1 # kernel-hardening-checker (formerly kconfig-hardened-check)
3 [](https://github.com/a13xp0p0v/kernel-hardening-checker/tags)<br />
4 [](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/functional_test.yml)
5 [](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker)<br />
6 [](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/engine_unit-test.yml)
7 [](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker)
11 There are plenty of security hardening options for the Linux kernel. A lot of them are
12 not enabled by the major distros. We have to enable these options ourselves to
13 make our systems more secure.
15 But nobody likes checking configs manually. So let the computers do their job!
17 __kernel-hardening-checker__ is a tool for checking the security hardening options of the Linux kernel. It supports checking:
19 - Kconfig options (compile-time)
20 - Kernel cmdline arguments (boot-time)
21 - Sysctl parameters (runtime)
23 The security hardening recommendations are based on:
25 - [KSPP recommended settings][1]
26 - [CLIP OS kernel configuration][2]
27 - Last public [grsecurity][3] patch (options which they disable)
28 - [SECURITY_LOCKDOWN_LSM][5] patchset
29 - [Direct feedback from the Linux kernel maintainers][23]
31 I also created the [__Linux Kernel Defence Map__][4], which is a graphical representation of the
32 relationships between security hardening features and the corresponding vulnerability classes
33 or exploitation techniques.
35 __Attention!__ Changing Linux kernel security parameters may also affect system performance
36 and functionality of userspace software. So for choosing these parameters, consider
37 the threat model of your Linux-based information system and perform thorough testing
38 of its typical workload.
42 - Main at GitHub <https://github.com/a13xp0p0v/kernel-hardening-checker>
43 - Mirror at Codeberg: <https://codeberg.org/a13xp0p0v/kernel-hardening-checker>
44 - Mirror at GitFlic: <https://gitflic.ru/project/a13xp0p0v/kernel-hardening-checker>
46 ## Supported microarchitectures
53 TODO: RISC-V (issue [#56][22])
57 You can install the package:
60 pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker
63 or simply run `./bin/kernel-hardening-checker` from the cloned repository.
65 Some Linux distributions also provide `kernel-hardening-checker` as a package.
69 usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
70 [-c CONFIG] [-l CMDLINE] [-s SYSCTL]
71 [-p {X86_64,X86_32,ARM64,ARM}]
72 [-g {X86_64,X86_32,ARM64,ARM}]
74 A tool for checking the security hardening options of the Linux kernel
77 -h, --help show this help message and exit
78 --version show program's version number and exit
79 -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
80 choose the report mode
81 -c CONFIG, --config CONFIG
82 check the security hardening options in the kernel Kconfig file
83 (also supports *.gz files)
84 -l CMDLINE, --cmdline CMDLINE
85 check the security hardening options in the kernel cmdline file
86 (contents of /proc/cmdline)
87 -s SYSCTL, --sysctl SYSCTL
88 check the security hardening options in the sysctl output file
89 (`sudo sysctl -a > file`)
90 -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
91 print the security hardening recommendations for the selected
93 -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
94 generate a Kconfig fragment with the security hardening options
95 for the selected microarchitecture
100 - no `-m` argument for the default output mode (see the example below)
101 - `-m verbose` for printing additional info:
102 - config options without a corresponding check
103 - internals of complex checks with AND/OR, like this:
105 -------------------------------------------------------------------------------------------
107 CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface
108 CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface
109 -------------------------------------------------------------------------------------------
111 - `-m show_fail` for showing only the failed checks
112 - `-m show_ok` for showing only the successful checks
113 - `-m json` for printing the results in JSON format (for combining `kernel-hardening-checker` with other tools)
115 ## Example output for `Fedora 38` kernel configuration
117 $ ./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/fedora_38.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt
118 [+] Kconfig file to check: kernel_hardening_checker/config_files/distros/fedora_38.config
119 [+] Kernel cmdline file to check: /proc/cmdline
120 [+] Sysctl output file to check: kernel_hardening_checker/config_files/distros/example_sysctls.txt
121 [+] Detected microarchitecture: X86_64
122 [+] Detected kernel version: 6.3
123 [+] Detected compiler: GCC 130101
124 =========================================================================================================================
125 option name | type |desired val | decision | reason | check result
126 =========================================================================================================================
127 CONFIG_BUG |kconfig| y |defconfig | self_protection | OK
128 CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK
129 CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK
130 CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: "is not set"
131 CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK
132 CONFIG_STACKPROTECTOR |kconfig| y |defconfig | self_protection | OK
133 CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | OK
134 CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK
135 CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK
136 CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | OK: version >= 5.5
137 CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK
138 CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK
139 CONFIG_DEBUG_WX |kconfig| y |defconfig | self_protection | OK
140 CONFIG_WERROR |kconfig| y |defconfig | self_protection | FAIL: "is not set"
141 CONFIG_X86_MCE |kconfig| y |defconfig | self_protection | OK
142 CONFIG_X86_MCE_INTEL |kconfig| y |defconfig | self_protection | OK
143 CONFIG_X86_MCE_AMD |kconfig| y |defconfig | self_protection | OK
144 CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK
145 CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK
146 CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK
147 CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK: version >= 5.19
148 CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK
149 CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK
150 CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK
151 CONFIG_X86_KERNEL_IBT |kconfig| y |defconfig | self_protection | OK
152 CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK
153 CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK
154 CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | OK
155 CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK
156 CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK
157 CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK
158 CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK
159 CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK
160 CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | OK
161 CONFIG_DEBUG_VIRTUAL |kconfig| y | kspp | self_protection | FAIL: "is not set"
162 CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set"
163 CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set"
164 CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set"
165 CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
166 CONFIG_KFENCE |kconfig| y | kspp | self_protection | OK
167 CONFIG_ZERO_CALL_USED_REGS |kconfig| y | kspp | self_protection | FAIL: "is not set"
168 CONFIG_HW_RANDOM_TPM |kconfig| y | kspp | self_protection | OK
169 CONFIG_STATIC_USERMODEHELPER |kconfig| y | kspp | self_protection | FAIL: "is not set"
170 CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: is not found
171 CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
172 CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK
173 CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | OK: is not found
174 CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig| is not set | kspp | self_protection | OK: is not found
175 CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
176 CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK
177 CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK
178 CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK
179 CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set"
180 CONFIG_INIT_STACK_ALL_ZERO |kconfig| y | kspp | self_protection | OK
181 CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
182 CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | kspp | self_protection | FAIL: "is not set"
183 CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | kspp | self_protection | FAIL: "is not set"
184 CONFIG_UBSAN_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found
185 CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found
186 CONFIG_UBSAN_TRAP |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
187 CONFIG_UBSAN_SANITIZE_ALL |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
188 CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
189 CONFIG_STACKLEAK_METRICS |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
190 CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
191 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | OK
192 CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: is not found
193 CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CFI_CLANG is not "y"
194 CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | OK
195 CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK
196 CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
197 CONFIG_IOMMU_DEFAULT_PASSTHROUGH |kconfig| is not set | kspp | self_protection | OK
198 CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
199 CONFIG_SLS |kconfig| y | kspp | self_protection | OK
200 CONFIG_INTEL_IOMMU_SVM |kconfig| y | kspp | self_protection | OK
201 CONFIG_AMD_IOMMU_V2 |kconfig| y | kspp | self_protection | FAIL: "m"
202 CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | OK
203 CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK
204 CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK
205 CONFIG_SECURITY_LANDLOCK |kconfig| y | kspp | security_policy | OK
206 CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK
207 CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | kspp | security_policy | FAIL: "y"
208 CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | kspp | security_policy | FAIL: "y"
209 CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | kspp | security_policy | OK
210 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | kspp | security_policy | OK
211 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | kspp | security_policy | FAIL: "is not set"
212 CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | kspp | security_policy | OK: is not found
213 CONFIG_SECURITY_SELINUX |kconfig| y | my | security_policy | OK
214 CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK
215 CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK
216 CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| OK
217 CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK
218 CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y |defconfig |cut_attack_surface| OK
219 CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
220 CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| OK
221 CONFIG_COMPAT_BRK |kconfig| is not set | kspp |cut_attack_surface| OK
222 CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
223 CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
224 CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
225 CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
226 CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
227 CONFIG_LEGACY_PTYS |kconfig| is not set | kspp |cut_attack_surface| OK
228 CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
229 CONFIG_COMPAT |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
230 CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
231 CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
232 CONFIG_X86_X32_ABI |kconfig| is not set | kspp |cut_attack_surface| OK
233 CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
234 CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
235 CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
236 CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
237 CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
238 CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| OK
239 CONFIG_LDISC_AUTOLOAD |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
240 CONFIG_COMPAT_VDSO |kconfig| is not set | kspp |cut_attack_surface| OK
241 CONFIG_ZSMALLOC_STAT |kconfig| is not set | grsec |cut_attack_surface| OK
242 CONFIG_PAGE_OWNER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
243 CONFIG_DEBUG_KMEMLEAK |kconfig| is not set | grsec |cut_attack_surface| OK
244 CONFIG_BINFMT_AOUT |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
245 CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
246 CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
247 CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
248 CONFIG_FUNCTION_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
249 CONFIG_STACK_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
250 CONFIG_HIST_TRIGGERS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
251 CONFIG_BLK_DEV_IO_TRACE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
252 CONFIG_PROC_VMCORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
253 CONFIG_PROC_PAGE_MONITOR |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
254 CONFIG_USELIB |kconfig| is not set | grsec |cut_attack_surface| OK
255 CONFIG_CHECKPOINT_RESTORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
256 CONFIG_USERFAULTFD |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
257 CONFIG_HWPOISON_INJECT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
258 CONFIG_MEM_SOFT_DIRTY |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
259 CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
260 CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
261 CONFIG_NOTIFIER_ERROR_INJECTION |kconfig| is not set | grsec |cut_attack_surface| OK
262 CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
263 CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
264 CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| OK
265 CONFIG_EDAC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
266 CONFIG_DRM_I915_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
267 CONFIG_BCACHE_CLOSURES_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
268 CONFIG_DVB_C8SECTPFE |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
269 CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| OK
270 CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| OK
271 CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
272 CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
273 CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
274 CONFIG_LATENCYTOP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
275 CONFIG_KCOV |kconfig| is not set | grsec |cut_attack_surface| OK
276 CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
277 CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
278 CONFIG_PTDUMP_DEBUGFS |kconfig| is not set | grsec |cut_attack_surface| OK
279 CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_attack_surface| OK
280 CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
281 CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
282 CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
283 CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK
284 CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT |kconfig| is not set |maintainer|cut_attack_surface| OK: is not found
285 CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
286 CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
287 CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
288 CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
289 CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
290 CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
291 CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
292 CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
293 CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
294 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
295 CONFIG_COREDUMP |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
296 CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
297 CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m"
298 CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK
299 CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
300 CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
301 CONFIG_LEGACY_TIOCSTI |kconfig| is not set | my |cut_attack_surface| OK
302 CONFIG_MMIOTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
303 CONFIG_LIVEPATCH |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
304 CONFIG_IP_DCCP |kconfig| is not set | my |cut_attack_surface| OK
305 CONFIG_IP_SCTP |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
306 CONFIG_FTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
307 CONFIG_VIDEO_VIVID |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
308 CONFIG_INPUT_EVBUG |kconfig| is not set | my |cut_attack_surface| OK
309 CONFIG_KGDB |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
310 CONFIG_AIO |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
311 CONFIG_CORESIGHT |kconfig| is not set | my |cut_attack_surface| OK: is not found
312 CONFIG_XFS_SUPPORT_V4 |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
313 CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: is not found
314 CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | my | harden_userspace | FAIL: "28"
315 nosmep |cmdline| is not set |defconfig | self_protection | OK: is not found
316 nosmap |cmdline| is not set |defconfig | self_protection | OK: is not found
317 nokaslr |cmdline| is not set |defconfig | self_protection | OK: is not found
318 nopti |cmdline| is not set |defconfig | self_protection | OK: is not found
319 nospectre_v1 |cmdline| is not set |defconfig | self_protection | OK: is not found
320 nospectre_v2 |cmdline| is not set |defconfig | self_protection | OK: is not found
321 nospectre_bhb |cmdline| is not set |defconfig | self_protection | OK: is not found
322 nospec_store_bypass_disable |cmdline| is not set |defconfig | self_protection | OK: is not found
323 arm64.nobti |cmdline| is not set |defconfig | self_protection | OK: is not found
324 arm64.nopauth |cmdline| is not set |defconfig | self_protection | OK: is not found
325 arm64.nomte |cmdline| is not set |defconfig | self_protection | OK: is not found
326 spectre_v2 |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
327 spectre_v2_user |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
328 spec_store_bypass_disable |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
329 l1tf |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
330 mds |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
331 tsx_async_abort |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
332 srbds |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
333 mmio_stale_data |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
334 retbleed |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
335 kpti |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
336 rodata |cmdline| on |defconfig | self_protection | OK: rodata is not found
337 nosmt |cmdline| is present | kspp | self_protection | FAIL: is not present
338 mitigations |cmdline| auto,nosmt | kspp | self_protection | FAIL: is not found
339 slab_merge |cmdline| is not set | kspp | self_protection | OK: is not found
340 slub_merge |cmdline| is not set | kspp | self_protection | OK: is not found
341 slab_nomerge |cmdline| is present | kspp | self_protection | OK: CONFIG_SLAB_MERGE_DEFAULT is "is not set"
342 init_on_alloc |cmdline| 1 | kspp | self_protection | FAIL: is not found
343 init_on_free |cmdline| 1 | kspp | self_protection | FAIL: is not found
344 iommu.strict |cmdline| 1 | kspp | self_protection | FAIL: is not found
345 iommu.passthrough |cmdline| 0 | kspp | self_protection | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set"
346 hardened_usercopy |cmdline| 1 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY is "y"
347 slab_common.usercopy_fallback |cmdline| 0 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY_FALLBACK is not found
348 randomize_kstack_offset |cmdline| 1 | kspp | self_protection | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is "y"
349 pti |cmdline| on | kspp | self_protection | FAIL: is not found
350 page_alloc.shuffle |cmdline| 1 | clipos | self_protection | FAIL: is not found
351 iommu |cmdline| force | clipos | self_protection | FAIL: is not found
352 tsx |cmdline| off |defconfig |cut_attack_surface| OK: CONFIG_X86_INTEL_TSX_MODE_OFF is "y"
353 vsyscall |cmdline| none | kspp |cut_attack_surface| FAIL: is not found
354 vdso32 |cmdline| 1 | my |cut_attack_surface| OK: CONFIG_COMPAT_VDSO is "is not set"
355 debugfs |cmdline| off | grsec |cut_attack_surface| FAIL: is not found
356 sysrq_always_enabled |cmdline| is not set | my |cut_attack_surface| OK: is not found
357 norandmaps |cmdline| is not set |defconfig | harden_userspace | OK: is not found
358 net.core.bpf_jit_harden |sysctl | 2 | kspp | self_protection | FAIL: "0"
359 kernel.dmesg_restrict |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0"
360 kernel.perf_event_paranoid |sysctl | 3 | kspp |cut_attack_surface| FAIL: "2"
361 kernel.kexec_load_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0"
362 user.max_user_namespaces |sysctl | 0 | kspp |cut_attack_surface| FAIL: "31021"
363 dev.tty.ldisc_autoload |sysctl | 0 | kspp |cut_attack_surface| FAIL: "1"
364 kernel.unprivileged_bpf_disabled |sysctl | 1 | kspp |cut_attack_surface| OK
365 kernel.kptr_restrict |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0"
366 kernel.yama.ptrace_scope |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0"
368 [+] Config check is finished: 'OK' - 118 / 'FAIL' - 122
371 ## Generating a Kconfig fragment with the security hardening options
373 With the `-g` argument, the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.
375 This Kconfig fragment can be merged with the existing Linux kernel config:
377 $ ./bin/kernel-hardening-checker -g X86_64 > /tmp/fragment
379 $ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
380 Using .config as base
381 Merging /tmp/fragment
382 Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
383 Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
384 New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
388 ## Questions and answers
390 __Q:__ How all these kernel parameters influence the Linux kernel security?
392 __A:__ To answer this question, you can use the `kernel-hardening-checker` [sources of recommendations][24]
393 and the [Linux Kernel Defence Map][4] with its references.
397 __Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
399 __A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs,
400 but the tool recommends disabling it to cut the attack surface __of the kernel__.
404 - An LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
406 - A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541
408 - A good overview of the trade-off between having user namespaces enabled, disabled and available only for root: https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
412 __Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same?
414 __A:__ I personally don't support this recommendation because:
415 - It decreases system safety (kernel oops is still not a rare situation)
416 - It allows easier denial-of-service attacks for the whole system
418 I think having `CONFIG_BUG` is enough here.
419 If a kernel oops happens in the process context, the offending/attacking process is killed.
420 In other cases, the kernel panics, which is similar to `CONFIG_PANIC_ON_OOPS=y`.
424 __Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
425 Do I really need that feature?
427 __A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
428 ([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
429 requires the corresponding support in the userspace: see the [example implementation][11] by
430 Tycho Andersen [@tych0][12].
434 __Q:__ What about performance impact of these security hardening options?
436 __A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8].
437 A more detailed evaluation is in the TODO list (the issue [#66][21]).
441 __Q:__ Can I easily check which kernel versions support some Kconfig option?
443 __A:__ Yes. See the [LKDDb][18] project (Linux Kernel Driver Database) by Giacomo Catenazzi [@cateee][19].
444 You can use it for the `mainline` or `stable` tree from [kernel.org][20] or for your custom kernel sources.
448 __Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware?
450 __A:__ Checking the kernel config is not enough to answer this question.
451 I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14].
455 __Q:__ Why the `CONFIG_GCC_PLUGINS` option is automatically disabled during the kernel compilation?
457 __A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
458 try to install `gcc-7-plugin-dev` package, it should help.
461 [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
462 [2]: https://docs.clip-os.org/clipos/kernel.html#configuration
463 [3]: https://grsecurity.net/
464 [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
465 [5]: https://lwn.net/Articles/791863/
466 [6]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/38
467 [7]: https://github.com/BlackIkeEagle
468 [8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/
469 [9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
470 [10]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
471 [11]: https://github.com/tych0/huldufolk
472 [12]: https://github.com/tych0
473 [13]: https://github.com/speed47/spectre-meltdown-checker
474 [14]: https://github.com/speed47
475 [15]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/53
476 [16]: https://github.com/a13xp0p0v/kernel-hardening-checker/pull/54
477 [17]: https://github.com/a13xp0p0v/kernel-hardening-checker/pull/62
478 [18]: https://cateee.net/lkddb/web-lkddb/
479 [19]: https://github.com/cateee/lkddb
480 [20]: https://kernel.org/
481 [21]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/66
482 [22]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56
483 [23]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues?q=label%3Akernel_maintainer_feedback
484 [24]: https://github.com/a13xp0p0v/kernel-hardening-checker#motivation
projects / kconfig-hardened-check.git / blob