kconfig-hardened-check.git
4 years agoFix the name for ClearLinux config
Alexander Popov [Wed, 4 Mar 2020 14:47:10 +0000 (17:47 +0300)]
Fix the name for ClearLinux config

4 years agoSTACKPROTECTOR_PER_TASK is now default for ARM
Alexander Popov [Wed, 4 Mar 2020 12:38:13 +0000 (15:38 +0300)]
STACKPROTECTOR_PER_TASK is now default for ARM

4 years agoSECURITY_WRITABLE_HOOKS is not disabled by default
Alexander Popov [Wed, 4 Mar 2020 12:29:34 +0000 (15:29 +0300)]
SECURITY_WRITABLE_HOOKS is not disabled by default

4 years agoInclude GCC_PLUGINS to defconfig
Alexander Popov [Wed, 4 Mar 2020 12:26:40 +0000 (15:26 +0300)]
Include GCC_PLUGINS to defconfig

This option is now enabled by default in case of compiler support.

4 years agoUpdate defconfigs (v5.5)
Alexander Popov [Wed, 4 Mar 2020 12:16:47 +0000 (15:16 +0300)]
Update defconfigs (v5.5)

4 years agoMerge branch 'config-updates-from-hackurx'
Alexander Popov [Thu, 27 Feb 2020 17:29:59 +0000 (20:29 +0300)]
Merge branch 'config-updates-from-hackurx'

Refers to PR #31.

Thanks to @HacKurx for his work.

4 years agoUpdate of the kconfig-hardened-check.py part 31/head
Loïc [Wed, 26 Feb 2020 10:10:21 +0000 (11:10 +0100)]
Update of the kconfig-hardened-check.py part

4 years agoAdd link for clearlinux
Loïc [Wed, 26 Feb 2020 09:55:46 +0000 (10:55 +0100)]
Add link for clearlinux

4 years agoAdd clearlinux-master
Loïc [Wed, 26 Feb 2020 09:53:04 +0000 (10:53 +0100)]
Add clearlinux-master

config check is finished: 'OK' - 74 / 'FAIL' - 49

4 years agoUpdate to 5.3.0-28-generic (LTS HWE)
Loïc [Mon, 24 Feb 2020 20:07:51 +0000 (21:07 +0100)]
Update to 5.3.0-28-generic (LTS HWE)

config check is finished: 'OK' - 50 / 'FAIL' - 73

4 years agoRemove debian-stretch.config
Loïc [Mon, 24 Feb 2020 17:41:04 +0000 (18:41 +0100)]
Remove debian-stretch.config

No need to support old stable versions

4 years agoAdd link for amazonlinux2
Loïc [Mon, 24 Feb 2020 17:38:36 +0000 (18:38 +0100)]
Add link for amazonlinux2

4 years agoUpdate to 4.14.165-133.209.amzn2.x86_64
Loïc [Mon, 24 Feb 2020 17:36:23 +0000 (18:36 +0100)]
Update to 4.14.165-133.209.amzn2.x86_64

config check is finished: 'OK' - 44 / 'FAIL' - 79

4 years agoUpdate to 5.4.21
Loïc [Mon, 24 Feb 2020 17:18:48 +0000 (18:18 +0100)]
Update to 5.4.21

config check is finished: 'OK' - 55 / 'FAIL' - 68

4 years agoUpdate to openSUSE-15.1
Loïc [Mon, 24 Feb 2020 17:16:20 +0000 (18:16 +0100)]
Update to openSUSE-15.1

config check is finished: 'OK' - 36 / 'FAIL' - 87

4 years agoUpdate to 5.3.16 (SLE15-SP2)
Loïc [Mon, 24 Feb 2020 17:14:18 +0000 (18:14 +0100)]
Update to 5.3.16 (SLE15-SP2)

config check is finished: 'OK' - 47 / 'FAIL' - 76

4 years agoUpdate to SLE15-SP2 and openSUSE-15.1
Loïc [Mon, 24 Feb 2020 17:12:12 +0000 (18:12 +0100)]
Update to SLE15-SP2 and openSUSE-15.1

4 years agoUpdate to 5.4.21
Loïc [Mon, 24 Feb 2020 17:08:01 +0000 (18:08 +0100)]
Update to 5.4.21

config check is finished: 'OK' - 87 / 'FAIL' - 36

4 years agoUpdate to 5.5.5-pentoo
Loïc [Mon, 24 Feb 2020 17:04:23 +0000 (18:04 +0100)]
Update to 5.5.5-pentoo

config check is finished: 'OK' - 84 / 'FAIL' - 39

4 years agoUpdate of some links
Loïc [Mon, 24 Feb 2020 17:02:25 +0000 (18:02 +0100)]
Update of some links

4 years agoUpdate to 5.4.1 (uek6)
Loïc [Mon, 24 Feb 2020 16:53:48 +0000 (17:53 +0100)]
Update to 5.4.1 (uek6)

config check is finished: 'OK' - 52 / 'FAIL' - 71

4 years agoUpdate to 4.18.0-147.5.1.el8_1.x86_64
Loïc [Mon, 24 Feb 2020 16:47:31 +0000 (17:47 +0100)]
Update to 4.18.0-147.5.1.el8_1.x86_64

config check is finished: 'OK' - 47 / 'FAIL' - 76

4 years agoUpdate to config-4.19.0-8-amd64
Loïc [Mon, 24 Feb 2020 16:43:54 +0000 (17:43 +0100)]
Update to config-4.19.0-8-amd64

config check is finished: 'OK' - 54 / 'FAIL' - 69

4 years agoFix INIT_ON_FREE_DEFAULT_ON vs PAGE_POISONING issue #28
Alexander Popov [Tue, 14 Jan 2020 10:28:25 +0000 (13:28 +0300)]
Fix INIT_ON_FREE_DEFAULT_ON vs PAGE_POISONING issue #28

PAGE_POISONING is a debugging feature.
It provides less erasing than INIT_ON_FREE_DEFAULT_ON.
Join these checks with OR giving preference to INIT_ON_FREE_DEFAULT_ON.

Thanks to @madaidan for the details.

Also drop my previous recommendations about CONFIG_PAGE_POISONING_NO_SANITY
and CONFIG_PAGE_POISONING_ZERO.

4 years agoAnswer the question about CONFIG_PANIC_ON_OOPS
Alexander Popov [Tue, 14 Jan 2020 09:35:38 +0000 (12:35 +0300)]
Answer the question about CONFIG_PANIC_ON_OOPS

Thanks to @madaidan
Refers to #29

4 years agoRecommend disabling VIDEO_VIVID
Alexander Popov [Sat, 11 Jan 2020 12:05:11 +0000 (15:05 +0300)]
Recommend disabling VIDEO_VIVID

The vivid driver is for testing. It doesn't require any special hardware.
It is shipped in Ubuntu, Debian, Arch Linux, SUSE Linux Enterprise and openSUSE.
On Ubuntu the devices created by this driver are available to the normal user,
since Ubuntu applies RW ACL when the user is logged in.

See the disclosure of CVE-2019-18683 which I've found and fixed in vivid driver:
https://www.openwall.com/lists/oss-security/2019/11/02/1

4 years agoTake some ideas from NixOS/nixpkgs hardened kernel config
Alexander Popov [Fri, 10 Jan 2020 14:41:14 +0000 (17:41 +0300)]
Take some ideas from NixOS/nixpkgs hardened kernel config

Add CONFIG_SECURITY_SAFESETID (y) and CONFIG_SECURITY_WRITABLE_HOOKS (n).

Refers to the pull request #27.

4 years agoPretty printing
Alexander Popov [Mon, 2 Dec 2019 14:23:57 +0000 (17:23 +0300)]
Pretty printing

4 years agoVersion 0.5.3 (supports Linux kernel v5.3) v0.5.3
Alexander Popov [Fri, 29 Nov 2019 13:56:32 +0000 (16:56 +0300)]
Version 0.5.3 (supports Linux kernel v5.3)

4 years agoAdd the link to Linux Kernel Defence Map
Alexander Popov [Fri, 29 Nov 2019 13:53:29 +0000 (16:53 +0300)]
Add the link to Linux Kernel Defence Map

4 years agoUpdate the README
Alexander Popov [Fri, 29 Nov 2019 13:25:59 +0000 (16:25 +0300)]
Update the README

