1 # kconfig-hardened-check
3 
4 
5 [](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
9 There are plenty of security hardening options for the Linux kernel. A lot of them are
10 not enabled by the major distros. We have to enable these options ourselves to
11 make our systems more secure.
13 But nobody likes checking configs manually. So let the computers do their job!
15 __kconfig-hardened-check__ helps me to check the Linux kernel options
16 against my security hardening preferences, which are based on the
18 - [KSPP recommended settings][1]
19 - [CLIP OS kernel configuration][2]
20 - Last public [grsecurity][3] patch (options which they disable)
21 - [SECURITY_LOCKDOWN_LSM][5] patchset
22 - [Direct feedback from the Linux kernel maintainers][23]
24 This tool supports checking __Kconfig__ options and __kernel cmdline__ parameters.
26 I also created the [__Linux Kernel Defence Map__][4], which is a graphical representation of the
27 relationships between security hardening features and the corresponding vulnerability classes
28 or exploitation techniques.
30 __Attention!__ Changing Linux kernel security parameters may also affect system performance
31 and functionality of userspace software. So for choosing these parameters consider
32 the threat model of your Linux-based information system and perform thorough testing
33 of its typical workload.
35 ## Supported microarchitectures
42 TODO: RISC-V (issue [#56][22])
46 You can install the package:
49 pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check
52 or simply run `./bin/kconfig-hardened-check` from the cloned repository.
54 Some Linux distributions also provide `kconfig-hardened-check` as a package.
58 usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]
61 [-m {verbose,json,show_ok,show_fail}]
63 A tool for checking the security hardening options of the Linux kernel
66 -h, --help show this help message and exit
67 --version show program's version number and exit
68 -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
69 print security hardening preferences for the selected architecture
70 -c CONFIG, --config CONFIG
71 check the kernel kconfig file against these preferences
72 -l CMDLINE, --cmdline CMDLINE
73 check the kernel cmdline file against these preferences
74 -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
75 choose the report mode
80 - no `-m` argument for the default output mode (see the example below)
81 - `-m verbose` for printing additional info:
82 - config options without a corresponding check
83 - internals of complex checks with AND/OR, like this:
85 -------------------------------------------------------------------------------------------
87 CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface
88 CONFIG_DEVMEM | is not set | kspp | cut_attack_surface
89 -------------------------------------------------------------------------------------------
91 - `-m show_fail` for showing only the failed checks
92 - `-m show_ok` for showing only the successful checks
93 - `-m json` for printing the results in JSON format (for combining `kconfig-hardened-check` with other tools)
95 ## Example output for `Fedora 34` kernel configuration
97 $ ./bin/kconfig-hardened-check -c /boot/config-5.19.14-200.fc36.x86_64 -l /proc/cmdline
98 [+] Kconfig file to check: /boot/config-5.19.14-200.fc36.x86_64
99 [+] Kernel cmdline file to check: /proc/cmdline
100 [+] Detected architecture: X86_64
101 [+] Detected kernel version: 5.19
102 [+] Detected compiler: GCC 120201
103 =========================================================================================================================
104 option name | type |desired val | decision | reason | check result
105 =========================================================================================================================
106 CONFIG_BUG |kconfig| y |defconfig | self_protection | OK
107 CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK
108 CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | OK
109 CONFIG_STACKPROTECTOR |kconfig| y |defconfig | self_protection | OK
110 CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | FAIL: "is not set"
111 CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK
112 CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK
113 CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | OK: version >= 5.5
114 CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK
115 CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK
116 CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK
117 CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK
118 CONFIG_X86_MCE |kconfig| y |defconfig | self_protection | OK
119 CONFIG_X86_MCE_INTEL |kconfig| y |defconfig | self_protection | OK
120 CONFIG_X86_MCE_AMD |kconfig| y |defconfig | self_protection | OK
121 CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK
122 CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK
123 CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK: version >= 5.19
124 CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK
125 CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK
126 CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK
127 CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK
128 CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK
129 CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK
130 CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | OK
131 CONFIG_DEBUG_WX |kconfig| y | kspp | self_protection | OK
132 CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK
133 CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK
134 CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK
135 CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK
136 CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK
137 CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | OK
138 CONFIG_DEBUG_VIRTUAL |kconfig| y | kspp | self_protection | FAIL: "is not set"
