Skip to content

K
kernel-hardening-checker
Commit ef29eb0e by Alexander Popov
Options

Describe the cmdline checking support in README

parent 22bb83e2
Showing with 8 additions and 3 deletions
README.md
...@@ -5,13 +5,13 @@ ...@@ -5,13 +5,13 @@
## Motivation ## Motivation
There are plenty of security hardening options in the Linux kernel. A lot of them are There are plenty of security hardening options for the Linux kernel. A lot of them are
not enabled by the major distros. We have to enable these options ourselves to not enabled by the major distros. We have to enable these options ourselves to
make our systems more secure. make our systems more secure.
But nobody likes checking configs manually. So let the computers do their job! But nobody likes checking configs manually. So let the computers do their job!
__kconfig-hardened-check.py__ helps me to check the Linux kernel Kconfig option list __kconfig-hardened-check.py__ helps me to check the Linux kernel options
against my security hardening preferences, which are based on the against my security hardening preferences, which are based on the
- [KSPP recommended settings][1], - [KSPP recommended settings][1],
...@@ -20,6 +20,8 @@ against my security hardening preferences, which are based on the ...@@ -20,6 +20,8 @@ against my security hardening preferences, which are based on the
- [SECURITY_LOCKDOWN_LSM][5] patchset, - [SECURITY_LOCKDOWN_LSM][5] patchset,
- Direct feedback from Linux kernel maintainers (see [#38][6], [#53][15], [#54][16], [#62][17]). - Direct feedback from Linux kernel maintainers (see [#38][6], [#53][15], [#54][16], [#62][17]).
This tool supports checking __Kconfig__ options and __kernel cmdline__ parameters.
I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the
relationships between security hardening features and the corresponding vulnerability classes relationships between security hardening features and the corresponding vulnerability classes
or exploitation techniques. or exploitation techniques.
...@@ -49,6 +51,7 @@ Some Linux distributions also provide `kconfig-hardened-check` as a package. ...@@ -49,6 +51,7 @@ Some Linux distributions also provide `kconfig-hardened-check` as a package.
``` ```
usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]
[-c CONFIG] [-c CONFIG]
[-l CMDLINE]
[-m {verbose,json,show_ok,show_fail}] [-m {verbose,json,show_ok,show_fail}]
A tool for checking the security hardening options of the Linux kernel A tool for checking the security hardening options of the Linux kernel
...@@ -59,7 +62,9 @@ optional arguments: ...@@ -59,7 +62,9 @@ optional arguments:
-p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM} -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
print security hardening preferences for the selected architecture print security hardening preferences for the selected architecture
-c CONFIG, --config CONFIG -c CONFIG, --config CONFIG
check the kernel config file against these preferences check the kernel kconfig file against these preferences
-l CMDLINE, --cmdline CMDLINE
check the kernel cmdline file against these preferences
-m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail} -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
choose the report mode choose the report mode
``` ```
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment