kconfig-hardened-check.git
4 years ago: Recommend disabling VIDEO_VIVID
Alexander Popov [Sat, 11 Jan 2020 12:05:11 +0000 (15:05 +0300)]
Recommend disabling VIDEO_VIVID

The vivid driver is for testing. It doesn't require any special hardware.
It is shipped in Ubuntu, Debian, Arch Linux, SUSE Linux Enterprise and openSUSE.
On Ubuntu the devices created by this driver are available to the normal user,
since Ubuntu applies RW ACL when the user is logged in.

See the disclosure of CVE-2019-18683, which I found and fixed in the vivid driver:
https://www.openwall.com/lists/oss-security/2019/11/02/1

4 years ago: Take some ideas from NixOS/nixpkgs hardened kernel config
Alexander Popov [Fri, 10 Jan 2020 14:41:14 +0000 (17:41 +0300)]
Take some ideas from NixOS/nixpkgs hardened kernel config

Add CONFIG_SECURITY_SAFESETID (y) and CONFIG_SECURITY_WRITABLE_HOOKS (n).

Refers to the pull request #27.

4 years ago: Pretty printing
Alexander Popov [Mon, 2 Dec 2019 14:23:57 +0000 (17:23 +0300)]
Pretty printing

4 years ago: Version 0.5.3 (supports Linux kernel v5.3) [v0.5.3]
Alexander Popov [Fri, 29 Nov 2019 13:56:32 +0000 (16:56 +0300)]
Version 0.5.3 (supports Linux kernel v5.3)

4 years ago: Add the link to Linux Kernel Defence Map
Alexander Popov [Fri, 29 Nov 2019 13:53:29 +0000 (16:53 +0300)]
Add the link to Linux Kernel Defence Map

4 years ago: Update the README
Alexander Popov [Fri, 29 Nov 2019 13:25:59 +0000 (16:25 +0300)]
Update the README

4 years ago: Update defconfigs
Alexander Popov [Fri, 29 Nov 2019 13:22:43 +0000 (16:22 +0300)]
Update defconfigs

4 years ago: RANDOMIZE_BASE is now enabled by default on arm64
Alexander Popov [Fri, 29 Nov 2019 13:21:42 +0000 (16:21 +0300)]
RANDOMIZE_BASE is now enabled by default on arm64

4 years ago: x86_32: INTEL_IOMMU is not enabled by default - fix the reason
Alexander Popov [Thu, 28 Nov 2019 21:11:07 +0000 (00:11 +0300)]
x86_32: INTEL_IOMMU is not enabled by default - fix the reason

4 years ago: X86_INTEL_UMIP is now X86_UMIP
Alexander Popov [Thu, 28 Nov 2019 21:07:48 +0000 (00:07 +0300)]
X86_INTEL_UMIP is now X86_UMIP

4 years ago: x86_64: more hardening options are enabled by default - change the reason
Alexander Popov [Thu, 28 Nov 2019 21:07:21 +0000 (00:07 +0300)]
x86_64: more hardening options are enabled by default - change the reason

4 years ago: Improve the list of the kernel parameters in TODO
Alexander Popov [Thu, 28 Nov 2019 17:24:55 +0000 (20:24 +0300)]
Improve the list of the kernel parameters in TODO

4 years ago: Add CLIP OS links
Alexander Popov [Thu, 28 Nov 2019 17:23:04 +0000 (20:23 +0300)]
Add CLIP OS links

4 years ago: Update the column width
Alexander Popov [Thu, 28 Nov 2019 16:56:13 +0000 (19:56 +0300)]
Update the column width

4 years ago: Some of my recommendations are used by CLIP OS, change the `reason` field
Alexander Popov [Thu, 28 Nov 2019 16:54:55 +0000 (19:54 +0300)]
Some of my recommendations are used by CLIP OS, change the `reason` field

4 years ago: Don't recommend disabling IKCONFIG anymore
Alexander Popov [Thu, 28 Nov 2019 16:30:01 +0000 (19:30 +0300)]
Don't recommend disabling IKCONFIG anymore

That info is needed for this script :)

4 years ago: Save more hardening sysctls for TODO
Alexander Popov [Thu, 28 Nov 2019 16:28:52 +0000 (19:28 +0300)]
Save more hardening sysctls for TODO

4 years ago: Update CLIP OS doc
Alexander Popov [Thu, 28 Nov 2019 16:27:53 +0000 (19:27 +0300)]
Update CLIP OS doc

4 years ago: Group security policies together
Alexander Popov [Thu, 28 Nov 2019 09:09:36 +0000 (12:09 +0300)]
Group security policies together

Also update the name of the lockdown feature (merged into v5.4).

4 years ago: Add INIT_ON_ALLOC_DEFAULT_ON and INIT_ON_FREE_DEFAULT_ON introduced in v5.3
Alexander Popov [Thu, 28 Nov 2019 09:07:11 +0000 (12:07 +0300)]
Add INIT_ON_ALLOC_DEFAULT_ON and INIT_ON_FREE_DEFAULT_ON introduced in v5.3

4 years ago: Add RODATA_FULL_DEFAULT_ENABLED for ARM64
Alexander Popov [Thu, 28 Nov 2019 09:06:27 +0000 (12:06 +0300)]
Add RODATA_FULL_DEFAULT_ENABLED for ARM64

4 years ago: Add info about Debian and AOSP kernel configs to links.txt
Alexander Popov [Thu, 28 Nov 2019 07:32:49 +0000 (10:32 +0300)]
Add info about Debian and AOSP kernel configs to links.txt

4 years ago: Add Debian Buster kernel config
Alexander Popov [Thu, 28 Nov 2019 07:17:57 +0000 (10:17 +0300)]
Add Debian Buster kernel config

4 years ago: Add AOSP kernel config for Pixel 3a
Alexander Popov [Thu, 28 Nov 2019 07:17:07 +0000 (10:17 +0300)]
Add AOSP kernel config for Pixel 3a

5 years ago: Introduce the versioning [v0.5.2]
Alexander Popov [Fri, 23 Aug 2019 16:09:36 +0000 (19:09 +0300)]
Introduce the versioning

At the Chaos Communication Camp 2019, @jelly said that it would be nice to add kconfig-hardened-check to Arch Linux.

So I added versioning to make it happen.

Thanks @jelly, nice to meet you!

5 years ago: Update the script output in the README
Alexander Popov [Fri, 23 Aug 2019 12:48:43 +0000 (15:48 +0300)]
Update the script output in the README

5 years ago: Add HARDEN_BRANCH_PREDICTOR and HARDEN_EL2_VECTORS
Alexander Popov [Fri, 23 Aug 2019 10:35:53 +0000 (13:35 +0300)]
Add HARDEN_BRANCH_PREDICTOR and HARDEN_EL2_VECTORS

5 years ago: Bring more order to the offsets (style fix)
Alexander Popov [Fri, 23 Aug 2019 11:40:41 +0000 (14:40 +0300)]
Bring more order to the offsets (style fix)

5 years ago: Add INIT_STACK_ALL as an alternative to GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
Alexander Popov [Thu, 22 Aug 2019 10:43:46 +0000 (13:43 +0300)]
Add INIT_STACK_ALL as an alternative to GCC_PLUGIN_STRUCTLEAK_BYREF_ALL

5 years ago: Add SHUFFLE_PAGE_ALLOCATOR from v5.2
Alexander Popov [Thu, 22 Aug 2019 10:35:32 +0000 (13:35 +0300)]
Add SHUFFLE_PAGE_ALLOCATOR from v5.2

5 years ago: Add some new sysctls (to remember them)
Alexander Popov [Thu, 22 Aug 2019 10:34:49 +0000 (13:34 +0300)]
Add some new sysctls (to remember them)

5 years ago: Merge pull request #22 from adrianopol/master
Alexander Popov [Mon, 8 Jul 2019 14:07:18 +0000 (17:07 +0300)]
Merge pull request #22 from adrianopol/master

#20 fix: use right quotes in json output

Thanks @adrianopol

5 years ago: #20 fix: use right quotes in json output [22/head]
Andrew Petelin [Sun, 7 Jul 2019 19:24:41 +0000 (22:24 +0300)]
#20 fix: use right quotes in json output

5 years ago: Do code refactoring without changing the functionality
Alexander Popov [Mon, 24 Jun 2019 12:05:51 +0000 (15:05 +0300)]
Do code refactoring without changing the functionality

Changes:
 - get rid of checklist global variable,
 - improve print_checks().

5 years ago: Merge branch 'json-support'
Alexander Popov [Mon, 24 Jun 2019 11:04:11 +0000 (14:04 +0300)]
Merge branch 'json-support'

Thanks to @adrianopol

5 years ago: json: Fix minor things and update the README
Alexander Popov [Mon, 24 Jun 2019 10:51:35 +0000 (13:51 +0300)]
json: Fix minor things and update the README

5 years ago: add --json option [21/head]
Andrew Petelin [Fri, 21 Jun 2019 19:56:23 +0000 (22:56 +0300)]
add --json option

5 years ago: Drop CONFIG_X86_MSR from the recommendations
Alexander Popov [Tue, 4 Jun 2019 22:04:07 +0000 (01:04 +0300)]
Drop CONFIG_X86_MSR from the recommendations

It exposes MSRs to userspace; IMO it is not needed for mitigating
X86 CPU bugs.

Refers to the issue #19 (comment by @Bernhard40)

5 years ago: Add the LDISC_AUTOLOAD check
Alexander Popov [Mon, 3 Jun 2019 23:43:58 +0000 (02:43 +0300)]
Add the LDISC_AUTOLOAD check

In fact we have a false positive here, because the absence
of the disabled CONFIG_LDISC_AUTOLOAD means FAIL (line
disciplines are automatically loaded).

TODO: Introduce a special check for this type of case.

5 years ago: Attribute some of my recommendations to CLIP OS - part II
Alexander Popov [Mon, 3 Jun 2019 20:00:59 +0000 (23:00 +0300)]
Attribute some of my recommendations to CLIP OS - part II

They have a bigger authority :)

Refers to the issue #19 by @HacKurx

5 years ago: Add the link to the CLIP OS kernel configuration
Alexander Popov [Mon, 3 Jun 2019 19:33:35 +0000 (22:33 +0300)]
Add the link to the CLIP OS kernel configuration

Refers to the issue #19 by @HacKurx

5 years ago: Update the README
Alexander Popov [Mon, 3 Jun 2019 18:04:03 +0000 (21:04 +0300)]
Update the README

Refers to the issue #19 by @HacKurx

5 years ago: Update the README (printing format)
Alexander Popov [Mon, 3 Jun 2019 17:55:44 +0000 (20:55 +0300)]
Update the README (printing format)

5 years ago: Add a snapshot of the CLIP OS config documentation
Alexander Popov [Mon, 3 Jun 2019 17:41:13 +0000 (20:41 +0300)]
Add a snapshot of the CLIP OS config documentation

Refers to the issue #19 by @HacKurx

5 years ago: Attribute some of my recommendations to CLIP OS
Alexander Popov [Mon, 3 Jun 2019 17:38:17 +0000 (20:38 +0300)]
Attribute some of my recommendations to CLIP OS

They have a bigger authority :)

Refers to the issue #19 by @HacKurx

5 years ago: Add my recommendations for AMD (similar to CLIP OS recommendations for Intel)
Alexander Popov [Mon, 3 Jun 2019 17:27:51 +0000 (20:27 +0300)]
Add my recommendations for AMD (similar to CLIP OS recommendations for Intel)

Refers to the issue #19 by @HacKurx

5 years ago: Add X86-specific CLIP OS recommendations for kernel self-protection
Alexander Popov [Mon, 3 Jun 2019 17:24:21 +0000 (20:24 +0300)]
Add X86-specific CLIP OS recommendations for kernel self-protection

Refers to the issue #19 by @HacKurx

5 years ago: Add arch-independent CLIP OS recommendations for kernel self-protection
Alexander Popov [Mon, 3 Jun 2019 17:19:02 +0000 (20:19 +0300)]
Add arch-independent CLIP OS recommendations for kernel self-protection

