kconfig-hardened-check.git
6 years ago  Update the README
Alexander Popov [Tue, 24 Jul 2018 22:39:31 +0000 (01:39 +0300)]
Update the README

6 years ago  Improve the OR result calculation
Alexander Popov [Tue, 24 Jul 2018 22:36:25 +0000 (01:36 +0300)]
Improve the OR result calculation

1. don't duplicate opts[0].name in the successful output;
2. fix the bug with printing None state, just reuse the OptCheck.result.

6 years ago  Adjust the output format
Alexander Popov [Tue, 24 Jul 2018 21:30:21 +0000 (00:30 +0300)]
Adjust the output format

6 years ago  support DEVMEM not set when considering STRICT_DEVMEM/IO_STRICT_DEVMEM
anthraxx [Mon, 25 Jun 2018 22:26:50 +0000 (00:26 +0200)]
support DEVMEM not set when considering STRICT_DEVMEM/IO_STRICT_DEVMEM

Detect STRICT_DEVMEM and IO_STRICT_DEVMEM as not being needed whenever
DEVMEM is not set.

Conflicts resolved by @a13xp0p0v

6 years ago  Add the comment describing OR use case
Alexander Popov [Tue, 24 Jul 2018 20:33:57 +0000 (23:33 +0300)]
Add the comment describing OR use case

6 years ago  OR needs OptCheck.check() return values
Alexander Popov [Tue, 24 Jul 2018 20:33:26 +0000 (23:33 +0300)]
OR needs OptCheck.check() return values

6 years ago  support logical OR operations on options
anthraxx [Mon, 25 Jun 2018 22:21:10 +0000 (00:21 +0200)]
support logical OR operations on options

The OR class implementation supports combining Opt's logically
with an or-operator. If any of the Opt's provided to the OR class
returns True, the check is considered OK.

Fixes #1

Conflicts resolved by @a13xp0p0v

6 years ago  Update usage in README.md
Alexander Popov [Fri, 20 Jul 2018 17:53:52 +0000 (20:53 +0300)]
Update usage in README.md

6 years ago  Merge branch 'from-hackurx-1'
Alexander Popov [Fri, 20 Jul 2018 17:52:37 +0000 (20:52 +0300)]
Merge branch 'from-hackurx-1'

6 years ago  Add config_files directory
HacKurx [Fri, 20 Jul 2018 14:56:09 +0000 (16:56 +0200)]
Add config_files directory

6 years ago  Add Alpinelinux-edge.config
Loïc [Fri, 20 Jul 2018 11:29:41 +0000 (13:29 +0200)]
Add Alpinelinux-edge.config

config check is NOT PASSED: 44 errors

6 years ago  Add Archlinux-hardened.config
Loïc [Fri, 20 Jul 2018 11:25:13 +0000 (13:25 +0200)]
Add Archlinux-hardened.config

config check is NOT PASSED: 33 errors

6 years ago  Add CONFIG_BINFMT_AOUT to ubuntu18
Loïc [Thu, 19 Jul 2018 18:28:10 +0000 (20:28 +0200)]
Add CONFIG_BINFMT_AOUT to ubuntu18

As requested by a13xp0p0v.

6 years ago  Add Archlinux-Testing.config
Loïc [Wed, 18 Jul 2018 19:41:17 +0000 (21:41 +0200)]
Add Archlinux-Testing.config

config check is NOT PASSED: 49 errors

6 years ago  Add debian-sid-amd64.config
Loïc [Wed, 18 Jul 2018 19:34:52 +0000 (21:34 +0200)]
Add debian-sid-amd64.config

config check is NOT PASSED: 49 errors

6 years ago  Add Grsecurity recommendation on BINFMT_AOUT
Loïc [Wed, 18 Jul 2018 18:34:28 +0000 (20:34 +0200)]
Add Grsecurity recommendation on BINFMT_AOUT

Linux historical interest is not secure ;)

Conflicts resolved by @a13xp0p0v

6 years ago  Merge branch 'arch-changes-from-anthraxx'
Alexander Popov [Fri, 20 Jul 2018 17:40:27 +0000 (20:40 +0300)]
Merge branch 'arch-changes-from-anthraxx'

6 years ago  Count errors in the end
Alexander Popov [Fri, 20 Jul 2018 17:27:30 +0000 (20:27 +0300)]
Count errors in the end

6 years ago  Rename 'opt_list' as well
Alexander Popov [Fri, 20 Jul 2018 16:55:36 +0000 (19:55 +0300)]
Rename 'opt_list' as well

6 years ago  rename Opt to better matching OptCheck
anthraxx [Mon, 9 Jul 2018 00:49:16 +0000 (02:49 +0200)]
rename Opt to better matching OptCheck

6 years ago  Don't return the result from Opt.check(), we don't use it
Alexander Popov [Fri, 20 Jul 2018 16:36:52 +0000 (19:36 +0300)]
Don't return the result from Opt.check(), we don't use it

6 years ago  store option check result as class member
anthraxx [Mon, 9 Jul 2018 00:30:42 +0000 (02:30 +0200)]
store option check result as class member

Conflicts resolved by @a13xp0p0v:

6 years ago  Please forgive me, I fear lambdas :\
Alexander Popov [Fri, 20 Jul 2018 16:09:08 +0000 (19:09 +0300)]
Please forgive me, I fear lambdas :\

Also print the value of the unknown option

6 years ago  Debug mode output should be printed before the final results
Alexander Popov [Fri, 20 Jul 2018 16:06:18 +0000 (19:06 +0300)]
Debug mode output should be printed before the final results

6 years ago  Fix the output: ERROR, not BUG
Alexander Popov [Fri, 20 Jul 2018 16:04:54 +0000 (19:04 +0300)]
Fix the output: ERROR, not BUG

6 years ago  Rename check_state() according the new meaning
Alexander Popov [Fri, 20 Jul 2018 16:03:11 +0000 (19:03 +0300)]
Rename check_state() according the new meaning

6 years ago  Fix the check against multiple options in config file
Alexander Popov [Fri, 20 Jul 2018 16:00:20 +0000 (19:00 +0300)]
Fix the check against multiple options in config file

6 years ago  Use None as state of the options which are not found
Alexander Popov [Fri, 20 Jul 2018 15:55:43 +0000 (18:55 +0300)]
Use None as state of the options which are not found

That will change the check result
  FAIL: "not found"
onto initial
  FAIL: not found

6 years ago  Drop assertions which are now useless
Alexander Popov [Fri, 20 Jul 2018 15:57:16 +0000 (18:57 +0300)]
Drop assertions which are now useless

6 years ago  improve architecture in preparation for new features
anthraxx [Wed, 20 Jun 2018 21:27:40 +0000 (23:27 +0200)]
improve architecture in preparation for new features

This improves the opt storage using a kconfig key based dict to
avoid looping through all opts to get a certain entry by allowing
key based lookups.

6 years ago  ArgumentParser: drop unneeded default=False for args with action='store_true'
Alexander Popov [Fri, 13 Jul 2018 23:11:41 +0000 (02:11 +0300)]
ArgumentParser: drop unneeded default=False for args with action='store_true'

6 years ago  ArgumentParser: Improve description
Alexander Popov [Fri, 13 Jul 2018 23:10:23 +0000 (02:10 +0300)]
ArgumentParser: Improve description

6 years ago  argparse: using python module instead of manual getopt
anthraxx [Mon, 9 Jul 2018 00:25:23 +0000 (02:25 +0200)]
argparse: using python module instead of manual getopt

6 years ago  Consider 'not found' as an equivalent of 'is not set'
Alexander Popov [Thu, 5 Jul 2018 11:44:04 +0000 (14:44 +0300)]
Consider 'not found' as an equivalent of 'is not set'
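
A minimal model of the check logic these commits describe (the OR class that passes when any wrapped check passes, the None state for options missing from the config treated as 'is not set', the DEVMEM fallback for STRICT_DEVMEM/IO_STRICT_DEVMEM, and the name-keyed dict that avoids looping over all checks per config line). This is an added example, not the project's own code; the class and function names, the result strings and the sample .config are assumptions.

```python
import re

# Constructed .config fragment for the demo (not taken from the repository)
SAMPLE_CONFIG = """CONFIG_DEVMEM=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set
# CONFIG_BINFMT_AOUT is not set
CONFIG_USER_NS=y
"""

class OptCheck:  # one Kconfig option check; state None means "not found in the config"
    def __init__(self, name, expected):
        self.name, self.expected, self.state, self.result = name, expected, None, None
    def check(self):
        # "not found" (state None) is treated as equivalent to "is not set"
        if self.state == self.expected or (self.state is None and self.expected == 'is not set'):
            self.result = 'OK'
        else:
            self.result = 'FAIL: not found' if self.state is None else 'FAIL: "{}"'.format(self.state)
        return self.result == 'OK'

class OR:  # OK if any wrapped OptCheck passes; reported under the first option's name
    def __init__(self, *opts):
        self.opts, self.name, self.result = opts, opts[0].name, None
    def check(self):
        for i, opt in enumerate(self.opts):
            if opt.check():  # reuse the passing check's result; name the fallback only when it is not opts[0]
                self.result = opt.result if i == 0 else 'OK: CONFIG_{} "{}"'.format(opt.name, opt.expected)
                return True
        self.result = self.opts[0].result  # nothing passed: report the primary option's failure
        return False

def run_checks(checklist, config_text):
    # Index every OptCheck by Kconfig name so each config line is a dict lookup, not a loop over opts
    by_name = {}
    for item in checklist:
        for opt in getattr(item, 'opts', (item,)):
            by_name.setdefault(opt.name, []).append(opt)
    for line in config_text.splitlines():
        m = re.match(r'^CONFIG_(\w+)=(\S+)$', line) or re.match(r'^# CONFIG_(\w+) is not set$', line)
        for opt in (by_name.get(m.group(1), []) if m else []):
            opt.state = m.group(2) if m.lastindex == 2 else 'is not set'
    errors = sum(not item.check() for item in checklist)  # count errors in the end
    return {item.name: item.result for item in checklist}, errors

def demo():
    checklist = [OptCheck('BUG', 'y'), OptCheck('BINFMT_AOUT', 'is not set'), OptCheck('USER_NS', 'is not set'),
                 OR(OptCheck('STRICT_DEVMEM', 'y'), OptCheck('DEVMEM', 'is not set')),
                 OR(OptCheck('IO_STRICT_DEVMEM', 'y'), OptCheck('DEVMEM', 'is not set'))]
    return run_checks(checklist, SAMPLE_CONFIG)
```

Against the sample config, demo() reports three errors: BUG is not found, USER_NS is enabled, and IO_STRICT_DEVMEM is off while DEVMEM is on, so the OR fallback does not rescue it.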

6 years ago  Add rules for options disabled by grsecurity
Alexander Popov [Thu, 5 Jul 2018 10:54:40 +0000 (13:54 +0300)]
Add rules for options disabled by grsecurity

Carefully extracted from their last public patch

6 years ago  Move some features to 'cut_attack_surface' category
Alexander Popov [Wed, 4 Jul 2018 18:08:21 +0000 (21:08 +0300)]
Move some features to 'cut_attack_surface' category

STRICT_DEVMEM and IO_STRICT_DEVMEM, SECCOMP and SECCOMP_FILTER
are not self protection features. They cut attack surface.

I'm also not sure about SYN_COOKIES. Mark it with a comment.

6 years ago  More decisions on kernel options
Alexander Popov [Wed, 4 Jul 2018 09:29:39 +0000 (12:29 +0300)]
More decisions on kernel options

6 years ago  Add Oracle Unbreakable Enterprise Kernel 5 (UEK-5) config
Alexander Popov [Tue, 3 Jul 2018 20:31:48 +0000 (23:31 +0300)]
Add Oracle Unbreakable Enterprise Kernel 5 (UEK-5) config

6 years ago  Drop CONFIG_DEBUG_KERNEL from kspp-recommendations.config
Alexander Popov [Fri, 22 Jun 2018 12:34:23 +0000 (15:34 +0300)]
Drop CONFIG_DEBUG_KERNEL from kspp-recommendations.config

It is needed only for kernels prior to v4.11 (Kees has updated the wiki)

6 years ago  Disable buggy IP_SCTP to cut attack surface
Alexander Popov [Wed, 20 Jun 2018 21:07:52 +0000 (00:07 +0300)]
Disable buggy IP_SCTP to cut attack surface

6 years ago  Disable only CONFIG_USER_NS, not whole CONFIG_NAMESPACES
Alexander Popov [Wed, 20 Jun 2018 21:09:12 +0000 (00:09 +0300)]
Disable only CONFIG_USER_NS, not whole CONFIG_NAMESPACES

Thanks to @Bernhard40 for the correction

Signed-off-by: Alexander Popov <alex.popov@linux.com>

6 years ago  Add kconfig-hardened-check.py
Alexander Popov [Wed, 20 Jun 2018 14:09:42 +0000 (17:09 +0300)]
Add kconfig-hardened-check.py

This script helps me to check the Linux kernel Kconfig option list
against my hardening preferences for x86_64.

Nobody likes checking configs manually. Let the computers do their job!

Signed-off-by: Alexander Popov <alex.popov@linux.com>