kconfig-hardened-check.git
8 months ago: Rename the 'my' check decision to 'a13xp0p0v'
Alexander Popov [Sun, 24 Mar 2024 12:52:40 +0000 (15:52 +0300)]
Rename the 'my' check decision to 'a13xp0p0v'

'my' checks look like the checks created by a user of the tool.
Let's fix that and take the responsibility :)

Refers to #50

8 months ago: Make the table column names and JSON field names fit each other
Alexander Popov [Sun, 17 Mar 2024 22:38:54 +0000 (01:38 +0300)]
Make the table column names and JSON field names fit each other

Refers to #108, #115

8 months ago: Merge remote-tracking branch 'krishjainx/improve-json-output'
Alexander Popov [Sun, 17 Mar 2024 22:16:51 +0000 (01:16 +0300)]
Merge remote-tracking branch 'krishjainx/improve-json-output'

Refers to #108, #115

8 months ago: update (115/head)
krishjainx [Sun, 17 Mar 2024 21:43:01 +0000 (17:43 -0400)]
update

8 months ago: fix issues
krishjainx [Sun, 17 Mar 2024 07:20:27 +0000 (03:20 -0400)]
fix issues

8 months ago: Fix tests to work with new JSON schema
krishjainx [Thu, 14 Mar 2024 10:21:54 +0000 (06:21 -0400)]
Fix tests to work with new JSON schema

8 months ago: Improve JSON output format for enhanced processing
krishjainx [Thu, 14 Mar 2024 09:53:19 +0000 (05:53 -0400)]
Improve JSON output format for enhanced processing

8 months ago: Improve the DEBUG_CREDENTIALS check
Alexander Popov [Mon, 11 Mar 2024 11:00:25 +0000 (14:00 +0300)]
Improve the DEBUG_CREDENTIALS check

Useful DEBUG_CREDENTIALS was dropped in v6.6.8

Refers to #97

8 months ago: Fix the false result of the REFCOUNT_FULL check for kernels > v5.4.208
Alexander Popov [Sun, 10 Mar 2024 00:00:24 +0000 (03:00 +0300)]
Fix the false result of the REFCOUNT_FULL check for kernels > v5.4.208

Refers to #88, #89

8 months ago: Have to revert codecov back to v3
Alexander Popov [Sat, 9 Mar 2024 23:12:35 +0000 (02:12 +0300)]
Have to revert codecov back to v3

Details about the error:
https://github.com/codecov/codecov-action/issues/1292

8 months ago: Update codecov-action
Alexander Popov [Sat, 9 Mar 2024 22:29:52 +0000 (01:29 +0300)]
Update codecov-action

This fixes the error:
```
Node.js 16 actions are deprecated.
Please update the following actions to use Node.js 20.
```

8 months ago: Adapt test_version() in the unittest
Alexander Popov [Sat, 9 Mar 2024 22:22:46 +0000 (01:22 +0300)]
Adapt test_version() in the unittest

Refers to #88, #89, #97

8 months ago: Check all 3 numbers of the kernel version in VersionCheck
Alexander Popov [Sat, 9 Mar 2024 20:46:51 +0000 (23:46 +0300)]
Check all 3 numbers of the kernel version in VersionCheck

Refers to #88, #89, #97

8 months ago: Fix the fresh set_state() bug found by unittest
Alexander Popov [Sat, 9 Mar 2024 21:41:49 +0000 (00:41 +0300)]
Fix the fresh set_state() bug found by unittest

This function should write 'self.state' anyway.

Refers to #88, #89, #97

8 months ago: Make `python -m unittest` show the whole output
Alexander Popov [Sat, 9 Mar 2024 21:38:25 +0000 (00:38 +0300)]
Make `python -m unittest` show the whole output

8 months ago: Update github actions
Alexander Popov [Sat, 9 Mar 2024 21:26:12 +0000 (00:26 +0300)]
Update github actions

This fixes the error:
```
Node.js 16 actions are deprecated.
Please update the following actions to use Node.js 20.
```

8 months ago: Implement the set_state() method of the check classes
Alexander Popov [Sat, 9 Mar 2024 18:53:47 +0000 (21:53 +0300)]
Implement the set_state() method of the check classes

Refers to #88, #89, #97

8 months ago: Use 3 numbers in the VersionCheck constructor
Alexander Popov [Sat, 9 Mar 2024 18:16:30 +0000 (21:16 +0300)]
Use 3 numbers in the VersionCheck constructor

Refers to #88, #89, #97

8 months ago: Parse all numbers of the kernel version
Alexander Popov [Sat, 9 Mar 2024 17:27:08 +0000 (20:27 +0300)]
Parse all numbers of the kernel version

Refers to #88, #89, #97

8 months ago: Skip the kernel version part after '-'
Alexander Popov [Sat, 9 Mar 2024 17:24:07 +0000 (20:24 +0300)]
Skip the kernel version part after '-'

Example:
# Linux/x86_64 6.7.4-200.fc39.x86_64 Kernel Configuration

Refers to #88, #89, #97
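
The version handling described in the three commits above (parse all numbers of the kernel version, keep three numbers in VersionCheck, ignore everything after '-'), as an added example in Python. This is not the project's own code: the regex, the `VersionCheck` class shape, the `two_number_compare` helper and the sample config header and /proc/version line are all constructed here as assumptions; the example also accepts the /proc/version format, which the page's --kernel-version commit mentions.

```python
import re

# Constructed samples (not real files): the first line of a distro kernel
# config, in the same shape as the commit message's example, and a
# /proc/version line for the same kernel.
CONFIG_HEADER = "# Linux/x86_64 6.7.4-200.fc39.x86_64 Kernel Configuration"
PROC_VERSION = "Linux version 6.7.4-200.fc39.x86_64 (build@host) (gcc 13.2.1) #1 SMP"

# One pattern for both sources: capture 'N.N' or 'N.N.N', then swallow the
# optional '-...' suffix (distro release tag) so it never reaches the numbers.
_VER_RE = re.compile(
    r"(?:^# Linux/\S+ |^Linux version )(\d+)\.(\d+)(?:\.(\d+))?(?:-\S*)?"
)


def parse_kernel_version(text):
    """Return (major, minor, patch) as ints, or None if the line is not a
    kernel version line. A missing third number ('6.7') becomes 0, so the
    result is always a full 3-tuple and can be compared with tuple ordering."""
    m = _VER_RE.match(text.strip())
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


class VersionCheck:
    """Hypothetical check: the kernel must be at least `ver_expected`, compared
    on all three numbers, so that 5.4.208 < 5.4.209 < 5.5.0 is decided
    correctly. `self.state` is written on every call, never left unset."""

    def __init__(self, ver_expected):
        if len(ver_expected) != 3:
            raise ValueError("ver_expected must be a (major, minor, patch) tuple")
        self.ver_expected = tuple(ver_expected)
        self.state = None

    def check(self, ver):
        # Unconditional write: a None state after check() would be a bug.
        self.state = "OK" if tuple(ver) >= self.ver_expected else "FAIL"
        return self.state


def two_number_compare(ver, expected):
    """The bug class the 3-number check removes: comparing only major.minor
    cannot tell 5.4.208 from 5.4.209, so the stable-branch fix level is lost."""
    return tuple(ver[:2]) >= tuple(expected[:2])


if __name__ == "__main__":
    ver = parse_kernel_version(CONFIG_HEADER)
    print("parsed:", ver)                                   # (6, 7, 4)
    print("3-number:", VersionCheck((5, 4, 209)).check((5, 4, 208)))  # FAIL
    print("2-number:", two_number_compare((5, 4, 208), (5, 4, 209)))  # True (wrong)
```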

8 months ago: Add the ia32_emulation check
Alexander Popov [Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)]
Add the ia32_emulation check

Refers to #87, #112

9 months ago: Add MODULE_SIG_SHA3_512 as a valid option
Alexander Popov [Mon, 19 Feb 2024 12:25:09 +0000 (15:25 +0300)]
Add MODULE_SIG_SHA3_512 as a valid option

Refers to #107

9 months ago: Make LOCKDOWN_LSM 'self_protection', not 'security_policy'
Alexander Popov [Sat, 17 Feb 2024 20:33:33 +0000 (23:33 +0300)]
Make LOCKDOWN_LSM 'self_protection', not 'security_policy'

10 months ago: Ready for the release 0.6.6 (v0.6.6)
Alexander Popov [Tue, 16 Jan 2024 22:55:02 +0000 (01:55 +0300)]
Ready for the release 0.6.6

10 months ago: Update issues.md
Alexander Popov [Tue, 16 Jan 2024 22:54:40 +0000 (01:54 +0300)]
Update issues.md

10 months ago: Update the README
Alexander Popov [Tue, 16 Jan 2024 22:30:43 +0000 (01:30 +0300)]
Update the README

10 months ago: Update the Ubuntu example configs
Alexander Popov [Tue, 16 Jan 2024 22:20:39 +0000 (01:20 +0300)]
Update the Ubuntu example configs

10 months ago: Don't print the warning about ARCH_MMAP_RND_BITS in the json mode
Alexander Popov [Tue, 16 Jan 2024 21:42:56 +0000 (00:42 +0300)]
Don't print the warning about ARCH_MMAP_RND_BITS in the json mode

10 months ago: Improve the check of DEBUG_NOTIFIERS feature (part 2)
Alexander Popov [Tue, 16 Jan 2024 20:53:14 +0000 (23:53 +0300)]
Improve the check of DEBUG_NOTIFIERS feature (part 2)

CFI_PERMISSIVE should be disabled. Reacting with a kernel warning
is not enough.

Thanks to @thestinger for the idea.

Refers to #99.

10 months ago: Improve the check of DEBUG_NOTIFIERS feature
Alexander Popov [Tue, 16 Jan 2024 20:31:11 +0000 (23:31 +0300)]
Improve the check of DEBUG_NOTIFIERS feature

This is what DEBUG_NOTIFIERS performs (see kernel/notifier.c):

```c
#ifdef CONFIG_DEBUG_NOTIFIERS
		if (unlikely(!func_ptr_is_kernel_text(nb->notifier_call))) {
			WARN(1, "Invalid notifier called!");
			nb = next_nb;
			continue;
		}
#endif
```

CFI can do the same better.

Thanks to @thestinger for the idea.

Refers to #99.

10 months ago: Improve the check of SCHED_STACK_END_CHECK.
Alexander Popov [Tue, 16 Jan 2024 19:57:47 +0000 (22:57 +0300)]
Improve the check of SCHED_STACK_END_CHECK.

SCHED_STACK_END_CHECK checks the magic value at the end
of the kernel thread stack, and VMAP_STACK adds guard pages near it.
So they do slightly different things, but VMAP_STACK is more reliable.

Thanks to @thestinger for the idea.

Refers to #98.

10 months ago: Fix style (III)
Alexander Popov [Tue, 16 Jan 2024 17:33:58 +0000 (20:33 +0300)]
Fix style (III)

Use f-strings.

10 months ago: Fix style (II)
Alexander Popov [Tue, 16 Jan 2024 17:21:57 +0000 (20:21 +0300)]
Fix style (II)

10 months ago: Fix style (I)
Alexander Popov [Tue, 16 Jan 2024 17:20:41 +0000 (20:20 +0300)]
Fix style (I)

10 months ago: Disable pylint too-many-locals, it's not useful for add_kconfig_checks()
Alexander Popov [Tue, 16 Jan 2024 08:30:39 +0000 (11:30 +0300)]
Disable pylint too-many-locals, it's not useful for add_kconfig_checks()

10 months ago: Fix pylint W0613: Unused argument 'arch'
Alexander Popov [Tue, 16 Jan 2024 08:26:27 +0000 (11:26 +0300)]
Fix pylint W0613: Unused argument 'arch'

10 months ago: Fix pylint E1101: Instance of 'OptCheck' has no 'type' member
Alexander Popov [Tue, 16 Jan 2024 04:24:32 +0000 (07:24 +0300)]
Fix pylint E1101: Instance of 'OptCheck' has no 'type' member

10 months ago: Fix pylint W0613: Unused argument 'mode'
Alexander Popov [Tue, 16 Jan 2024 04:18:40 +0000 (07:18 +0300)]
Fix pylint W0613: Unused argument 'mode'

10 months ago: Update the NixOS configs
Alexander Popov [Mon, 15 Jan 2024 05:35:28 +0000 (08:35 +0300)]
Update the NixOS configs

10 months ago: Don't add options without explicitly recommended values to Kconfig fragments
Alexander Popov [Sun, 14 Jan 2024 14:31:50 +0000 (17:31 +0300)]
Don't add options without explicitly recommended values to Kconfig fragments

That's important for the '--generate' mode.

10 months ago: UBSAN_SANITIZE_ALL is now available for ARM
Alexander Popov [Sun, 14 Jan 2024 12:43:08 +0000 (15:43 +0300)]
UBSAN_SANITIZE_ALL is now available for ARM

10 months ago: Fix the order in the vdso32 check (part II)
Alexander Popov [Sat, 30 Dec 2023 20:44:34 +0000 (23:44 +0300)]
Fix the order in the vdso32 check (part II)

10 months ago: Fix the order in the vdso32 check
Alexander Popov [Sat, 30 Dec 2023 20:41:01 +0000 (23:41 +0300)]
Fix the order in the vdso32 check

10 months ago: Improve the hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
Alexander Popov [Sat, 30 Dec 2023 18:30:14 +0000 (21:30 +0300)]
Improve the hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check

Don't check CONFIG_ARCH_MMAP_RND_BITS if CONFIG_ARCH_MMAP_RND_BITS_MAX
was not found.

10 months ago: Show the option type in print_unknown_options()
Alexander Popov [Sat, 30 Dec 2023 18:22:00 +0000 (21:22 +0300)]
Show the option type in print_unknown_options()

That improves debugging.

10 months ago: Use raw strings for regular expression
Alexander Popov [Sat, 30 Dec 2023 18:15:37 +0000 (21:15 +0300)]
Use raw strings for regular expression

10 months ago: Fix the 'decision' for the 'AIO' check
Alexander Popov [Sat, 30 Dec 2023 16:52:01 +0000 (19:52 +0300)]
Fix the 'decision' for the 'AIO' check

10 months ago: Fix the 'decision' for the 'vdso32' check
Alexander Popov [Fri, 29 Dec 2023 08:22:06 +0000 (11:22 +0300)]
Fix the 'decision' for the 'vdso32' check

10 months ago: Improve the comment for the 'slab_common.usercopy_fallback' check
Alexander Popov [Fri, 29 Dec 2023 08:21:17 +0000 (11:21 +0300)]
Improve the comment for the 'slab_common.usercopy_fallback' check

10 months ago: Fix the arch condition for the SCHED_CORE check (III)
Alexander Popov [Thu, 28 Dec 2023 13:20:47 +0000 (16:20 +0300)]
Fix the arch condition for the SCHED_CORE check (III)

SCHED_CORE is finally available for ARM64 and ARM.

SCHED_SMT was needed for that.

10 months ago: Update the KSPP recommendations
Alexander Popov [Thu, 28 Dec 2023 12:30:56 +0000 (15:30 +0300)]
Update the KSPP recommendations

10 months ago: Fix the arch for the CPU_SRSO check (it's available only for x86_64)
Alexander Popov [Thu, 28 Dec 2023 11:58:11 +0000 (14:58 +0300)]
Fix the arch for the CPU_SRSO check (it's available only for x86_64)

10 months ago: Split the HW_RANDOM_TPM check (it's enabled by default on ARM and ARM64)
Alexander Popov [Thu, 28 Dec 2023 11:41:09 +0000 (14:41 +0300)]
Split the HW_RANDOM_TPM check (it's enabled by default on ARM and ARM64)

10 months ago: Change the 'decision' of the INIT_STACK_ALL_ZERO check
Alexander Popov [Thu, 28 Dec 2023 11:33:10 +0000 (14:33 +0300)]
Change the 'decision' of the INIT_STACK_ALL_ZERO check

11 months ago: Add defconfigs for Linux v6.6
Alexander Popov [Sun, 17 Dec 2023 23:51:58 +0000 (02:51 +0300)]
Add defconfigs for Linux v6.6

11 months ago: Add the RANDOM_KMALLOC_CACHES check
Alexander Popov [Sat, 16 Dec 2023 23:41:40 +0000 (02:41 +0300)]
Add the RANDOM_KMALLOC_CACHES check

Refers to #83

11 months ago: Add the SECURITY_SELINUX_DEBUG check
Alexander Popov [Sat, 16 Dec 2023 23:11:53 +0000 (02:11 +0300)]
Add the SECURITY_SELINUX_DEBUG check

11 months ago: Fix the 'decision' for the LEGACY_TIOCSTI check
Alexander Popov [Sat, 16 Dec 2023 22:53:50 +0000 (01:53 +0300)]
Fix the 'decision' for the LEGACY_TIOCSTI check

11 months ago: Add the CONFIG_LIST_HARDENED check
Alexander Popov [Sat, 16 Dec 2023 21:21:10 +0000 (00:21 +0300)]
Add the CONFIG_LIST_HARDENED check

11 months ago: Add the gather_data_sampling check
Alexander Popov [Sat, 9 Dec 2023 19:25:38 +0000 (22:25 +0300)]
Add the gather_data_sampling check

11 months ago: Add the CPU_SRSO check
Alexander Popov [Sat, 9 Dec 2023 19:10:32 +0000 (22:10 +0300)]
Add the CPU_SRSO check

11 months ago: Add the SPECULATION_MITIGATIONS check
Alexander Popov [Sat, 9 Dec 2023 19:06:13 +0000 (22:06 +0300)]
Add the SPECULATION_MITIGATIONS check

11 months ago: Add the spec_rstack_overflow check
Alexander Popov [Sat, 9 Dec 2023 18:57:13 +0000 (21:57 +0300)]
Add the spec_rstack_overflow check

11 months ago: Add the MODULE_FORCE_LOAD check
Alexander Popov [Sat, 9 Dec 2023 05:47:55 +0000 (08:47 +0300)]
Add the MODULE_FORCE_LOAD check

Thanks to @vobst for the idea

11 months ago: Update the README
Alexander Popov [Sat, 2 Dec 2023 19:21:13 +0000 (22:21 +0300)]
Update the README

11 months ago: Add the check for dis_ucode_ldr
Alexander Popov [Sat, 2 Dec 2023 17:46:14 +0000 (20:46 +0300)]
Add the check for dis_ucode_ldr

Thanks to @izh1979 for the idea

11 months ago: Add the MICROCODE_INTEL and MICROCODE_AMD checks
Alexander Popov [Sat, 2 Dec 2023 17:33:56 +0000 (20:33 +0300)]
Add the MICROCODE_INTEL and MICROCODE_AMD checks

Thanks to @izh1979 for the idea

11 months ago: Add a check for the 'kfence.sample_interval' boot parameter
Alexander Popov [Sat, 2 Dec 2023 10:49:42 +0000 (13:49 +0300)]
Add a check for the 'kfence.sample_interval' boot parameter

Thanks to @izh1979 for the idea

11 months ago: Add the KFENCE_SAMPLE_INTERVAL check
Alexander Popov [Sat, 2 Dec 2023 10:04:30 +0000 (13:04 +0300)]
Add the KFENCE_SAMPLE_INTERVAL check

Thanks to @izh1979 for the idea

11 months ago: Keep the recommendation to disable kernel modules
Alexander Popov [Sat, 2 Dec 2023 06:28:13 +0000 (09:28 +0300)]
Keep the recommendation to disable kernel modules

Disabling kernel modules is a radical method to cut the kernel attack
surface. It may be useful for some systems.

Quoting CLIP OS recommendation:
```
Disable module loading once systemd has loaded the ones required for the
running machine according to a profile.
```

11 months ago: Add a comment about 'kernel.modules_disabled'
Alexander Popov [Sat, 11 Nov 2023 15:13:19 +0000 (18:13 +0300)]
Add a comment about 'kernel.modules_disabled'

11 months ago: add --kernel-version option (#94)
Alexander Popov [Sat, 2 Dec 2023 06:11:44 +0000 (09:11 +0300)]
add --kernel-version option (#94)

11 months ago: add --kernel-version option (94/head)
Fabrice Fontaine [Wed, 29 Nov 2023 16:37:58 +0000 (17:37 +0100)]
add --kernel-version option

The --kernel-version option will extract the version from /proc/version.
This is especially useful on embedded systems where config.gz doesn't
always contain the kernel version.

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>

13 months ago: Fix the reason for the 'kernel.yama.ptrace_scope' check
Alexander Popov [Wed, 18 Oct 2023 07:30:36 +0000 (10:30 +0300)]
Fix the reason for the 'kernel.yama.ptrace_scope' check

13 months ago: Add kspp-recommendations/kspp-sysctl.txt
Alexander Popov [Tue, 17 Oct 2023 20:34:14 +0000 (23:34 +0300)]
Add kspp-recommendations/kspp-sysctl.txt

13 months ago: Fix the reason for the nosmt check
Alexander Popov [Tue, 17 Oct 2023 20:23:31 +0000 (23:23 +0300)]
Fix the reason for the nosmt check

Use 'cut_attack_surface'.

13 months ago: Update kspp-cmdline-x86-64.txt
Alexander Popov [Tue, 17 Oct 2023 19:57:18 +0000 (22:57 +0300)]
Update kspp-cmdline-x86-64.txt

13 months ago: Add the 'dev.tty.legacy_tiocsti' check
Alexander Popov [Tue, 17 Oct 2023 17:19:05 +0000 (20:19 +0300)]
Add the 'dev.tty.legacy_tiocsti' check

13 months ago: Add the 'kernel.randomize_va_space' check
Alexander Popov [Tue, 17 Oct 2023 16:27:37 +0000 (19:27 +0300)]
Add the 'kernel.randomize_va_space' check

13 months ago: Add the 'fs.suid_dumpable' check
Alexander Popov [Tue, 17 Oct 2023 16:24:25 +0000 (19:24 +0300)]
Add the 'fs.suid_dumpable' check

13 months ago: Change the reason of the COREDUMP check
Alexander Popov [Tue, 17 Oct 2023 16:23:00 +0000 (19:23 +0300)]
Change the reason of the COREDUMP check

13 months ago: Add the 'fs.protected_regular' check
Alexander Popov [Tue, 17 Oct 2023 16:20:08 +0000 (19:20 +0300)]
Add the 'fs.protected_regular' check

13 months ago: Add the 'fs.protected_fifos' check
Alexander Popov [Tue, 17 Oct 2023 16:19:06 +0000 (19:19 +0300)]
Add the 'fs.protected_fifos' check

13 months ago: Add the 'fs.protected_hardlinks' check
Alexander Popov [Tue, 17 Oct 2023 16:07:41 +0000 (19:07 +0300)]
Add the 'fs.protected_hardlinks' check

13 months ago: Add the 'fs.protected_symlinks' check
Alexander Popov [Tue, 17 Oct 2023 16:07:00 +0000 (19:07 +0300)]
Add the 'fs.protected_symlinks' check

13 months ago: Add the 'vm.unprivileged_userfaultfd' check
Alexander Popov [Tue, 17 Oct 2023 16:02:39 +0000 (19:02 +0300)]
Add the 'vm.unprivileged_userfaultfd' check

13 months ago: Add the 'kernel.yama.ptrace_scope' check
Alexander Popov [Tue, 17 Oct 2023 15:53:32 +0000 (18:53 +0300)]
Add the 'kernel.yama.ptrace_scope' check

13 months ago: Add the 'kernel.kptr_restrict' check
Alexander Popov [Tue, 17 Oct 2023 15:52:57 +0000 (18:52 +0300)]
Add the 'kernel.kptr_restrict' check

13 months ago: Improve the slab_common.usercopy_fallback check
Alexander Popov [Tue, 17 Oct 2023 05:38:51 +0000 (08:38 +0300)]
Improve the slab_common.usercopy_fallback check

Don't require slab_common.usercopy_fallback=0,
since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16

13 months ago: hardened_usercopy=1 is now officially recommended by KSPP
Alexander Popov [Tue, 17 Oct 2023 05:35:00 +0000 (08:35 +0300)]
hardened_usercopy=1 is now officially recommended by KSPP

13 months ago: Enabling page_alloc.shuffle is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 20:40:15 +0000 (23:40 +0300)]
Enabling page_alloc.shuffle is now recommended by KSPP

13 months ago: 'mitigations=auto,nosmt' is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 20:22:59 +0000 (23:22 +0300)]
'mitigations=auto,nosmt' is now recommended by KSPP

13 months ago: Disabling X86_VSYSCALL_EMULATION is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 05:13:29 +0000 (08:13 +0300)]
Disabling X86_VSYSCALL_EMULATION is now recommended by KSPP

13 months ago: Use /usr/bin/env in shebangs (#90)
Alexander Popov [Mon, 16 Oct 2023 04:31:36 +0000 (07:31 +0300)]
Use /usr/bin/env in shebangs (#90)

Thanks, @SuperSandro2000

13 months ago: Use /usr/bin/env in shebangs (90/head)
Sandro Jäckel [Thu, 5 Oct 2023 22:41:00 +0000 (00:41 +0200)]
Use /usr/bin/env in shebangs

This is guaranteed to work on everything, including NixOS.

13 months ago: Drop ZERO_CALL_USED_REGS in favour of backward-edge CFI
Alexander Popov [Wed, 4 Oct 2023 18:21:21 +0000 (21:21 +0300)]
Drop ZERO_CALL_USED_REGS in favour of backward-edge CFI

This option isn't worth the performance impact.

Refers to #82.

14 months ago: Update the README
Alexander Popov [Mon, 18 Sep 2023 20:56:21 +0000 (23:56 +0300)]
Update the README

14 months ago: Refactor the assertion in colorize_result() to improve test coverage
Alexander Popov [Mon, 18 Sep 2023 05:58:44 +0000 (08:58 +0300)]
Refactor the assertion in colorize_result() to improve test coverage

14 months ago: Update the backup in issues.md
Alexander Popov [Sun, 17 Sep 2023 22:56:10 +0000 (01:56 +0300)]
Update the backup in issues.md

14 months ago: Rename kconfig-hardened-check into kernel-hardening-checker (#85)
Alexander Popov [Sun, 17 Sep 2023 22:29:39 +0000 (01:29 +0300)]
Rename kconfig-hardened-check into kernel-hardening-checker (#85)

**kconfig-hardened-check** is a tool for checking the security hardening
options of the Linux kernel.

In addition to Kconfig options, it now can check kernel cmdline
arguments and sysctl parameters.

It's time to give this project a new name that describes it better:
**kernel-hardening-checker**.