 'is not set')]
- # recommended by Dave Airlie in kernel commit b30a43ac7132cdda
-
# 'cut_attack_surface', 'clipos'
l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack
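Review bot: `BUILD_SALT` is a string Kconfig symbol (`config BUILD_SALT`, `string "Build ID Salt"`, default empty in init/Kconfig), so a kernel built without a salt carries `CONFIG_BUILD_SALT=""` in its .config rather than `# CONFIG_BUILD_SALT is not set`; unless the .config parser maps an empty string value to `is not set`, the new `KconfigCheck('cut_attack_surface', 'grsec', 'BUILD_SALT', 'is not set')` will report every such config as FAIL with value `""`, so either accept the empty string there or add a comment saying what value the check really wants. Two related points: the removed `'maintainer'` block (DRM_LEGACY, FB, VT, BLK_DEV_FD, BLK_DEV_FD_RAWCMD, NOUVEAU_LEGACY_CTX_SUPPORT) has no replacement anywhere in this diff while the README hunk above still lists direct feedback from the kernel maintainers as a source, so either those checks now live elsewhere or the two files disagree; and the added `ARM_PTDUMP` pair and the `X86_16BIT` check sit in the same unguarded list as the `X86_PTDUMP` pair, so unless an architecture guard above these lines (outside the hunk) separates them, each architecture gets a second `PTDUMP_DEBUGFS` entry whose only job is to report the other architecture's option as not found. Finally, the `clipos` entries carry a one-line rationale (`# to prevent FLUSH+RELOAD attack`) but none of the new `grsec` lines do; `TLS` and `MPTCP` in particular remove kernel TLS and multipath TCP for all userspace, and a short comment on why grsecurity turns them off would help readers decide whether to follow the check.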