1 # kernel-hardening-checker
3 __(formerly kconfig-hardened-check)__<br /><br />
4 [](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/functional_test.yml)
5 [](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker)<br />
6 [](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/engine_unit-test.yml)
7 [](https://codecov.io/gh/a13xp0p0v/kernel-hardening-checker)<br />
8 [](https://github.com/a13xp0p0v/kernel-hardening-checker/tags)
12 There are plenty of security hardening options for the Linux kernel. A lot of them are
13 not enabled by the major distros. We have to enable these options ourselves to
14 make our systems more secure.
16 But nobody likes checking configs manually. So let the computers do their job!
18 __kernel-hardening-checker__ (formerly __kconfig-hardened-check__) is a tool for checking the security hardening options of the Linux kernel. It supports checking:
20 - Kconfig options (compile-time)
21 - Kernel cmdline arguments (boot-time)
22 - Sysctl parameters (runtime)
24 The security hardening recommendations are based on:
26 - [KSPP recommended settings][1]
27 - [CLIP OS kernel configuration][2]
28 - Last public [grsecurity][3] patch (options which they disable)
29 - [SECURITY_LOCKDOWN_LSM][5] patchset
30 - [Direct feedback from the Linux kernel maintainers][23]
32 I also created the [__Linux Kernel Defence Map__][4], which is a graphical representation of the
33 relationships between security hardening features and the corresponding vulnerability classes
34 or exploitation techniques.
36 __Attention!__ Changing Linux kernel security parameters may also affect system performance
37 and functionality of userspace software. So for choosing these parameters, consider
38 the threat model of your Linux-based information system and perform thorough testing
39 of its typical workload.
43 - Main at GitHub <https://github.com/a13xp0p0v/kernel-hardening-checker>
44 - Mirror at Codeberg: <https://codeberg.org/a13xp0p0v/kernel-hardening-checker>
45 - Mirror at GitFlic: <https://gitflic.ru/project/a13xp0p0v/kernel-hardening-checker>
47 ## Supported microarchitectures
54 TODO: RISC-V (issue [#56][22])
58 You can install the package:
61 pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker
64 or simply run `./bin/kernel-hardening-checker` from the cloned repository.
66 Some Linux distributions also provide `kernel-hardening-checker` as a package.
70 usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
71 [-c CONFIG] [-l CMDLINE] [-s SYSCTL] [-v KERNEL_VERSION]
72 [-p {X86_64,X86_32,ARM64,ARM}]
73 [-g {X86_64,X86_32,ARM64,ARM}]
75 A tool for checking the security hardening options of the Linux kernel
78 -h, --help show this help message and exit
79 --version show program's version number and exit
80 -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
81 choose the report mode
82 -c CONFIG, --config CONFIG
83 check the security hardening options in the kernel Kconfig file
84 (also supports *.gz files)
85 -l CMDLINE, --cmdline CMDLINE
86 check the security hardening options in the kernel cmdline file
87 (contents of /proc/cmdline)
88 -s SYSCTL, --sysctl SYSCTL
89 check the security hardening options in the sysctl output file
90 (`sudo sysctl -a > file`)
91 -v KERNEL_VERSION, --kernel-version KERNEL_VERSION
92 extract the version from the kernel version file (contents of
94 -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
95 print the security hardening recommendations for the selected
97 -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
98 generate a Kconfig fragment with the security hardening options
99 for the selected microarchitecture
104 - no `-m` argument for the default output mode (see the example below)
105 - `-m verbose` for printing additional info:
106 - config options without a corresponding check
107 - internals of complex checks with AND/OR, like this:
109 -------------------------------------------------------------------------------------------
111 CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface
112 CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface
113 -------------------------------------------------------------------------------------------
115 - `-m show_fail` for showing only the failed checks
116 - `-m show_ok` for showing only the successful checks
117 - `-m json` for printing the results in JSON format (for combining `kernel-hardening-checker` with other tools)
119 ## Example output for `Ubuntu 22.04` kernel configuration
121 $ ./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/ubuntu-22.04.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt
122 [+] Kconfig file to check: kernel_hardening_checker/config_files/distros/ubuntu-22.04.config
123 [+] Kernel cmdline file to check: /proc/cmdline
124 [+] Sysctl output file to check: kernel_hardening_checker/config_files/distros/example_sysctls.txt
125 [+] Detected microarchitecture: X86_64
126 [+] Detected kernel version: (5, 15, 0)
127 [+] Detected compiler: GCC 110200
128 =========================================================================================================================
129 option_name | type |desired_val | decision | reason | check_result
130 =========================================================================================================================
131 CONFIG_BUG |kconfig| y |defconfig | self_protection | OK
132 CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK
133 CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK
134 CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: is not found
135 CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK
136 CONFIG_STACKPROTECTOR |kconfig| y |defconfig | self_protection | OK
137 CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | OK
138 CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK
139 CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK
140 CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | OK: version >= (5, 4, 208)
141 CONFIG_INIT_STACK_ALL_ZERO |kconfig| y |defconfig | self_protection | FAIL: is not found
