Alexander Popov [Wed, 4 Mar 2020 14:47:10 +0000 (17:47 +0300)]
Fix the name for ClearLinux config
Alexander Popov [Wed, 4 Mar 2020 12:38:13 +0000 (15:38 +0300)]
STACKPROTECTOR_PER_TASK is now default for ARM
Alexander Popov [Wed, 4 Mar 2020 12:29:34 +0000 (15:29 +0300)]
SECURITY_WRITABLE_HOOKS is not disabled by default
Alexander Popov [Wed, 4 Mar 2020 12:26:40 +0000 (15:26 +0300)]
Include GCC_PLUGINS to defconfig
This option is now enabled by default in case of compiler support.
Alexander Popov [Wed, 4 Mar 2020 12:16:47 +0000 (15:16 +0300)]
Update defconfigs (v5.5)
Alexander Popov [Thu, 27 Feb 2020 17:29:59 +0000 (20:29 +0300)]
Merge branch 'config-updates-from-hackurx'
Refers to PR #31.
Thanks to @HacKurx for his work.
Loïc [Wed, 26 Feb 2020 10:10:21 +0000 (11:10 +0100)]
Update of the kconfig-hardened-check.py part
Loïc [Wed, 26 Feb 2020 09:55:46 +0000 (10:55 +0100)]
Add link for clearlinux
Loïc [Wed, 26 Feb 2020 09:53:04 +0000 (10:53 +0100)]
Add clearlinux-master
config check is finished: 'OK' - 74 / 'FAIL' - 49
Loïc [Mon, 24 Feb 2020 20:07:51 +0000 (21:07 +0100)]
Update to 5.3.0-28-generic (LTS HWE)
config check is finished: 'OK' - 50 / 'FAIL' - 73
Loïc [Mon, 24 Feb 2020 17:41:04 +0000 (18:41 +0100)]
Remove debian-stretch.config
No need to support old stable versions
Loïc [Mon, 24 Feb 2020 17:38:36 +0000 (18:38 +0100)]
Add link for amazonlinux2
Loïc [Mon, 24 Feb 2020 17:36:23 +0000 (18:36 +0100)]
Update to 4.14.165-133.209.amzn2.x86_64
config check is finished: 'OK' - 44 / 'FAIL' - 79
Loïc [Mon, 24 Feb 2020 17:18:48 +0000 (18:18 +0100)]
Update to 5.4.21
config check is finished: 'OK' - 55 / 'FAIL' - 68
Loïc [Mon, 24 Feb 2020 17:16:20 +0000 (18:16 +0100)]
Update to openSUSE-15.1
config check is finished: 'OK' - 36 / 'FAIL' - 87
Loïc [Mon, 24 Feb 2020 17:14:18 +0000 (18:14 +0100)]
Update to 5.3.16 (SLE15-SP2)
config check is finished: 'OK' - 47 / 'FAIL' - 76
Loïc [Mon, 24 Feb 2020 17:12:12 +0000 (18:12 +0100)]
Update to SLE15-SP2 and openSUSE-15.1
Loïc [Mon, 24 Feb 2020 17:08:01 +0000 (18:08 +0100)]
Update to 5.4.21
config check is finished: 'OK' - 87 / 'FAIL' - 36
Loïc [Mon, 24 Feb 2020 17:04:23 +0000 (18:04 +0100)]
Update to 5.5.5-pentoo
config check is finished: 'OK' - 84 / 'FAIL' - 39
Loïc [Mon, 24 Feb 2020 17:02:25 +0000 (18:02 +0100)]
Update of some links
Loïc [Mon, 24 Feb 2020 16:53:48 +0000 (17:53 +0100)]
Update to 5.4.1 (uek6)
config check is finished: 'OK' - 52 / 'FAIL' - 71
Loïc [Mon, 24 Feb 2020 16:47:31 +0000 (17:47 +0100)]
Update to 4.18.0-147.5.1.el8_1.x86_64
config check is finished: 'OK' - 47 / 'FAIL' - 76
Loïc [Mon, 24 Feb 2020 16:43:54 +0000 (17:43 +0100)]
Update to config-4.19.0-8-amd64
config check is finished: 'OK' - 54 / 'FAIL' - 69
Alexander Popov [Tue, 14 Jan 2020 10:28:25 +0000 (13:28 +0300)]
Fix INIT_ON_FREE_DEFAULT_ON vs PAGE_POISONING issue #28
PAGE_POISONING is a debugging feature.
It provides less erasing than INIT_ON_FREE_DEFAULT_ON.
Join these checks with OR giving preference to INIT_ON_FREE_DEFAULT_ON.
Thanks to @madaidan for the details.
Also drop my previous recommendations about CONFIG_PAGE_POISONING_NO_SANITY
and CONFIG_PAGE_POISONING_ZERO.
Alexander Popov [Tue, 14 Jan 2020 09:35:38 +0000 (12:35 +0300)]
Answer the question about CONFIG_PANIC_ON_OOPS
Thanks to @madaidan
Refers to #29
Alexander Popov [Sat, 11 Jan 2020 12:05:11 +0000 (15:05 +0300)]
Recommend disabling VIDEO_VIVID
The vivid driver is for testing. It doesn't require any special hardware.
It is shipped in Ubuntu, Debian, Arch Linux, SUSE Linux Enterprise and openSUSE.
On Ubuntu the devices created by this driver are available to the normal user,
since Ubuntu applies RW ACL when the user is logged in.
See the disclosure of CVE-2019-18683 which I've found and fixed in vivid driver:
https://www.openwall.com/lists/oss-security/2019/11/02/1
Alexander Popov [Fri, 10 Jan 2020 14:41:14 +0000 (17:41 +0300)]
Take some ideas from NixOS/nixpkgs hardened kernel config
Add CONFIG_SECURITY_SAFESETID (y) and CONFIG_SECURITY_WRITABLE_HOOKS (n).
Refers to the pull request #27.
Alexander Popov [Mon, 2 Dec 2019 14:23:57 +0000 (17:23 +0300)]
Pretty printing
Alexander Popov [Fri, 29 Nov 2019 13:56:32 +0000 (16:56 +0300)]
Version 0.5.3 (supports Linux kernel v5.3)
Alexander Popov [Fri, 29 Nov 2019 13:53:29 +0000 (16:53 +0300)]
Add the link to Linux Kernel Defence Map
Alexander Popov [Fri, 29 Nov 2019 13:25:59 +0000 (16:25 +0300)]
Update the README
Alexander Popov [Fri, 29 Nov 2019 13:22:43 +0000 (16:22 +0300)]
Update defconfigs
Alexander Popov [Fri, 29 Nov 2019 13:21:42 +0000 (16:21 +0300)]
RANDOMIZE_BASE is now enabled by default on arm64
Alexander Popov [Thu, 28 Nov 2019 21:11:07 +0000 (00:11 +0300)]
x86_32: INTEL_IOMMU is not enabled by default - fix the reason
Alexander Popov [Thu, 28 Nov 2019 21:07:48 +0000 (00:07 +0300)]
X86_INTEL_UMIP is now X86_UMIP
Alexander Popov [Thu, 28 Nov 2019 21:07:21 +0000 (00:07 +0300)]
x86_64: more hardening options are enabled by default - change the reason
Alexander Popov [Thu, 28 Nov 2019 17:24:55 +0000 (20:24 +0300)]
Improve the list of the kernel parameters in TODO
Alexander Popov [Thu, 28 Nov 2019 17:23:04 +0000 (20:23 +0300)]
Add CLIP OS links
Alexander Popov [Thu, 28 Nov 2019 16:56:13 +0000 (19:56 +0300)]
Update the column width
Alexander Popov [Thu, 28 Nov 2019 16:54:55 +0000 (19:54 +0300)]
Some of my recommendations are used by CLIP OS, change the `reason` field
Alexander Popov [Thu, 28 Nov 2019 16:30:01 +0000 (19:30 +0300)]
Don't recommend disabling IKCONFIG anymore
That info is needed for this script :)
Alexander Popov [Thu, 28 Nov 2019 16:28:52 +0000 (19:28 +0300)]
Save more hardening sysctls for TODO
Alexander Popov [Thu, 28 Nov 2019 16:27:53 +0000 (19:27 +0300)]
Update CLIP OS doc
Alexander Popov [Thu, 28 Nov 2019 09:09:36 +0000 (12:09 +0300)]
Group security policies together
Also update the name of the lockdown feature (merged into v5.4).
Alexander Popov [Thu, 28 Nov 2019 09:07:11 +0000 (12:07 +0300)]
Add INIT_ON_ALLOC_DEFAULT_ON and INIT_ON_FREE_DEFAULT_ON introduced in v5.3
Alexander Popov [Thu, 28 Nov 2019 09:06:27 +0000 (12:06 +0300)]
Add RODATA_FULL_DEFAULT_ENABLED for ARM64
Alexander Popov [Thu, 28 Nov 2019 07:32:49 +0000 (10:32 +0300)]
Add info about Debian and AOSP kernel configs to links.txt
Alexander Popov [Thu, 28 Nov 2019 07:17:57 +0000 (10:17 +0300)]
Add Debian Buster kernel config
Alexander Popov [Thu, 28 Nov 2019 07:17:07 +0000 (10:17 +0300)]
Add AOSP kernel config for Pixel 3a
Alexander Popov [Fri, 23 Aug 2019 16:09:36 +0000 (19:09 +0300)]
Introduce the versioning
At the Chaos Communication Camp 2019 @jelly said that it would be nice to add the kconfig-hardened-check to Arch Linux.
So I've added versioning to make it happen.
Thanks @jelly, nice to meet you!
Alexander Popov [Fri, 23 Aug 2019 12:48:43 +0000 (15:48 +0300)]
Update the script output in the README
Alexander Popov [Fri, 23 Aug 2019 10:35:53 +0000 (13:35 +0300)]
Add HARDEN_BRANCH_PREDICTOR and HARDEN_EL2_VECTORS
Alexander Popov [Fri, 23 Aug 2019 11:40:41 +0000 (14:40 +0300)]
Bring more order to the offsets (style fix)
Alexander Popov [Thu, 22 Aug 2019 10:43:46 +0000 (13:43 +0300)]
Add INIT_STACK_ALL as an alternative to GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
Alexander Popov [Thu, 22 Aug 2019 10:35:32 +0000 (13:35 +0300)]
Add SHUFFLE_PAGE_ALLOCATOR from v5.2
Alexander Popov [Thu, 22 Aug 2019 10:34:49 +0000 (13:34 +0300)]
Add some new sysctls (to remember them)
Alexander Popov [Mon, 8 Jul 2019 14:07:18 +0000 (17:07 +0300)]
Merge pull request #22 from adrianopol/master
#20 fix: use right quotes in json output
Thanks @adrianopol
Andrew Petelin [Sun, 7 Jul 2019 19:24:41 +0000 (22:24 +0300)]
#20 fix: use right quotes in json output
Alexander Popov [Mon, 24 Jun 2019 12:05:51 +0000 (15:05 +0300)]
Do code refactoring without changing the functionality
Changes:
- get rid of checklist global variable,
- improve print_checks().
Alexander Popov [Mon, 24 Jun 2019 11:04:11 +0000 (14:04 +0300)]
Merge branch 'json-support'
Thanks to @adrianopol
Alexander Popov [Mon, 24 Jun 2019 10:51:35 +0000 (13:51 +0300)]
json: Fix minor things and update the README
Andrew Petelin [Fri, 21 Jun 2019 19:56:23 +0000 (22:56 +0300)]
add --json option
Alexander Popov [Tue, 4 Jun 2019 22:04:07 +0000 (01:04 +0300)]
Drop CONFIG_X86_MSR from the recommendations
It exposes MSRs to userspace; IMO it is not needed for mitigating
X86 CPU bugs.
Refers to the issue #19 (comment by @Bernhard40)
Alexander Popov [Mon, 3 Jun 2019 23:43:58 +0000 (02:43 +0300)]
Add the LDISC_AUTOLOAD check
In fact we have a false positive here because the absence
of the disabled CONFIG_LDISC_AUTOLOAD means FAIL (line
disciplines are automatically loaded).
TODO: Introduce a special check for this type of cases.
Alexander Popov [Mon, 3 Jun 2019 20:00:59 +0000 (23:00 +0300)]
Attribute some of my recommendations to CLIP OS - part II
They have a bigger authority :)
Refers to the issue #19 by @HacKurx
Alexander Popov [Mon, 3 Jun 2019 19:33:35 +0000 (22:33 +0300)]
Add the link to the CLIP OS kernel configuration
Refers to the issue #19 by @HacKurx
Alexander Popov [Mon, 3 Jun 2019 18:04:03 +0000 (21:04 +0300)]
Update the README
Refers to the issue #19 by @HacKurx
Alexander Popov [Mon, 3 Jun 2019 17:55:44 +0000 (20:55 +0300)]
Update the README (printing format)
Alexander Popov [Mon, 3 Jun 2019 17:41:13 +0000 (20:41 +0300)]
Add a snapshot of the CLIP OS config documentation
Refers to the issue #19 by @HacKurx
Alexander Popov [Mon, 3 Jun 2019 17:38:17 +0000 (20:38 +0300)]
Attribute some of my recommendations to CLIP OS
They have a bigger authority :)
Refers to the issue #19 by @HacKurx
Alexander Popov [Mon, 3 Jun 2019 17:27:51 +0000 (20:27 +0300)]
Add my recommendations for AMD (similar to CLIP OS recommendations for Intel)
Refers to the issue #19 by @HacKurx
Alexander Popov [Mon, 3 Jun 2019 17:24:21 +0000 (20:24 +0300)]
Add X86-specific CLIP OS recommendations for kernel self-protection
Refers to the issue #19 by @HacKurx
Alexander Popov [Mon, 3 Jun 2019 17:19:02 +0000 (20:19 +0300)]
Add arch-independent CLIP OS recommendations for kernel self-protection
Refers to the issue #19 by @HacKurx
Alexander Popov [Mon, 3 Jun 2019 17:13:32 +0000 (20:13 +0300)]
Add more details about STACKLEAK
Refers to the issue #19 by @HacKurx
Alexander Popov [Mon, 3 Jun 2019 17:03:58 +0000 (20:03 +0300)]
Don't recommend any particular LSM to avoid the holy war
Alexander Popov [Mon, 3 Jun 2019 17:02:42 +0000 (20:02 +0300)]
Add CLIP OS recommendations for cutting attack surface
Refers to the issue #19 by @HacKurx
Alexander Popov [Mon, 3 Jun 2019 16:59:25 +0000 (19:59 +0300)]
Improve printing of the results
Alexander Popov [Mon, 3 Jun 2019 10:12:35 +0000 (13:12 +0300)]
Update the link to Alpine config
Alexander Popov [Mon, 3 Jun 2019 10:10:28 +0000 (13:10 +0300)]
Merge pull request #18 from HacKurx/patch-1
Update pentoo config link
Loïc [Sat, 1 Jun 2019 12:02:36 +0000 (14:02 +0200)]
Update pentoo config link
Alexander Popov [Mon, 27 May 2019 14:42:53 +0000 (17:42 +0300)]
Add more kernel command line parameters to comments
Going to use them in future
Alexander Popov [Fri, 17 May 2019 15:13:40 +0000 (18:13 +0300)]
Merge remote-tracking branch 'hackurx/master'
Thanks to @HacKurx for updating the distro configs.
Loïc [Sun, 12 May 2019 15:04:25 +0000 (17:04 +0200)]
Create rhel-8.0.config
config check is finished: 'OK' - 41 / 'FAIL' - 62
Loïc [Sun, 12 May 2019 09:59:15 +0000 (11:59 +0200)]
Update and rename pentoo-4.17.11.config to pentoo-livecd.config
config check is finished: 'OK' - 71 / 'FAIL' - 32
Loïc [Sun, 12 May 2019 09:54:43 +0000 (11:54 +0200)]
Update Archlinux-hardened.config
config check is finished: 'OK' - 75 / 'FAIL' - 28
Loïc [Sun, 12 May 2019 09:51:39 +0000 (11:51 +0200)]
Update Alpinelinux-edge.config
config check is finished: 'OK' - 49 / 'FAIL' - 54
Loïc [Sun, 12 May 2019 09:46:53 +0000 (11:46 +0200)]
Update debian-stretch.config
config check is finished: 'OK' - 42 / 'FAIL' - 61
Loïc [Sun, 12 May 2019 09:38:12 +0000 (11:38 +0200)]
Create AmazonLinux2.config
config check is finished: 'OK' - 42 / 'FAIL' - 61
Alexander Popov [Wed, 20 Mar 2019 07:25:22 +0000 (10:25 +0300)]
Add Q&A to the README
Refers to the issue #14 by @jcberthon.
Alexander Popov [Wed, 13 Mar 2019 17:40:23 +0000 (20:40 +0300)]
Add the comment about kptr_restrict
Alexander Popov [Wed, 13 Mar 2019 13:45:34 +0000 (16:45 +0300)]
Add ARM64_PTR_AUTH check
Alexander Popov [Wed, 13 Mar 2019 09:02:19 +0000 (12:02 +0300)]
Add STACKPROTECTOR_PER_TASK check for ARM
Alexander Popov [Wed, 13 Mar 2019 08:37:13 +0000 (11:37 +0300)]
Add defconfigs for 5.0
Alexander Popov [Tue, 12 Mar 2019 21:46:32 +0000 (00:46 +0300)]
Don't hide AND check results if the requirements are not met
Report them as FAIL.
Thanks to @Bernhard40 for this nice idea.
Alexander Popov [Tue, 12 Mar 2019 15:11:56 +0000 (18:11 +0300)]
Update the README
Alexander Popov [Tue, 12 Mar 2019 14:29:20 +0000 (17:29 +0300)]
Improve the final result output
Refers to issue #13.
Alexander Popov [Tue, 12 Mar 2019 14:12:14 +0000 (17:12 +0300)]
Use the AND check for HARDENED_USERCOPY_FALLBACK
If HARDENED_USERCOPY is not set, HARDENED_USERCOPY_FALLBACK is not checked.
Refers to issue #13.
Alexander Popov [Tue, 12 Mar 2019 14:10:57 +0000 (17:10 +0300)]
Use the AND check for PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO
If PAGE_POISONING is not set, PAGE_POISONING_NO_SANITY and
PAGE_POISONING_ZERO are not checked.
Refers to issue #13.
Alexander Popov [Tue, 12 Mar 2019 13:45:35 +0000 (16:45 +0300)]
Implement AND ComplexOptCheck
Use case: AND(<suboption>, <main_option>).
The suboption is not checked if the check of the main_option fails.
It's needed to solve issue #13.
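The AND semantics described in this commit, together with the OR-with-preference semantics from the INIT_ON_FREE_DEFAULT_ON vs PAGE_POISONING commit above, as an added example that is not kconfig-hardened-check's own code: a minimal Python model of an OptCheck plus AND and OR checks, run over a constructed .config fragment. The option names are real kernel options; the fragment, the class names and the result strings are assumptions made for the example.

```python
# Added example, not kconfig-hardened-check's own code: a minimal model of its
# OptCheck, AND and OR checks, run over a constructed .config fragment.
def parse_kconfig(text):
    opts = {}  # CONFIG_* name -> value, or 'is not set' for commented-out options
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("CONFIG_") and "=" in line:
            opts.update([line.split("=", 1)])
        elif line.startswith("# CONFIG_") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = "is not set"
    return opts
class OptCheck:
    def __init__(self, name, expected):
        self.name, self.expected, self.result = name, expected, None
    def check(self, opts):
        state = opts.get(self.name)  # None: option absent from the config
        ok = state == self.expected or (self.expected == "is not set" and state is None)
        self.result = "OK" if ok else "FAIL: " + ("not found" if state is None else '"%s"' % state)
        return ok

class AND:
    """AND(suboption, main_option): main option (last) is checked first; if it fails the suboption is skipped."""
    def __init__(self, *checks):
        self.checks, self.name, self.result = checks, checks[0].name, None
    def check(self, opts):
        for c in reversed(self.checks):
            if not c.check(opts):
                self.result = "FAIL: " + c.name + " not met"
                return False
        self.result = "OK"
        return True

class OR(AND):
    """OR(preferred, alternative, ...): OK as soon as one member passes, preferred first."""
    def check(self, opts):
        for c in self.checks:
            if c.check(opts):
                self.result = "OK" if c is self.checks[0] else "OK: " + c.name + " is on"
                return True
        self.result = self.checks[0].result  # report the preferred option's failure
        return False
SAMPLE_CONFIG = ("CONFIG_PAGE_POISONING=y\n# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set\n"
                 "# CONFIG_HARDENED_USERCOPY is not set\nCONFIG_HARDENED_USERCOPY_FALLBACK=y\n")
def run_checks(config_text):
    opts = parse_kconfig(config_text)
    checklist = [  # the two checks from the commit messages; returns {name: (passed, result)}
        OR(OptCheck("CONFIG_INIT_ON_FREE_DEFAULT_ON", "y"), OptCheck("CONFIG_PAGE_POISONING", "y")),
        AND(OptCheck("CONFIG_HARDENED_USERCOPY_FALLBACK", "is not set"), OptCheck("CONFIG_HARDENED_USERCOPY", "y")),
    ]
    return {c.name: (c.check(opts), c.result) for c in checklist}
```

Note that an absent option satisfies an "is not set" check, which is exactly the LDISC_AUTOLOAD false positive mentioned in the commit above.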
Alexander Popov [Tue, 12 Mar 2019 13:42:23 +0000 (16:42 +0300)]
Add a sanity check and do minor refactoring