Commit 2766d5db by Alexander Popov

Update the README

parent 34c1063e
......@@ -51,20 +51,24 @@ optional arguments:
[+] Detected architecture: X86_64
[+] Checking "config_files/distros/ubuntu-bionic-generic.config" against hardening preferences...
option name | desired val | decision | reason || check result
====================================================================================================================
=========================================================================================================================
CONFIG_BUG | y |defconfig | self_protection || OK
CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection || OK
CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection ||OK: CONFIG_CC_STACKPROTECTOR_STRONG "y"
CONFIG_SLUB_DEBUG | y |defconfig | self_protection || OK
CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection || OK
CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection || OK
CONFIG_MICROCODE | y |defconfig | self_protection || OK
CONFIG_RETPOLINE | y |defconfig | self_protection || OK
CONFIG_X86_SMAP | y |defconfig | self_protection || OK
CONFIG_X86_INTEL_UMIP | y |defconfig | self_protection || OK
CONFIG_X86_UMIP | y |defconfig | self_protection ||OK: CONFIG_X86_INTEL_UMIP "y"
CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection || OK
CONFIG_SYN_COOKIES | y |defconfig | self_protection || OK
CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection || OK
CONFIG_INTEL_IOMMU | y |defconfig | self_protection || OK
CONFIG_AMD_IOMMU | y |defconfig | self_protection || OK
CONFIG_VMAP_STACK | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection || OK
CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection || OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_WX | y | kspp | self_protection || OK
......@@ -89,31 +93,31 @@ CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protect
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection || OK
CONFIG_REFCOUNT_FULL | y | kspp | self_protection || FAIL: "is not set"
CONFIG_LOCK_DOWN_KERNEL | y | clipos | self_protection || OK
CONFIG_INIT_STACK_ALL | y | clipos | self_protection || FAIL: not found
CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | clipos | self_protection || FAIL: not found
CONFIG_INIT_ON_FREE_DEFAULT_ON | y | clipos | self_protection || FAIL: not found
CONFIG_SECURITY_DMESG_RESTRICT | y | clipos | self_protection || FAIL: "is not set"
CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection || FAIL: "is not set"
CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection || FAIL: "is not set"
CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection || FAIL: "y"
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE| is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed
CONFIG_GCC_PLUGIN_STACKLEAK | y | clipos | self_protection || FAIL: not found
CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection || OK: not found
CONFIG_MICROCODE | y | clipos | self_protection || OK
CONFIG_IOMMU_SUPPORT | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection || OK
CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection || FAIL: "is not set"
CONFIG_INIT_STACK_ALL | y | my | self_protection || FAIL: not found
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK
CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed
CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed
CONFIG_AMD_IOMMU | y | my | self_protection || OK
CONFIG_AMD_IOMMU_V2 | y | my | self_protection || FAIL: "m"
CONFIG_SECURITY | y |defconfig | security_policy || OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK
CONFIG_SECURITY_LOADPIN | y | my | security_policy || FAIL: "is not set"
CONFIG_SECURITY_LOCKDOWN_LSM | y | my | security_policy || FAIL: not found
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | my | security_policy || FAIL: not found
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | my | security_policy || FAIL: not found
CONFIG_SECCOMP | y |defconfig | cut_attack_surface || OK
CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface || OK
CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface || OK
......@@ -158,7 +162,6 @@ CONFIG_PROFILING | is not set | lockdown | cut_attack_su
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface || OK
CONFIG_KSM | is not set | clipos | cut_attack_surface || FAIL: "y"
CONFIG_IKCONFIG | is not set | clipos | cut_attack_surface || OK
CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface || FAIL: "y"
CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface || FAIL: "y"
CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface || FAIL: "y"
......@@ -173,7 +176,7 @@ CONFIG_FTRACE | is not set | my | cut_attack_su
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_protection|| FAIL: "28"
[+] config check is finished: 'OK' - 50 / 'FAIL' - 70
[+] config check is finished: 'OK' - 48 / 'FAIL' - 75
```
## kconfig-hardened-check versioning