142 CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK
143 CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK
144 CONFIG_SPECULATION_MITIGATIONS |kconfig| y |defconfig | self_protection | FAIL: is not found
145 CONFIG_DEBUG_WX |kconfig| y |defconfig | self_protection | OK
146 CONFIG_WERROR |kconfig| y |defconfig | self_protection | FAIL: "is not set"
147 CONFIG_X86_MCE |kconfig| y |defconfig | self_protection | OK
148 CONFIG_X86_MCE_INTEL |kconfig| y |defconfig | self_protection | OK
149 CONFIG_X86_MCE_AMD |kconfig| y |defconfig | self_protection | OK
150 CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK
151 CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK
152 CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK
153 CONFIG_MICROCODE_INTEL |kconfig| y |defconfig | self_protection | OK
154 CONFIG_MICROCODE_AMD |kconfig| y |defconfig | self_protection | OK
155 CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK
156 CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK
157 CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK
158 CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK
159 CONFIG_X86_KERNEL_IBT |kconfig| y |defconfig | self_protection | FAIL: is not found
160 CONFIG_CPU_SRSO |kconfig| y |defconfig | self_protection | FAIL: is not found
161 CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK
162 CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK
163 CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | FAIL: "is not set"
164 CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK
165 CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK
166 CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK
167 CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK
168 CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | FAIL: "is not set"
169 CONFIG_DEBUG_VIRTUAL |kconfig| y | kspp | self_protection | FAIL: "is not set"
170 CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set"
171 CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | OK
172 CONFIG_STATIC_USERMODEHELPER |kconfig| y | kspp | self_protection | FAIL: "is not set"
173 CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | OK
174 CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | kspp | self_protection | OK
175 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | kspp | self_protection | OK
176 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | kspp | self_protection | FAIL: "is not set"
177 CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set"
178 CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set"
179 CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK
180 CONFIG_KFENCE |kconfig| y | kspp | self_protection | OK
181 CONFIG_KFENCE_SAMPLE_INTERVAL |kconfig| is not off | my | self_protection | FAIL: is off, "0"
182 CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: is not found
183 CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
184 CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK
185 CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | OK
186 CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig| is not set | kspp | self_protection | OK
187 CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
188 CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK
189 CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK
190 CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK
191 CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set"
192 CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
193 CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | kspp | self_protection | FAIL: "is not set"
194 CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | kspp | self_protection | OK
195 CONFIG_UBSAN_BOUNDS |kconfig| y | kspp | self_protection | OK
196 CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | kspp | self_protection | OK: CONFIG_UBSAN_BOUNDS is "y"
197 CONFIG_UBSAN_TRAP |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_ENUM is not "is not set"
198 CONFIG_UBSAN_SANITIZE_ALL |kconfig| y | kspp | self_protection | OK
199 CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
200 CONFIG_STACKLEAK_METRICS |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
201 CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
202 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | OK
203 CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: is not found
204 CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CFI_CLANG is not "y"
205 CONFIG_HW_RANDOM_TPM |kconfig| y | kspp | self_protection | OK
206 CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK
207 CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
208 CONFIG_IOMMU_DEFAULT_PASSTHROUGH |kconfig| is not set | kspp | self_protection | OK
209 CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | kspp | self_protection | OK
210 CONFIG_SLS |kconfig| y | kspp | self_protection | FAIL: is not found
211 CONFIG_INTEL_IOMMU_SVM |kconfig| y | kspp | self_protection | OK
212 CONFIG_AMD_IOMMU_V2 |kconfig| y | kspp | self_protection | FAIL: "m"
213 CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | FAIL: "y"
214 CONFIG_LIST_HARDENED |kconfig| y | my | self_protection | FAIL: is not found
215 CONFIG_RANDOM_KMALLOC_CACHES |kconfig| y | my | self_protection | FAIL: is not found
216 CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK
217 CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK
218 CONFIG_SECURITY_LANDLOCK |kconfig| y | kspp | security_policy | OK
219 CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK
220 CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | kspp | security_policy | FAIL: "y"
221 CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | kspp | security_policy | FAIL: "y"
222 CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | kspp | security_policy | OK: is not found
223 CONFIG_SECURITY_SELINUX_DEBUG |kconfig| is not set | my | security_policy | OK: is not found
224 CONFIG_SECURITY_SELINUX |kconfig| y | my | security_policy | OK
225 CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK
226 CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK
227 CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| OK
228 CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK
229 CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y |defconfig |cut_attack_surface| OK
230 CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| OK
231 CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| OK
232 CONFIG_COMPAT_BRK |kconfig| is not set | kspp |cut_attack_surface| OK
233 CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
234 CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
235 CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
236 CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
237 CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
238 CONFIG_LEGACY_PTYS |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
239 CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
240 CONFIG_COMPAT |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
241 CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
242 CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
243 CONFIG_X86_X32_ABI |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
244 CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
245 CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
246 CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
247 CONFIG_LEGACY_TIOCSTI |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
248 CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
249 CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
250 CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
251 CONFIG_LDISC_AUTOLOAD |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
252 CONFIG_COMPAT_VDSO |kconfig| is not set | kspp |cut_attack_surface| OK
253 CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
254 CONFIG_ZSMALLOC_STAT |kconfig| is not set | grsec |cut_attack_surface| OK
255 CONFIG_PAGE_OWNER |kconfig| is not set | grsec |cut_attack_surface| OK
256 CONFIG_DEBUG_KMEMLEAK |kconfig| is not set | grsec |cut_attack_surface| OK
257 CONFIG_BINFMT_AOUT |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
258 CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
259 CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
260 CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
261 CONFIG_FUNCTION_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
262 CONFIG_STACK_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
263 CONFIG_HIST_TRIGGERS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
264 CONFIG_BLK_DEV_IO_TRACE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
265 CONFIG_PROC_VMCORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
266 CONFIG_PROC_PAGE_MONITOR |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
267 CONFIG_USELIB |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
268 CONFIG_CHECKPOINT_RESTORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
269 CONFIG_USERFAULTFD |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
270 CONFIG_HWPOISON_INJECT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
271 CONFIG_MEM_SOFT_DIRTY |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
272 CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
273 CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
274 CONFIG_NOTIFIER_ERROR_INJECTION |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
275 CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
276 CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
277 CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
278 CONFIG_EDAC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
279 CONFIG_DRM_I915_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
280 CONFIG_BCACHE_CLOSURES_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
281 CONFIG_DVB_C8SECTPFE |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
282 CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
283 CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
284 CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
285 CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
286 CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
287 CONFIG_LATENCYTOP |kconfig| is not set | grsec |cut_attack_surface| OK
288 CONFIG_KCOV |kconfig| is not set | grsec |cut_attack_surface| OK
289 CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| OK
290 CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
291 CONFIG_PTDUMP_DEBUGFS |kconfig| is not set | grsec |cut_attack_surface| OK
292 CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_attack_surface| OK
293 CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
294 CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
295 CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
296 CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK: is not found
297 CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT |kconfig| is not set |maintainer|cut_attack_surface| OK
298 CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
299 CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
300 CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
301 CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
302 CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
303 CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
304 CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m"
305 CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
306 CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
307 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
308 CONFIG_AIO |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
309 CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m"
310 CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK
311 CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
312 CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
313 CONFIG_MMIOTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
314 CONFIG_LIVEPATCH |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
315 CONFIG_IP_DCCP |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
316 CONFIG_IP_SCTP |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