4 years agoUpdate defconfigs
Alexander Popov [Fri, 29 Nov 2019 13:22:43 +0000 (16:22 +0300)]
Update defconfigs

4 years agoRANDOMIZE_BASE is now enabled by default on arm64
Alexander Popov [Fri, 29 Nov 2019 13:21:42 +0000 (16:21 +0300)]
RANDOMIZE_BASE is now enabled by default on arm64

4 years agox86_32: INTEL_IOMMU is not enabled by default - fix the reason
Alexander Popov [Thu, 28 Nov 2019 21:11:07 +0000 (00:11 +0300)]
x86_32: INTEL_IOMMU is not enabled by default - fix the reason

4 years agoX86_INTEL_UMIP is now X86_UMIP
Alexander Popov [Thu, 28 Nov 2019 21:07:48 +0000 (00:07 +0300)]
X86_INTEL_UMIP is now X86_UMIP

4 years agox86_64: more hardening options are enabled by default - change the reason
Alexander Popov [Thu, 28 Nov 2019 21:07:21 +0000 (00:07 +0300)]
x86_64: more hardening options are enabled by default - change the reason

4 years agoImprove the list of the kernel parameters in TODO
Alexander Popov [Thu, 28 Nov 2019 17:24:55 +0000 (20:24 +0300)]
Improve the list of the kernel parameters in TODO

4 years agoAdd CLIP OS links
Alexander Popov [Thu, 28 Nov 2019 17:23:04 +0000 (20:23 +0300)]
Add CLIP OS links

4 years agoUpdate the column width
Alexander Popov [Thu, 28 Nov 2019 16:56:13 +0000 (19:56 +0300)]
Update the column width

4 years agoSome of my recommendations are used by CLIP OS, change the `reason` field
Alexander Popov [Thu, 28 Nov 2019 16:54:55 +0000 (19:54 +0300)]
Some of my recommendations are used by CLIP OS, change the `reason` field

4 years agoDon't recommend disabling IKCONFIG anymore
Alexander Popov [Thu, 28 Nov 2019 16:30:01 +0000 (19:30 +0300)]
Don't recommend disabling IKCONFIG anymore

That info is needed for this script :)

4 years agoSave more hardening sysctls for TODO
Alexander Popov [Thu, 28 Nov 2019 16:28:52 +0000 (19:28 +0300)]
Save more hardening sysctls for TODO

4 years agoUpdate CLIP OS doc
Alexander Popov [Thu, 28 Nov 2019 16:27:53 +0000 (19:27 +0300)]
Update CLIP OS doc

4 years agoGroup security policies together
Alexander Popov [Thu, 28 Nov 2019 09:09:36 +0000 (12:09 +0300)]
Group security policies together

Also update the name of the lockdown feature (merged into v5.4).

4 years agoAdd INIT_ON_ALLOC_DEFAULT_ON and INIT_ON_FREE_DEFAULT_ON introduced in v5.3
Alexander Popov [Thu, 28 Nov 2019 09:07:11 +0000 (12:07 +0300)]
Add INIT_ON_ALLOC_DEFAULT_ON and INIT_ON_FREE_DEFAULT_ON introduced in v5.3

4 years agoAdd RODATA_FULL_DEFAULT_ENABLED for ARM64
Alexander Popov [Thu, 28 Nov 2019 09:06:27 +0000 (12:06 +0300)]
Add RODATA_FULL_DEFAULT_ENABLED for ARM64

4 years agoAdd info about Debian and AOSP kernel configs to links.txt
Alexander Popov [Thu, 28 Nov 2019 07:32:49 +0000 (10:32 +0300)]
Add info about Debian and AOSP kernel configs to links.txt

4 years agoAdd Debian Buster kernel config
Alexander Popov [Thu, 28 Nov 2019 07:17:57 +0000 (10:17 +0300)]
Add Debian Buster kernel config

4 years agoAdd AOSP kernel config for Pixel 3a
Alexander Popov [Thu, 28 Nov 2019 07:17:07 +0000 (10:17 +0300)]
Add AOSP kernel config for Pixel 3a

5 years agoIntroduce the versioning v0.5.2
Alexander Popov [Fri, 23 Aug 2019 16:09:36 +0000 (19:09 +0300)]
Introduce the versioning

At the Chaos Communication Camp 2019 @jelly told that it would be nice to add the kconfig-hardened-check to Arch Linux.