139 CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set"
140 CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set"
141 CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set"
142 CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
143 CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: "is not set"
144 CONFIG_KFENCE |kconfig| y | kspp | self_protection | OK
145 CONFIG_WERROR |kconfig| y | kspp | self_protection | FAIL: "is not set"
146 CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
147 CONFIG_IOMMU_DEFAULT_PASSTHROUGH |kconfig| is not set | kspp | self_protection | OK
148 CONFIG_ZERO_CALL_USED_REGS |kconfig| y | kspp | self_protection | FAIL: "is not set"
149 CONFIG_HW_RANDOM_TPM |kconfig| y | kspp | self_protection | OK
150 CONFIG_STATIC_USERMODEHELPER |kconfig| y | kspp | self_protection | FAIL: "is not set"
151 CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | OK
152 CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: "is not set"
153 CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL not "y"
154 CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK
155 CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | OK: not found
156 CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig| is not set | kspp | self_protection | OK: not found
157 CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK
158 CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK
159 CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK
160 CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set"
161 CONFIG_INIT_STACK_ALL_ZERO |kconfig| y | kspp | self_protection | FAIL: "is not set"
162 CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
163 CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | kspp | self_protection | FAIL: "is not set"
164 CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | kspp | self_protection | FAIL: "is not set"
165 CONFIG_UBSAN_BOUNDS |kconfig| y | kspp | self_protection | FAIL: not found
166 CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | kspp | self_protection | FAIL: not found
167 CONFIG_UBSAN_TRAP |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
168 CONFIG_UBSAN_SANITIZE_ALL |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
169 CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: "is not set"
170 CONFIG_STACKLEAK_METRICS |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
171 CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
172 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | OK
173 CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: not found
174 CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CFI_CLANG not "y"
175 CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK
176 CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
177 CONFIG_SLS |kconfig| y | kspp | self_protection | OK
178 CONFIG_INTEL_IOMMU_SVM |kconfig| y | kspp | self_protection | OK
179 CONFIG_AMD_IOMMU_V2 |kconfig| y | kspp | self_protection | FAIL: "m"
180 CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | OK
181 CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK
182 CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK
183 CONFIG_SECURITY_LANDLOCK |kconfig| y | kspp | security_policy | OK
184 CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK
185 CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | kspp | security_policy | FAIL: "y"
186 CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | kspp | security_policy | FAIL: "y"
187 CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | kspp | security_policy | OK
188 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | kspp | security_policy | OK
189 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | kspp | security_policy | FAIL: "is not set"
190 CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | kspp | security_policy | OK: not found
191 CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| OK
192 CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK
193 CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK
194 CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK
195 CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
196 CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| OK
197 CONFIG_COMPAT_BRK |kconfig| is not set | kspp |cut_attack_surface| OK
198 CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK: not found
199 CONFIG_COMPAT_VDSO |kconfig| is not set | kspp |cut_attack_surface| OK
200 CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
201 CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
202 CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
203 CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
204 CONFIG_LEGACY_PTYS |kconfig| is not set | kspp |cut_attack_surface| OK
205 CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
206 CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
207 CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| OK: not found
208 CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
209 CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: not found
210 CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
211 CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
212 CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
213 CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| OK
214 CONFIG_LDISC_AUTOLOAD |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
215 CONFIG_LEGACY_VSYSCALL_NONE |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
216 CONFIG_ZSMALLOC_STAT |kconfig| is not set | grsec |cut_attack_surface| OK
217 CONFIG_PAGE_OWNER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
218 CONFIG_DEBUG_KMEMLEAK |kconfig| is not set | grsec |cut_attack_surface| OK
219 CONFIG_BINFMT_AOUT |kconfig| is not set | grsec |cut_attack_surface| OK: not found
220 CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
221 CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
222 CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
223 CONFIG_FUNCTION_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
224 CONFIG_STACK_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
225 CONFIG_HIST_TRIGGERS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
226 CONFIG_BLK_DEV_IO_TRACE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
227 CONFIG_PROC_VMCORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
228 CONFIG_PROC_PAGE_MONITOR |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
229 CONFIG_USELIB |kconfig| is not set | grsec |cut_attack_surface| OK
230 CONFIG_CHECKPOINT_RESTORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
231 CONFIG_USERFAULTFD |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
232 CONFIG_HWPOISON_INJECT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
233 CONFIG_MEM_SOFT_DIRTY |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
234 CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
235 CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
236 CONFIG_NOTIFIER_ERROR_INJECTION |kconfig| is not set | grsec |cut_attack_surface| OK
237 CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: not found
238 CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
239 CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| OK
240 CONFIG_EDAC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
241 CONFIG_DRM_I915_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK: not found
242 CONFIG_BCACHE_CLOSURES_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
243 CONFIG_DVB_C8SECTPFE |kconfig| is not set | grsec |cut_attack_surface| OK: not found
244 CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| OK
245 CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| OK
246 CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
247 CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
248 CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
249 CONFIG_LATENCYTOP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
250 CONFIG_KCOV |kconfig| is not set | grsec |cut_attack_surface| OK
251 CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
252 CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
253 CONFIG_PTDUMP_DEBUGFS |kconfig| is not set | grsec |cut_attack_surface| OK
254 CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_attack_surface| OK
255 CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
256 CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
257 CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
258 CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK
259 CONFIG_AIO |kconfig| is not set |grapheneos|cut_attack_surface| FAIL: "y"
260 CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
261 CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
262 CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
263 CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
264 CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
265 CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
266 CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
267 CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
268 CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
269 CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
270 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
271 CONFIG_COREDUMP |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
272 CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y | clipos |cut_attack_surface| OK
273 CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
274 CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m"
275 CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK
276 CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
277 CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: not found
278 CONFIG_MMIOTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
279 CONFIG_LIVEPATCH |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
280 CONFIG_IP_DCCP |kconfig| is not set | my |cut_attack_surface| OK
281 CONFIG_IP_SCTP |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
282 CONFIG_FTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
283 CONFIG_VIDEO_VIVID |kconfig| is not set | my |cut_attack_surface| OK: not found
284 CONFIG_INPUT_EVBUG |kconfig| is not set | my |cut_attack_surface| OK
285 CONFIG_KGDB |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
286 CONFIG_INTEGRITY |kconfig| y |defconfig | harden_userspace | OK
287 CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | clipos | harden_userspace | FAIL: "28"
288 nosmep |cmdline| is not set |defconfig | self_protection | OK: not found
289 nosmap |cmdline| is not set |defconfig | self_protection | OK: not found
290 nokaslr |cmdline| is not set |defconfig | self_protection | OK: not found
291 nopti |cmdline| is not set |defconfig | self_protection | OK: not found
292 nospectre_v1 |cmdline| is not set |defconfig | self_protection | OK: not found
293 nospectre_v2 |cmdline| is not set |defconfig | self_protection | OK: not found
294 rodata |cmdline| 1 |defconfig | self_protection | OK: rodata not found
295 init_on_alloc |cmdline| 1 | kspp | self_protection | FAIL: not found
296 init_on_free |cmdline| 1 | kspp | self_protection | FAIL: not found
297 slab_nomerge |cmdline| | kspp | self_protection | OK: CONFIG_SLAB_MERGE_DEFAULT "is not set"
298 iommu.strict |cmdline| 1 | kspp | self_protection | FAIL: not found
299 iommu.passthrough |cmdline| 0 | kspp | self_protection | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH "is not set"
300 hardened_usercopy |cmdline| 1 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY "y"
301 slab_common.usercopy_fallback |cmdline| 0 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY_FALLBACK not found
302 randomize_kstack_offset |cmdline| 1 | kspp | self_protection | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT "y"