317 CONFIG_FTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
318 CONFIG_VIDEO_VIVID |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
319 CONFIG_INPUT_EVBUG |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
320 CONFIG_KGDB |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
321 CONFIG_CORESIGHT |kconfig| is not set | my |cut_attack_surface| OK: is not found
322 CONFIG_XFS_SUPPORT_V4 |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
323 CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: "is not set"
324 CONFIG_MODULE_FORCE_LOAD |kconfig| is not set | my |cut_attack_surface| OK
325 CONFIG_COREDUMP |kconfig| is not set | clipos | harden_userspace | FAIL: "y"
326 CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | my | harden_userspace | FAIL: "28"
327 nosmep |cmdline| is not set |defconfig | self_protection | OK: is not found
328 nosmap |cmdline| is not set |defconfig | self_protection | OK: is not found
329 nokaslr |cmdline| is not set |defconfig | self_protection | OK: is not found
330 nopti |cmdline| is not set |defconfig | self_protection | OK: is not found
331 nospectre_v1 |cmdline| is not set |defconfig | self_protection | OK: is not found
332 nospectre_v2 |cmdline| is not set |defconfig | self_protection | OK: is not found
333 nospectre_bhb |cmdline| is not set |defconfig | self_protection | OK: is not found
334 nospec_store_bypass_disable |cmdline| is not set |defconfig | self_protection | OK: is not found
335 dis_ucode_ldr |cmdline| is not set |defconfig | self_protection | OK: is not found
336 arm64.nobti |cmdline| is not set |defconfig | self_protection | OK: is not found
337 arm64.nopauth |cmdline| is not set |defconfig | self_protection | OK: is not found
338 arm64.nomte |cmdline| is not set |defconfig | self_protection | OK: is not found
339 spectre_v2 |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
340 spectre_v2_user |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
341 spec_store_bypass_disable |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
342 l1tf |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
343 mds |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
344 tsx_async_abort |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
345 srbds |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
346 mmio_stale_data |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
347 retbleed |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
348 spec_rstack_overflow |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
349 gather_data_sampling |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
350 rodata |cmdline| on |defconfig | self_protection | OK: rodata is not found
351 mitigations |cmdline| auto,nosmt | kspp | self_protection | FAIL: is not found
352 slab_merge |cmdline| is not set | kspp | self_protection | OK: is not found
353 slub_merge |cmdline| is not set | kspp | self_protection | OK: is not found
354 page_alloc.shuffle |cmdline| 1 | kspp | self_protection | FAIL: is not found
355 slab_nomerge |cmdline| is present | kspp | self_protection | FAIL: is not present
356 init_on_alloc |cmdline| 1 | kspp | self_protection | OK: CONFIG_INIT_ON_ALLOC_DEFAULT_ON is "y"
357 init_on_free |cmdline| 1 | kspp | self_protection | FAIL: is not found
358 hardened_usercopy |cmdline| 1 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY is "y"
359 slab_common.usercopy_fallback |cmdline| is not set | kspp | self_protection | OK: is not found
360 iommu.strict |cmdline| 1 | kspp | self_protection | FAIL: is not found
361 iommu.passthrough |cmdline| 0 | kspp | self_protection | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set"
362 randomize_kstack_offset |cmdline| 1 | kspp | self_protection | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is "y"
363 pti |cmdline| on | kspp | self_protection | FAIL: is not found
364 iommu |cmdline| force | clipos | self_protection | FAIL: is not found
365 kfence.sample_interval |cmdline| is not off | my | self_protection | FAIL: is off, not found
366 tsx |cmdline| off |defconfig |cut_attack_surface| OK: CONFIG_X86_INTEL_TSX_MODE_OFF is "y"
367 nosmt |cmdline| is present | kspp |cut_attack_surface| FAIL: is not present
368 vsyscall |cmdline| none | kspp |cut_attack_surface| FAIL: is not found
369 vdso32 |cmdline| 0 | kspp |cut_attack_surface| OK: CONFIG_COMPAT_VDSO is "is not set"
370 debugfs |cmdline| off | grsec |cut_attack_surface| FAIL: is not found
371 sysrq_always_enabled |cmdline| is not set | my |cut_attack_surface| OK: is not found
372 ia32_emulation |cmdline| 0 | my |cut_attack_surface| FAIL: is not found
373 norandmaps |cmdline| is not set |defconfig | harden_userspace | OK: is not found
374 net.core.bpf_jit_harden |sysctl | 2 | kspp | self_protection | FAIL: "0"
375 kernel.dmesg_restrict |sysctl | 1 | kspp |cut_attack_surface| OK
376 kernel.perf_event_paranoid |sysctl | 3 | kspp |cut_attack_surface| FAIL: "4"
377 kernel.kexec_load_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0"
378 user.max_user_namespaces |sysctl | 0 | kspp |cut_attack_surface| FAIL: "31231"
379 dev.tty.ldisc_autoload |sysctl | 0 | kspp |cut_attack_surface| FAIL: "1"
380 kernel.unprivileged_bpf_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: "2"
381 kernel.kptr_restrict |sysctl | 2 | kspp |cut_attack_surface| FAIL: "1"
382 dev.tty.legacy_tiocsti |sysctl | 0 | kspp |cut_attack_surface| FAIL: is not found
383 vm.unprivileged_userfaultfd |sysctl | 0 | kspp |cut_attack_surface| OK
384 kernel.modules_disabled |sysctl | 1 | clipos |cut_attack_surface| FAIL: "0"
385 fs.protected_symlinks |sysctl | 1 | kspp | harden_userspace | OK
386 fs.protected_hardlinks |sysctl | 1 | kspp | harden_userspace | OK
387 fs.protected_fifos |sysctl | 2 | kspp | harden_userspace | FAIL: "1"
388 fs.protected_regular |sysctl | 2 | kspp | harden_userspace | OK
389 fs.suid_dumpable |sysctl | 0 | kspp | harden_userspace | FAIL: "2"
390 kernel.randomize_va_space |sysctl | 2 | kspp | harden_userspace | OK
391 kernel.yama.ptrace_scope |sysctl | 3 | kspp | harden_userspace | FAIL: "1"
