Skip to content

K
kernel-hardening-checker
Commit 01cd4043 by Alexander Popov
Options

Add 'show_ok' and 'show_fail' print modes 

Refers the issue #45
parent c1fc80ca
Showing with 25 additions and 7 deletions
.github/workflows/main.yml
...@@ -76,6 +76,8 @@ jobs: ...@@ -76,6 +76,8 @@ jobs:
coverage run -a --branch bin/kconfig-hardened-check -c $C coverage run -a --branch bin/kconfig-hardened-check -c $C
coverage run -a --branch bin/kconfig-hardened-check -c $C -m verbose coverage run -a --branch bin/kconfig-hardened-check -c $C -m verbose
coverage run -a --branch bin/kconfig-hardened-check -c $C -m json coverage run -a --branch bin/kconfig-hardened-check -c $C -m json
coverage run -a --branch bin/kconfig-hardened-check -c $C -m show_ok
coverage run -a --branch bin/kconfig-hardened-check -c $C -m show_fail
done done
coverage xml -i -o coverage.xml coverage xml -i -o coverage.xml
......
README.md
...@@ -44,7 +44,8 @@ or simply run `./bin/kconfig-hardened-check` from the cloned repository. ...@@ -44,7 +44,8 @@ or simply run `./bin/kconfig-hardened-check` from the cloned repository.
## Usage ## Usage
``` ```
usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]
[-c CONFIG] [-m {verbose,json}] [-c CONFIG]
[-m {verbose,json,show_ok,show_fail}]
Checks the hardening options in the Linux kernel config Checks the hardening options in the Linux kernel config
...@@ -54,8 +55,8 @@ optional arguments: ...@@ -54,8 +55,8 @@ optional arguments:
-p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM} -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
print hardening preferences for selected architecture print hardening preferences for selected architecture
-c CONFIG, --config CONFIG -c CONFIG, --config CONFIG
check the config_file against these preferences check the kernel config file against these preferences
-m {verbose,json}, --mode {verbose,json} -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
choose the report mode choose the report mode
``` ```
......
kconfig_hardened_check/__init__.py
...@@ -539,6 +539,13 @@ def print_checklist(mode, checklist, with_results): ...@@ -539,6 +539,13 @@ def print_checklist(mode, checklist, with_results):
# table contents # table contents
for opt in checklist: for opt in checklist:
if with_results:
if mode == 'show_ok':
if not opt.result.startswith('OK'):
continue
if mode == 'show_fail':
if not opt.result.startswith('FAIL'):
continue
opt.table_print(mode, with_results) opt.table_print(mode, with_results)
print() print()
if mode == 'verbose': if mode == 'verbose':
...@@ -547,10 +554,16 @@ def print_checklist(mode, checklist, with_results): ...@@ -547,10 +554,16 @@ def print_checklist(mode, checklist, with_results):
# final score # final score
if with_results: if with_results:
error_count = len(list(filter(lambda opt: opt.result.startswith('FAIL'), checklist))) fail_count = len(list(filter(lambda opt: opt.result.startswith('FAIL'), checklist)))
fail_suppressed = ''
ok_count = len(list(filter(lambda opt: opt.result.startswith('OK'), checklist))) ok_count = len(list(filter(lambda opt: opt.result.startswith('OK'), checklist)))
ok_suppressed = ''
if mode == 'show_ok':
fail_suppressed = ' (suppressed in output)'
if mode == 'show_fail':
ok_suppressed = ' (suppressed in output)'
if mode != 'json': if mode != 'json':
print('[+] Config check is finished: \'OK\' - {} / \'FAIL\' - {}'.format(ok_count, error_count)) print('[+] Config check is finished: \'OK\' - {}{} / \'FAIL\' - {}{}'.format(ok_count, ok_suppressed, fail_count, fail_suppressed))
def perform_checks(checklist, parsed_options, kernel_version): def perform_checks(checklist, parsed_options, kernel_version):
...@@ -602,7 +615,7 @@ def main(): ...@@ -602,7 +615,7 @@ def main():
# - reporting about unknown kernel options in the config # - reporting about unknown kernel options in the config
# - verbose printing of ComplexOptCheck items # - verbose printing of ComplexOptCheck items
# * json mode for printing the results in JSON format # * json mode for printing the results in JSON format
report_modes = ['verbose', 'json'] report_modes = ['verbose', 'json', 'show_ok', 'show_fail']
supported_archs = ['X86_64', 'X86_32', 'ARM64', 'ARM'] supported_archs = ['X86_64', 'X86_32', 'ARM64', 'ARM']
parser = ArgumentParser(prog='kconfig-hardened-check', parser = ArgumentParser(prog='kconfig-hardened-check',
description='Checks the hardening options in the Linux kernel config') description='Checks the hardening options in the Linux kernel config')
...@@ -610,7 +623,7 @@ def main(): ...@@ -610,7 +623,7 @@ def main():
parser.add_argument('-p', '--print', choices=supported_archs, parser.add_argument('-p', '--print', choices=supported_archs,
help='print hardening preferences for selected architecture') help='print hardening preferences for selected architecture')
parser.add_argument('-c', '--config', parser.add_argument('-c', '--config',
help='check the config_file against these preferences') help='check the kernel config file against these preferences')
parser.add_argument('-m', '--mode', choices=report_modes, parser.add_argument('-m', '--mode', choices=report_modes,
help='choose the report mode') help='choose the report mode')
args = parser.parse_args() args = parser.parse_args()
...@@ -651,6 +664,8 @@ def main(): ...@@ -651,6 +664,8 @@ def main():
sys.exit(0) sys.exit(0)
if args.print: if args.print:
if mode in ('show_ok', 'show_fail'):
sys.exit('[!] ERROR: please use "{}" mode for checking the kernel config'.format(mode))
arch = args.print arch = args.print
construct_checklist(config_checklist, arch) construct_checklist(config_checklist, arch)
if mode != 'json': if mode != 'json':
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment