1 # kconfig-hardened-check
3 
4 
5 [](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
9 There are plenty of security hardening options for the Linux kernel. A lot of them are
10 not enabled by the major distros. We have to enable these options ourselves to
11 make our systems more secure.
13 But nobody likes checking configs manually. So let the computers do their job!
15 __kconfig-hardened-check.py__ helps me to check the Linux kernel options
16 against my security hardening preferences, which are based on the
18 - [KSPP recommended settings][1],
19 - [CLIP OS kernel configuration][2],
20 - Last public [grsecurity][3] patch (options which they disable),
21 - [SECURITY_LOCKDOWN_LSM][5] patchset,
22 - Direct feedback from Linux kernel maintainers (see [#38][6], [#53][15], [#54][16], [#62][17]).
24 This tool supports checking __Kconfig__ options and __kernel cmdline__ parameters.
26 I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the
27 relationships between security hardening features and the corresponding vulnerability classes
28 or exploitation techniques.
30 ## Supported microarchitectures
41 You can install the package:
44 pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check
47 or simply run `./bin/kconfig-hardened-check` from the cloned repository.
49 Some Linux distributions also provide `kconfig-hardened-check` as a package.
53 usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]
56 [-m {verbose,json,show_ok,show_fail}]
58 A tool for checking the security hardening options of the Linux kernel
61 -h, --help show this help message and exit
62 --version show program's version number and exit
63 -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
64 print security hardening preferences for the selected architecture
65 -c CONFIG, --config CONFIG
66 check the kernel kconfig file against these preferences
67 -l CMDLINE, --cmdline CMDLINE
68 check the kernel cmdline file against these preferences
69 -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
70 choose the report mode
75 - no `-m` argument for the default output mode (see the example below)
76 - `-m verbose` for printing additional info:
77 - config options without a corresponding check
78 - internals of complex checks with AND/OR, like this:
80 -------------------------------------------------------------------------------------------
82 CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface
83 CONFIG_DEVMEM | is not set | kspp | cut_attack_surface
84 -------------------------------------------------------------------------------------------
86 - `-m show_fail` for showing only the failed checks
87 - `-m show_ok` for showing only the successful checks
88 - `-m json` for printing the results in JSON format (for combining `kconfig-hardened-check` with other tools)
90 ## Example output for `Fedora 34` kernel config
92 $ ./bin/kconfig-hardened-check -c /boot/config-5.19.4-200.fc36.x86_64 -l /proc/cmdline
93 [+] Kconfig file to check: /boot/config-5.19.4-200.fc36.x86_64
94 [+] Kernel cmdline file to check: /proc/cmdline
95 [+] Detected architecture: X86_64
96 [+] Detected kernel version: 5.19
97 [+] Detected compiler: GCC 120201
98 =========================================================================================================================
99 option name | type |desired val | decision | reason | check result
100 =========================================================================================================================
101 CONFIG_BUG |kconfig| y |defconfig | self_protection | OK
102 CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK
103 CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | OK
104 CONFIG_STACKPROTECTOR |kconfig| y |defconfig | self_protection | OK
105 CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | FAIL: "is not set"
106 CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK
107 CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK
108 CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | OK: version >= 5.5
109 CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK
110 CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK
111 CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK
112 CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK
113 CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK
114 CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK
115 CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK: version >= 5.19
116 CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK
117 CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK
118 CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK
119 CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK
120 CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK
121 CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK
122 CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | OK
123 CONFIG_DEBUG_WX |kconfig| y | kspp | self_protection | OK
124 CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK
125 CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK
126 CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK
127 CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK
128 CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK
129 CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | OK
130 CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set"
131 CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set"
132 CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set"
133 CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
134 CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: "is not set"
135 CONFIG_KFENCE |kconfig| y | kspp | self_protection | OK
136 CONFIG_WERROR |kconfig| y | kspp | self_protection | FAIL: "is not set"
137 CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
138 CONFIG_IOMMU_DEFAULT_PASSTHROUGH |kconfig| is not set | kspp | self_protection | OK
139 CONFIG_ZERO_CALL_USED_REGS |kconfig| y | kspp | self_protection | FAIL: "is not set"
140 CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: "is not set"
141 CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK
142 CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | OK: not found
143 CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig| is not set | kspp | self_protection | OK: not found
144 CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK
145 CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK
146 CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK
147 CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set"
148 CONFIG_INIT_STACK_ALL_ZERO |kconfig| y | kspp | self_protection | FAIL: "is not set"
149 CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
150 CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: "is not set"
151 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | OK
152 CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | OK