393 [+] Config check is finished: 'OK' - 121 / 'FAIL' - 140
396 ## Generating a Kconfig fragment with the security hardening options
398 With the `-g` argument, the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.
400 This Kconfig fragment can be merged with the existing Linux kernel config:
402 $ ./bin/kernel-hardening-checker -g X86_64 > /tmp/fragment
404 $ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
405 Using .config as base
406 Merging /tmp/fragment
407 Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
408 Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
409 New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
413 ## Questions and answers
415 __Q:__ How all these kernel parameters influence the Linux kernel security?
417 __A:__ To answer this question, you can use the `kernel-hardening-checker` [sources of recommendations][24]
418 and the [Linux Kernel Defence Map][4] with its references.
422 __Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
424 __A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs,
425 but the tool recommends disabling it to cut the attack surface __of the kernel__.
429 - An LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
431 - A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541
433 - A good overview of the trade-off between having user namespaces enabled, disabled and available only for root: https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
437 __Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same?
439 __A:__ I personally don't support this recommendation because:
440 - It decreases system safety (kernel oops is still not a rare situation)
441 - It allows easier denial-of-service attacks for the whole system
443 I think having `CONFIG_BUG` is enough here.
444 If a kernel oops happens in the process context, the offending/attacking process is killed.
445 In other cases, the kernel panics, which is similar to `CONFIG_PANIC_ON_OOPS=y`.
449 __Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
450 Do I really need that feature?
452 __A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
453 ([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
454 requires the corresponding support in the userspace: see the [example implementation][11] by
455 Tycho Andersen [@tych0][12].
459 __Q:__ What about performance impact of these security hardening options?
461 __A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8].
462 A more detailed evaluation is in the TODO list (the issue [#66][21]).
466 __Q:__ Can I easily check which kernel versions support some Kconfig option?
468 __A:__ Yes. See the [LKDDb][18] project (Linux Kernel Driver Database) by Giacomo Catenazzi [@cateee][19].
469 You can use it for the `mainline` or `stable` tree from [kernel.org][20] or for your custom kernel sources.
473 __Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware?
475 __A:__ Checking the kernel config is not enough to answer this question.
476 I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14].
480 __Q:__ Why the `CONFIG_GCC_PLUGINS` option is automatically disabled during the kernel compilation?
482 __A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
483 try to install `gcc-7-plugin-dev` package, it should help.
486 [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
487 [2]: https://docs.clip-os.org/clipos/kernel.html#configuration
488 [3]: https://grsecurity.net/
489 [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
490 [5]: https://lwn.net/Articles/791863/
491 [6]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/38
492 [7]: https://github.com/BlackIkeEagle
493 [8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/
494 [9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
495 [10]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
496 [11]: https://github.com/tych0/huldufolk
497 [12]: https://github.com/tych0
498 [13]: https://github.com/speed47/spectre-meltdown-checker
499 [14]: https://github.com/speed47
500 [15]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/53
501 [16]: https://github.com/a13xp0p0v/kernel-hardening-checker/pull/54
502 [17]: https://github.com/a13xp0p0v/kernel-hardening-checker/pull/62
503 [18]: https://cateee.net/lkddb/web-lkddb/
504 [19]: https://github.com/cateee/lkddb
505 [20]: https://kernel.org/
506 [21]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/66
507 [22]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56
508 [23]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues?q=label%3Akernel_maintainer_feedback
509 [24]: https://github.com/a13xp0p0v/kernel-hardening-checker#motivation
projects / kconfig-hardened-check.git / blob