303 pti |cmdline| on | kspp | self_protection | FAIL: not found
304 page_alloc.shuffle |cmdline| 1 | clipos | self_protection | FAIL: not found
305 spectre_v2 |cmdline| on | clipos | self_protection | FAIL: not found
306 vsyscall |cmdline| none | kspp |cut_attack_surface| FAIL: not found
307 debugfs |cmdline| off | grsec |cut_attack_surface| FAIL: not found
309 [+] Config check is finished: 'OK' - 101 / 'FAIL' - 101
312 ## kconfig-hardened-check versioning
314 I usually update the kernel security hardening recommendations every few kernel releases.
316 So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
318 The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
321 ## Questions and answers
323 __Q:__ How all these kernel parameters influence the Linux kernel security?
325 __A:__ To answer this question, you can use the `kconfig-hardened-check` [sources of recommendations][24]
326 and the [Linux Kernel Defence Map][4] with its references.
330 __Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
332 __A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs,
333 but the tool recommends disabling it to cut the attack surface __of the kernel__.
337 - An LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
339 - A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541
341 - A good overview of the trade-off between having user namespaces enabled, disabled and available only for root: https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
345 __Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same?
347 __A:__ I personally don't support this recommendation because:
348 - It decreases system safety (kernel oops is still not a rare situation)
349 - It allows easier denial-of-service attacks for the whole system
351 I think having `CONFIG_BUG` is enough here.
352 If a kernel oops happens in the process context, the offending/attacking process is killed.
353 In other cases, the kernel panics, which is similar to `CONFIG_PANIC_ON_OOPS=y`.
357 __Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
358 Do I really need that feature?
360 __A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
361 ([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
362 requires the corresponding support in the userspace: see the [example implementation][11] by
363 Tycho Andersen [@tych0][12].
367 __Q:__ What about performance impact of these security hardening options?
369 __A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8].
370 A more detailed evaluation is in the TODO list (the issue [#66][21]).
374 __Q:__ Can I easily check which kernel versions support some Kconfig option?
376 __A:__ Yes. See the [LKDDb][18] project (Linux Kernel Driver Database) by Giacomo Catenazzi [@cateee][19].
377 You can use it for the `mainline` or `stable` tree from [kernel.org][20] or for your custom kernel sources.
381 __Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware?
383 __A:__ Checking the kernel config is not enough to answer this question.
384 I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14].
388 __Q:__ Why the `CONFIG_GCC_PLUGINS` option is automatically disabled during the kernel compilation?
390 __A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
391 try to install `gcc-7-plugin-dev` package, it should help.
394 [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
395 [2]: https://docs.clip-os.org/clipos/kernel.html#configuration
396 [3]: https://grsecurity.net/
397 [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
398 [5]: https://lwn.net/Articles/791863/
399 [6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38
400 [7]: https://github.com/BlackIkeEagle
401 [8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/
402 [9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
403 [10]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
404 [11]: https://github.com/tych0/huldufolk
405 [12]: https://github.com/tych0
406 [13]: https://github.com/speed47/spectre-meltdown-checker
407 [14]: https://github.com/speed47
408 [15]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/53
409 [16]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/54
410 [17]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/62
411 [18]: https://cateee.net/lkddb/web-lkddb/
412 [19]: https://github.com/cateee/lkddb
413 [20]: https://kernel.org/
414 [21]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/66
415 [22]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/56
416 [23]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues?q=label%3Akernel_maintainer_feedback
417 [24]: https://github.com/a13xp0p0v/kconfig-hardened-check#motivation
projects / kconfig-hardened-check.git / blob