So I add versioning to make it happen.

Thanks @jelly, nice to meet you!

5 years agoUpdate the script output in the README
Alexander Popov [Fri, 23 Aug 2019 12:48:43 +0000 (15:48 +0300)]
Update the script output in the README

5 years agoAdd HARDEN_BRANCH_PREDICTOR and HARDEN_EL2_VECTORS
Alexander Popov [Fri, 23 Aug 2019 10:35:53 +0000 (13:35 +0300)]
Add HARDEN_BRANCH_PREDICTOR and HARDEN_EL2_VECTORS

5 years agoBring more order to the offsets (style fix)
Alexander Popov [Fri, 23 Aug 2019 11:40:41 +0000 (14:40 +0300)]
Bring more order to the offsets (style fix)

5 years agoAdd INIT_STACK_ALL as an alternative to GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
Alexander Popov [Thu, 22 Aug 2019 10:43:46 +0000 (13:43 +0300)]
Add INIT_STACK_ALL as an alternative to GCC_PLUGIN_STRUCTLEAK_BYREF_ALL

5 years agoAdd SHUFFLE_PAGE_ALLOCATOR from v5.2
Alexander Popov [Thu, 22 Aug 2019 10:35:32 +0000 (13:35 +0300)]
Add SHUFFLE_PAGE_ALLOCATOR from v5.2

5 years agoAdd some new sysctls (to remember them)
Alexander Popov [Thu, 22 Aug 2019 10:34:49 +0000 (13:34 +0300)]
Add some new sysctls (to remember them)

5 years agoMerge pull request #22 from adrianopol/master
Alexander Popov [Mon, 8 Jul 2019 14:07:18 +0000 (17:07 +0300)]
Merge pull request #22 from adrianopol/master

#20 fix: use right quotes in json output

Thanks @adrianopol

5 years ago#20 fix: use right quotes in json output 22/head
Andrew Petelin [Sun, 7 Jul 2019 19:24:41 +0000 (22:24 +0300)]
#20 fix: use right quotes in json output

5 years agoDo code refactoring without changing the functionality
Alexander Popov [Mon, 24 Jun 2019 12:05:51 +0000 (15:05 +0300)]
Do code refactoring without changing the functionality

Changes:
 - get rid of checklist global variable,
 - improve print_checks().

5 years agoMerge branch 'json-support'
Alexander Popov [Mon, 24 Jun 2019 11:04:11 +0000 (14:04 +0300)]
Merge branch 'json-support'

Thanks to @adrianopol

5 years agojson: Fix minor things and update the README
Alexander Popov [Mon, 24 Jun 2019 10:51:35 +0000 (13:51 +0300)]
json: Fix minor things and update the README

5 years agoadd --json option 21/head
Andrew Petelin [Fri, 21 Jun 2019 19:56:23 +0000 (22:56 +0300)]
add --json option

5 years agoDrop CONFIG_X86_MSR from the recommendations
Alexander Popov [Tue, 4 Jun 2019 22:04:07 +0000 (01:04 +0300)]
Drop CONFIG_X86_MSR from the recommendations

It exposes MSRs to the userspace, IMO it is not needed for mitigating
X86 CPU bugs.

Refers to the issue #19 (comment by @Bernhard40)

5 years agoAdd the LDISC_AUTOLOAD check
Alexander Popov [Mon, 3 Jun 2019 23:43:58 +0000 (02:43 +0300)]
Add the LDISC_AUTOLOAD check

In fact we have a false positive here because the absence
of the disabled CONFIG_LDISC_AUTOLOAD means FAIL (line
disciplines are automatically loaded).

TODO: Introduce a special check for this type of cases.