153 CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK
154 CONFIG_UBSAN_BOUNDS |kconfig| y |maintainer| self_protection | FAIL: not found
155 CONFIG_UBSAN_SANITIZE_ALL |kconfig| y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
156 CONFIG_UBSAN_TRAP |kconfig| y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
157 CONFIG_DEBUG_VIRTUAL |kconfig| y | clipos | self_protection | FAIL: "is not set"
158 CONFIG_STATIC_USERMODEHELPER |kconfig| y | clipos | self_protection | FAIL: "is not set"
159 CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | clipos | self_protection | FAIL: "is not set"
160 CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | OK
161 CONFIG_RANDOM_TRUST_BOOTLOADER |kconfig| is not set | clipos | self_protection | FAIL: "y"
162 CONFIG_RANDOM_TRUST_CPU |kconfig| is not set | clipos | self_protection | FAIL: "y"
163 CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL not "y"
164 CONFIG_STACKLEAK_METRICS |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
165 CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
166 CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | clipos | self_protection | FAIL: "is not set"
167 CONFIG_INTEL_IOMMU_SVM |kconfig| y | clipos | self_protection | OK
168 CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | my | self_protection | FAIL: "is not set"
169 CONFIG_SLS |kconfig| y | my | self_protection | OK
170 CONFIG_AMD_IOMMU_V2 |kconfig| y | my | self_protection | FAIL: "m"
171 CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK
172 CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK
173 CONFIG_SECURITY_LANDLOCK |kconfig| y | kspp | security_policy | OK
174 CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK
175 CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | clipos | security_policy | OK
176 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | clipos | security_policy | OK
177 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | clipos | security_policy | FAIL: "is not set"
178 CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | my | security_policy | OK: not found
179 CONFIG_SECURITY_SAFESETID |kconfig| y | my | security_policy | FAIL: "is not set"
180 CONFIG_SECURITY_LOADPIN |kconfig| y | my | security_policy | FAIL: "is not set"
181 CONFIG_SECURITY_LOADPIN_ENFORCE |kconfig| y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y"
182 CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| OK
183 CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK
184 CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK
185 CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK
186 CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
187 CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| OK
188 CONFIG_COMPAT_BRK |kconfig| is not set | kspp |cut_attack_surface| OK
189 CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK: not found
190 CONFIG_COMPAT_VDSO |kconfig| is not set | kspp |cut_attack_surface| OK
191 CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
192 CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
193 CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
194 CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
195 CONFIG_LEGACY_PTYS |kconfig| is not set | kspp |cut_attack_surface| OK
196 CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
197 CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
198 CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| OK: not found
199 CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
200 CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: not found
201 CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
202 CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
203 CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
204 CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| OK
205 CONFIG_LEGACY_VSYSCALL_NONE |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
206 CONFIG_ZSMALLOC_STAT |kconfig| is not set | grsec |cut_attack_surface| OK
207 CONFIG_PAGE_OWNER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
208 CONFIG_DEBUG_KMEMLEAK |kconfig| is not set | grsec |cut_attack_surface| OK
209 CONFIG_BINFMT_AOUT |kconfig| is not set | grsec |cut_attack_surface| OK: not found
210 CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
211 CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
212 CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
213 CONFIG_FUNCTION_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
214 CONFIG_STACK_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
215 CONFIG_HIST_TRIGGERS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
216 CONFIG_BLK_DEV_IO_TRACE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
217 CONFIG_PROC_VMCORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
218 CONFIG_PROC_PAGE_MONITOR |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
219 CONFIG_USELIB |kconfig| is not set | grsec |cut_attack_surface| OK
220 CONFIG_CHECKPOINT_RESTORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
221 CONFIG_USERFAULTFD |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
222 CONFIG_HWPOISON_INJECT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
223 CONFIG_MEM_SOFT_DIRTY |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
224 CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
225 CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
226 CONFIG_NOTIFIER_ERROR_INJECTION |kconfig| is not set | grsec |cut_attack_surface| OK
227 CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: not found
228 CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
229 CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| OK
230 CONFIG_EDAC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
231 CONFIG_DRM_I915_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK: not found
232 CONFIG_BCACHE_CLOSURES_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
233 CONFIG_DVB_C8SECTPFE |kconfig| is not set | grsec |cut_attack_surface| OK: not found
234 CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| OK
235 CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| OK
236 CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
237 CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
238 CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
239 CONFIG_LATENCYTOP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
240 CONFIG_KCOV |kconfig| is not set | grsec |cut_attack_surface| OK
241 CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
242 CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
243 CONFIG_PTDUMP_DEBUGFS |kconfig| is not set | grsec |cut_attack_surface| OK
244 CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_attack_surface| OK
245 CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
246 CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
247 CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