Refers to the issue #19 by @HacKurx

5 years ago: Add more details about STACKLEAK
Alexander Popov [Mon, 3 Jun 2019 17:13:32 +0000 (20:13 +0300)]
Add more details about STACKLEAK

Refers to the issue #19 by @HacKurx

5 years ago: Don't recommend any particular LSM to avoid the holy war
Alexander Popov [Mon, 3 Jun 2019 17:03:58 +0000 (20:03 +0300)]
Don't recommend any particular LSM to avoid the holy war

5 years ago: Add CLIP OS recommendations for cutting attack surface
Alexander Popov [Mon, 3 Jun 2019 17:02:42 +0000 (20:02 +0300)]
Add CLIP OS recommendations for cutting attack surface

Refers to the issue #19 by @HacKurx

5 years ago: Improve printing of the results
Alexander Popov [Mon, 3 Jun 2019 16:59:25 +0000 (19:59 +0300)]
Improve printing of the results

5 years ago: Update the link to Alpine config
Alexander Popov [Mon, 3 Jun 2019 10:12:35 +0000 (13:12 +0300)]
Update the link to Alpine config

5 years ago: Merge pull request #18 from HacKurx/patch-1
Alexander Popov [Mon, 3 Jun 2019 10:10:28 +0000 (13:10 +0300)]
Merge pull request #18 from HacKurx/patch-1

Update pentoo config link

5 years ago: Update pentoo config link [18/head]
Loïc [Sat, 1 Jun 2019 12:02:36 +0000 (14:02 +0200)]
Update pentoo config link

5 years ago: Add more kernel command line parameters to comments
Alexander Popov [Mon, 27 May 2019 14:42:53 +0000 (17:42 +0300)]
Add more kernel command line parameters to comments

Going to use them in the future.

5 years ago: Merge remote-tracking branch 'hackurx/master'
Alexander Popov [Fri, 17 May 2019 15:13:40 +0000 (18:13 +0300)]
Merge remote-tracking branch 'hackurx/master'

Thanks to @HacKurx for updating the distro configs.

5 years ago: Create rhel-8.0.config [17/head]
Loïc [Sun, 12 May 2019 15:04:25 +0000 (17:04 +0200)]
Create rhel-8.0.config

config check is finished: 'OK' - 41 / 'FAIL' - 62

5 years ago: Update and rename pentoo-4.17.11.config to pentoo-livecd.config
Loïc [Sun, 12 May 2019 09:59:15 +0000 (11:59 +0200)]
Update and rename pentoo-4.17.11.config to pentoo-livecd.config

config check is finished: 'OK' - 71 / 'FAIL' - 32

5 years ago: Update Archlinux-hardened.config
Loïc [Sun, 12 May 2019 09:54:43 +0000 (11:54 +0200)]
Update Archlinux-hardened.config

config check is finished: 'OK' - 75 / 'FAIL' - 28

5 years ago: Update Alpinelinux-edge.config
Loïc [Sun, 12 May 2019 09:51:39 +0000 (11:51 +0200)]
Update Alpinelinux-edge.config

config check is finished: 'OK' - 49 / 'FAIL' - 54

5 years ago: Update debian-stretch.config
Loïc [Sun, 12 May 2019 09:46:53 +0000 (11:46 +0200)]
Update debian-stretch.config

config check is finished: 'OK' - 42 / 'FAIL' - 61

5 years ago: Create AmazonLinux2.config
Loïc [Sun, 12 May 2019 09:38:12 +0000 (11:38 +0200)]
Create AmazonLinux2.config

config check is finished: 'OK' - 42 / 'FAIL' - 61

5 years ago: Add Q&A to the README
Alexander Popov [Wed, 20 Mar 2019 07:25:22 +0000 (10:25 +0300)]
Add Q&A to the README

Refers to the issue #14 by @jcberthon.

5 years ago: Add the comment about kptr_restrict
Alexander Popov [Wed, 13 Mar 2019 17:40:23 +0000 (20:40 +0300)]
Add the comment about kptr_restrict

5 years ago: Add ARM64_PTR_AUTH check
Alexander Popov [Wed, 13 Mar 2019 13:45:34 +0000 (16:45 +0300)]
Add ARM64_PTR_AUTH check

5 years ago: Add STACKPROTECTOR_PER_TASK check for ARM
Alexander Popov [Wed, 13 Mar 2019 09:02:19 +0000 (12:02 +0300)]
Add STACKPROTECTOR_PER_TASK check for ARM

5 years ago: Add defconfigs for 5.0
Alexander Popov [Wed, 13 Mar 2019 08:37:13 +0000 (11:37 +0300)]
Add defconfigs for 5.0

5 years ago: Don't hide AND check results if the requirements are not met
Alexander Popov [Tue, 12 Mar 2019 21:46:32 +0000 (00:46 +0300)]
Don't hide AND check results if the requirements are not met

Report them as FAIL.

Thanks to @Bernhard40 for this nice idea.

5 years ago: Update the README
Alexander Popov [Tue, 12 Mar 2019 15:11:56 +0000 (18:11 +0300)]
Update the README

5 years ago: Improve the final result output
Alexander Popov [Tue, 12 Mar 2019 14:29:20 +0000 (17:29 +0300)]
Improve the final result output

Refers to issue #13.

5 years ago: Use the AND check for HARDENED_USERCOPY_FALLBACK
Alexander Popov [Tue, 12 Mar 2019 14:12:14 +0000 (17:12 +0300)]
Use the AND check for HARDENED_USERCOPY_FALLBACK

If HARDENED_USERCOPY is not set, HARDENED_USERCOPY_FALLBACK is not checked.

Refers to issue #13.

5 years ago: Use the AND check for PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO
Alexander Popov [Tue, 12 Mar 2019 14:10:57 +0000 (17:10 +0300)]
Use the AND check for PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO

If PAGE_POISONING is not set, PAGE_POISONING_NO_SANITY and
PAGE_POISONING_ZERO are not checked.

Refers to issue #13.

5 years ago: Implement AND ComplexOptCheck
Alexander Popov [Tue, 12 Mar 2019 13:45:35 +0000 (16:45 +0300)]
Implement AND ComplexOptCheck

Use case: AND(<suboption>, <main_option>).
The suboption is not checked if the check of the main_option fails.

It's needed to solve issue #13.

5 years ago: Add a sanity check and do minor refactoring
Alexander Popov [Tue, 12 Mar 2019 13:42:23 +0000 (16:42 +0300)]
Add a sanity check and do minor refactoring

5 years ago: Introduce the ComplexOptCheck superclass
Alexander Popov [Tue, 12 Mar 2019 12:02:49 +0000 (15:02 +0300)]
Introduce the ComplexOptCheck superclass

5 years ago: Update the README
Alexander Popov [Mon, 11 Mar 2019 15:59:10 +0000 (18:59 +0300)]
Update the README

5 years ago: Add explicit checks for CONFIG_MODULES and CONFIG_DEVMEM
Alexander Popov [Mon, 11 Mar 2019 15:21:18 +0000 (18:21 +0300)]
Add explicit checks for CONFIG_MODULES and CONFIG_DEVMEM

I like this hack. Now the script recommends disabling modules and
devmem, OR at least hardening them.

5 years ago: Add missing OR use case
Alexander Popov [Mon, 11 Mar 2019 15:08:59 +0000 (18:08 +0300)]
Add missing OR use case

5 years ago: Improve the output of OR checks
Alexander Popov [Mon, 11 Mar 2019 15:33:11 +0000 (18:33 +0300)]
Improve the output of OR checks

5 years ago: Add the RESET_ATTACK_MITIGATION check according to the feature request #11
Alexander Popov [Mon, 4 Mar 2019 18:24:45 +0000 (21:24 +0300)]
Add the RESET_ATTACK_MITIGATION check according to the feature request #11

Let's check the RESET_ATTACK_MITIGATION option.

The description of this security feature:
https://lwn.net/Articles/730006/

It needs support from the userspace side:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a5c03c31af2291f13689d11760c0b59fb70c9a5a

Improve the comments about the userspace support by the way.

5 years ago: Fix false positive about CONFIG_MODULE_SIG_FORCE.
Alexander Popov [Mon, 4 Mar 2019 13:38:14 +0000 (16:38 +0300)]
Fix false positive about CONFIG_MODULE_SIG_FORCE.

CONFIG_MODULE_SIG_FORCE shouldn't be checked if CONFIG_MODULES is not set.

Fixes issue #12.
Thanks to @hannob.

5 years ago: Update the README and comments after adding ARM support
Alexander Popov [Thu, 24 Jan 2019 07:43:58 +0000 (10:43 +0300)]
Update the README and comments after adding ARM support

5 years ago: Fix typo in KSPP recommendations for ARM
Alexander Popov [Thu, 24 Jan 2019 07:34:00 +0000 (10:34 +0300)]
Fix typo in KSPP recommendations for ARM

5 years ago: Add ARM support
Alexander Popov [Thu, 24 Jan 2019 07:33:25 +0000 (10:33 +0300)]
Add ARM support

5 years ago: Update the README after adding ARM64 support
Alexander Popov [Wed, 23 Jan 2019 17:02:53 +0000 (20:02 +0300)]
Update the README after adding ARM64 support

5 years ago: Go through all the checks in debug mode
Alexander Popov [Wed, 23 Jan 2019 16:31:26 +0000 (19:31 +0300)]
Go through all the checks in debug mode

5 years ago: Add ARM64 support
Alexander Popov [Wed, 23 Jan 2019 16:11:55 +0000 (19:11 +0300)]
Add ARM64 support

5 years ago: Update the README after adding X86_32 support
Alexander Popov [Tue, 22 Jan 2019 12:22:04 +0000 (15:22 +0300)]
Update the README after adding X86_32 support

And improve the style by the way.

5 years ago: Add X86_32 support
Alexander Popov [Tue, 22 Jan 2019 11:55:47 +0000 (14:55 +0300)]
Add X86_32 support

5 years ago: Merge branch 'arch-configs'
Alexander Popov [Tue, 22 Jan 2019 11:55:07 +0000 (14:55 +0300)]
Merge branch 'arch-configs'

5 years ago: Create a separate directory for distro configs
Alexander Popov [Tue, 22 Jan 2019 11:22:35 +0000 (14:22 +0300)]
Create a separate directory for distro configs

5 years ago: Create a separate directory for defconfigs
Alexander Popov [Tue, 22 Jan 2019 11:10:23 +0000 (14:10 +0300)]
Create a separate directory for defconfigs

5 years ago: Add arm64 defconfig for v4.20
Alexander Popov [Tue, 22 Jan 2019 11:09:26 +0000 (14:09 +0300)]
Add arm64 defconfig for v4.20

5 years ago: Add arm defconfig for v4.20
Alexander Popov [Tue, 22 Jan 2019 11:09:09 +0000 (14:09 +0300)]
Add arm defconfig for v4.20

5 years ago: Add x86_32 defconfig for v4.20
Alexander Popov [Tue, 22 Jan 2019 10:47:31 +0000 (13:47 +0300)]
Add x86_32 defconfig for v4.20

5 years ago: Create a separate directory for KSPP recommendations
Alexander Popov [Tue, 22 Jan 2019 11:04:51 +0000 (14:04 +0300)]
Create a separate directory for KSPP recommendations

5 years ago: Specify the architecture in KSPP recommendations
Alexander Popov [Tue, 22 Jan 2019 11:03:11 +0000 (14:03 +0300)]
Specify the architecture in KSPP recommendations

5 years ago: Update the README (arch support)
Alexander Popov [Mon, 21 Jan 2019 22:18:36 +0000 (01:18 +0300)]
Update the README (arch support)

5 years ago: Make the script aware of target architecture
Alexander Popov [Mon, 21 Jan 2019 22:06:45 +0000 (01:06 +0300)]
Make the script aware of target architecture

Add the ability to parse the processor architecture from the config file.

Change '-p' command-line argument behaviour. Now it comes with the
name of architecture you want to print recommendations for.

Currently only X86_64 is supported. More architectures to come soon.

This is based heavily on work by @tyhicks.