5 years agoAttribute some of my recommendations to CLIP OS - part II
Alexander Popov [Mon, 3 Jun 2019 20:00:59 +0000 (23:00 +0300)]
Attribute some of my recommendations to CLIP OS - part II

They have a bigger authority :)

Refers to the issue #19 by @HacKurx

5 years agoAdd the link to the CLIP OS kernel configuration
Alexander Popov [Mon, 3 Jun 2019 19:33:35 +0000 (22:33 +0300)]
Add the link to the CLIP OS kernel configuration

Refers to the issue #19 by @HacKurx

5 years agoUpdate the README
Alexander Popov [Mon, 3 Jun 2019 18:04:03 +0000 (21:04 +0300)]
Update the README

Refers to the issue #19 by @HacKurx

5 years agoUpdate the README (printing format)
Alexander Popov [Mon, 3 Jun 2019 17:55:44 +0000 (20:55 +0300)]
Update the README (printing format)

5 years agoAdd a snapshot of the CLIP OS config documentation
Alexander Popov [Mon, 3 Jun 2019 17:41:13 +0000 (20:41 +0300)]
Add a snapshot of the CLIP OS config documentation

Refers to the issue #19 by @HacKurx

5 years agoAttribute some of my recommendations to CLIP OS
Alexander Popov [Mon, 3 Jun 2019 17:38:17 +0000 (20:38 +0300)]
Attribute some of my recommendations to CLIP OS

They have a bigger authority :)

Refers to the issue #19 by @HacKurx

5 years agoAdd my recommendations for AMD (similar to CLIP OS recommendations for Intel)
Alexander Popov [Mon, 3 Jun 2019 17:27:51 +0000 (20:27 +0300)]
Add my recommendations for AMD (similar to CLIP OS recommendations for Intel)

Refers to the issue #19 by @HacKurx

5 years agoAdd X86-specific CLIP OS recommendations for kernel self-protection
Alexander Popov [Mon, 3 Jun 2019 17:24:21 +0000 (20:24 +0300)]
Add X86-specific CLIP OS recommendations for kernel self-protection

Refers to the issue #19 by @HacKurx

5 years agoAdd arch-independent CLIP OS recommendations for kernel self-protection
Alexander Popov [Mon, 3 Jun 2019 17:19:02 +0000 (20:19 +0300)]
Add arch-independent CLIP OS recommendations for kernel self-protection

Refers to the issue #19 by @HacKurx

5 years agoAdd more details about STACKLEAK
Alexander Popov [Mon, 3 Jun 2019 17:13:32 +0000 (20:13 +0300)]
Add more details about STACKLEAK

Refers to the issue #19 by @HacKurx

5 years agoDon't recommend any particular LSM to avoid the holy war
Alexander Popov [Mon, 3 Jun 2019 17:03:58 +0000 (20:03 +0300)]
Don't recommend any particular LSM to avoid the holy war

5 years agoAdd CLIP OS recommendations for cutting attack surface
Alexander Popov [Mon, 3 Jun 2019 17:02:42 +0000 (20:02 +0300)]
Add CLIP OS recommendations for cutting attack surface

Refers to the issue #19 by @HacKurx

5 years agoImprove printing of the results
Alexander Popov [Mon, 3 Jun 2019 16:59:25 +0000 (19:59 +0300)]
Improve printing of the results

5 years agoUpdate the link to Alpine config
Alexander Popov [Mon, 3 Jun 2019 10:12:35 +0000 (13:12 +0300)]
Update the link to Alpine config

5 years agoMerge pull request #18 from HacKurx/patch-1
Alexander Popov [Mon, 3 Jun 2019 10:10:28 +0000 (13:10 +0300)]
Merge pull request #18 from HacKurx/patch-1

Update pentoo config link

5 years agoUpdate pentoo config link 18/head
Loïc [Sat, 1 Jun 2019 12:02:36 +0000 (14:02 +0200)]
Update pentoo config link

5 years agoAdd more kernel command line parameters to comments
Alexander Popov [Mon, 27 May 2019 14:42:53 +0000 (17:42 +0300)]
Add more kernel command line parameters to comments

Going to use them in future

5 years agoMerge remote-tracking branch 'hackurx/master'
Alexander Popov [Fri, 17 May 2019 15:13:40 +0000 (18:13 +0300)]
Merge remote-tracking branch 'hackurx/master'

Thanks to @HacKurx for updating the distro configs.