248 CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK
249 CONFIG_AIO |kconfig| is not set |grapheneos|cut_attack_surface| FAIL: "y"
250 CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
251 CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
252 CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
253 CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
254 CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
255 CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
256 CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
257 CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
258 CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
259 CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
260 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
261 CONFIG_LDISC_AUTOLOAD |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
262 CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y | clipos |cut_attack_surface| OK
263 CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
264 CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m"
265 CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK
266 CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
267 CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: not found
268 CONFIG_MMIOTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
269 CONFIG_LIVEPATCH |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
270 CONFIG_IP_DCCP |kconfig| is not set | my |cut_attack_surface| OK
271 CONFIG_IP_SCTP |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
272 CONFIG_FTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
273 CONFIG_VIDEO_VIVID |kconfig| is not set | my |cut_attack_surface| OK: not found
274 CONFIG_INPUT_EVBUG |kconfig| is not set | my |cut_attack_surface| OK
275 CONFIG_KGDB |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
276 CONFIG_INTEGRITY |kconfig| y |defconfig | harden_userspace | OK
277 CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | clipos | harden_userspace | FAIL: "28"
278 rodata |cmdline| 1 |defconfig | self_protection | OK: rodata not found
279 init_on_alloc |cmdline| 1 | kspp | self_protection | FAIL: not found
280 init_on_free |cmdline| 1 | kspp | self_protection | FAIL: not found
281 slab_nomerge |cmdline| | kspp | self_protection | OK: CONFIG_SLAB_MERGE_DEFAULT "is not set"
282 iommu.strict |cmdline| 1 | kspp | self_protection | FAIL: not found
283 iommu.passthrough |cmdline| 0 | kspp | self_protection | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH "is not set"
284 nokaslr |cmdline| is not set | kspp | self_protection | OK: not found
285 hardened_usercopy |cmdline| 1 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY "y"
286 slab_common.usercopy_fallback |cmdline| 0 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY_FALLBACK not found
287 randomize_kstack_offset |cmdline| 1 | kspp | self_protection | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT "y"
288 pti |cmdline| on | kspp | self_protection | FAIL: not found
289 page_alloc.shuffle |cmdline| 1 | clipos | self_protection | FAIL: not found
290 nosmep |cmdline| is not set | my | self_protection | OK: not found
291 nosmap |cmdline| is not set | my | self_protection | OK: not found
292 vsyscall |cmdline| none | kspp |cut_attack_surface| FAIL: not found
293 debugfs |cmdline| off | grsec |cut_attack_surface| FAIL: not found
295 [+] Config check is finished: 'OK' - 94 / 'FAIL' - 99
298 ## kconfig-hardened-check versioning
300 I usually update the kernel security hardening recommendations after each Linux kernel release.
302 So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
304 The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
307 ## Questions and answers
309 __Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
311 __A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs,
312 but the tool recommends disabling it to cut the attack surface __of the kernel__.
316 - A nice LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
318 - A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541
320 - A good overview of the trade-off between having user namespaces enabled, disabled and available only for root: https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
324 __Q:__ Why `CONFIG_GCC_PLUGINS` is automatically disabled during the kernel compilation?
326 __A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
327 try to install `gcc-7-plugin-dev` package, it should help.
331 __Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same?
333 __A:__ I personally don't support this recommendation because it provides easy denial-of-service
334 attacks for the whole system (kernel oops is not a rare situation). I think having `CONFIG_BUG` is enough here --
335 if we have a kernel oops in the process context, the offending/attacking process is killed.
339 __Q:__ What about performance impact of these security hardening options?
341 __A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8].
345 __Q:__ Can I easily check which kernel versions support some Kconfig option?
347 __A:__ Yes, see the [LKDDb][18] project (Linux Kernel Driver Database) by Giacomo Catenazzi [@cateee][19].
348 You can use it for the `mainline` or `stable` tree from [kernel.org][20] or for your custom kernel sources.
352 __Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
353 Do I really need that feature?
355 __A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
356 ([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
357 requires the corresponding support in the userspace: see the [example implementation][11] by
358 Tycho Andersen [@tych0][12].
362 __Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware?
364 __A:__ Checking the kernel config is not enough to answer this question.
365 I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14].
368 [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
369 [2]: https://docs.clip-os.org/clipos/kernel.html#configuration
370 [3]: https://grsecurity.net/
371 [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
372 [5]: https://lwn.net/Articles/791863/
373 [6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38
374 [7]: https://github.com/BlackIkeEagle
375 [8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/
376 [9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
377 [10]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
378 [11]: https://github.com/tych0/huldufolk
379 [12]: https://github.com/tych0
380 [13]: https://github.com/speed47/spectre-meltdown-checker
381 [14]: https://github.com/speed47
382 [15]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/53
383 [16]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/54
384 [17]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/62
385 [18]: https://cateee.net/lkddb/web-lkddb/
386 [19]: https://github.com/cateee/lkddb
387 [20]: https://kernel.org/
projects / kconfig-hardened-check.git / blob