5 years agoCreate rhel-8.0.config 17/head
Loïc [Sun, 12 May 2019 15:04:25 +0000 (17:04 +0200)]
Create rhel-8.0.config

config check is finished: 'OK' - 41 / 'FAIL' - 62

5 years agoUpdate and rename pentoo-4.17.11.config to pentoo-livecd.config
Loïc [Sun, 12 May 2019 09:59:15 +0000 (11:59 +0200)]
Update and rename pentoo-4.17.11.config to pentoo-livecd.config

config check is finished: 'OK' - 71 / 'FAIL' - 32

5 years agoUpdate Archlinux-hardened.config
Loïc [Sun, 12 May 2019 09:54:43 +0000 (11:54 +0200)]
Update Archlinux-hardened.config

config check is finished: 'OK' - 75 / 'FAIL' - 28

5 years agoUpdate Alpinelinux-edge.config
Loïc [Sun, 12 May 2019 09:51:39 +0000 (11:51 +0200)]
Update Alpinelinux-edge.config

config check is finished: 'OK' - 49 / 'FAIL' - 54

5 years agoUpdate debian-stretch.config
Loïc [Sun, 12 May 2019 09:46:53 +0000 (11:46 +0200)]
Update debian-stretch.config

config check is finished: 'OK' - 42 / 'FAIL' - 61

5 years agoCreate AmazonLinux2.config
Loïc [Sun, 12 May 2019 09:38:12 +0000 (11:38 +0200)]
Create AmazonLinux2.config

config check is finished: 'OK' - 42 / 'FAIL' - 61

5 years agoAdd Q&A to the README
Alexander Popov [Wed, 20 Mar 2019 07:25:22 +0000 (10:25 +0300)]
Add Q&A to the README

Refers to the issue #14 by @jcberthon.

5 years agoAdd the comment about kptr_restrict
Alexander Popov [Wed, 13 Mar 2019 17:40:23 +0000 (20:40 +0300)]
Add the comment about kptr_restrict

5 years agoAdd ARM64_PTR_AUTH check
Alexander Popov [Wed, 13 Mar 2019 13:45:34 +0000 (16:45 +0300)]
Add ARM64_PTR_AUTH check

5 years agoAdd STACKPROTECTOR_PER_TASK check for ARM
Alexander Popov [Wed, 13 Mar 2019 09:02:19 +0000 (12:02 +0300)]
Add STACKPROTECTOR_PER_TASK check for ARM

5 years agoAdd defconfigs for 5.0
Alexander Popov [Wed, 13 Mar 2019 08:37:13 +0000 (11:37 +0300)]
Add defconfigs for 5.0

5 years agoDon't hide AND check results if the requirements are not met
Alexander Popov [Tue, 12 Mar 2019 21:46:32 +0000 (00:46 +0300)]
Don't hide AND check results if the requirements are not met

Report them as FAIL.

Thanks to @Bernhard40 for this nice idea.

5 years agoUpdate the README
Alexander Popov [Tue, 12 Mar 2019 15:11:56 +0000 (18:11 +0300)]
Update the README

5 years agoImprove the final result output
Alexander Popov [Tue, 12 Mar 2019 14:29:20 +0000 (17:29 +0300)]
Improve the final result output

Refers to issue #13.

5 years agoUse the AND check for HARDENED_USERCOPY_FALLBACK
Alexander Popov [Tue, 12 Mar 2019 14:12:14 +0000 (17:12 +0300)]
Use the AND check for HARDENED_USERCOPY_FALLBACK

If HARDENED_USERCOPY is not set, HARDENED_USERCOPY_FALLBACK is not checked.

Refers to issue #13.

5 years agoUse the AND check for PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO
Alexander Popov [Tue, 12 Mar 2019 14:10:57 +0000 (17:10 +0300)]
Use the AND check for PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO

If PAGE_POISONING is not set, PAGE_POISONING_NO_SANITY and
PAGE_POISONING_ZERO are not checked.

Refers to issue #13.

5 years agoImplement AND ComplexOptCheck
Alexander Popov [Tue, 12 Mar 2019 13:45:35 +0000 (16:45 +0300)]
Implement AND ComplexOptCheck

Use case: AND(<suboption>, <main_option>).
Suboption is not checked if checking of the main_option is failed.

It's needed to solve issue #13.

5 years agoAdd a sanity check and do minor refactoring
Alexander Popov [Tue, 12 Mar 2019 13:42:23 +0000 (16:42 +0300)]
Add a sanity check and do minor refactoring