Skip to content

K
kernel-hardening-checker
Commit f58e98ef by Alexander Popov
Options

More decisions on kernel options

parent 60818a26
Showing with 14 additions and 1 deletions
README.md
......@@ -41,6 +41,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
CONFIG_DEBUG_WX | y | ubuntu18 | self_protection || OK
CONFIG_RANDOMIZE_BASE | y | ubuntu18 | self_protection || OK
CONFIG_RANDOMIZE_MEMORY | y | ubuntu18 | self_protection || OK
CONFIG_CC_STACKPROTECTOR | y | ubuntu18 | self_protection || OK
CONFIG_CC_STACKPROTECTOR_STRONG | y | ubuntu18 | self_protection || OK
CONFIG_VMAP_STACK | y | ubuntu18 | self_protection || OK
CONFIG_THREAD_INFO_IN_TASK | y | ubuntu18 | self_protection || OK
......@@ -77,6 +78,8 @@ Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || FAIL: "is not set"
CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set"
CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || FAIL: not found
CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || FAIL: not found
CONFIG_SECURITY | y | ubuntu18 | security_policy || OK
CONFIG_SECURITY_YAMA | y | ubuntu18 | security_policy || OK
CONFIG_SECURITY_SELINUX_DISABLE | is not set | ubuntu18 | security_policy || OK
......@@ -93,6 +96,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_KEXEC_FILE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y"
......@@ -104,9 +108,10 @@ Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
CONFIG_UPROBES | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_SYSCALL | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28"
CONFIG_LKDTM | m | my | feature_test || FAIL: "is not set"
[-] config check is NOT PASSED: 40 errors
[-] config check is NOT PASSED: 44 errors
```
__Go and fix them all!__
......
kconfig-hardened-check.py
......@@ -36,6 +36,7 @@ def construct_opt_list():
opt_list.append([Opt('DEBUG_WX', 'y', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('RANDOMIZE_BASE', 'y', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('RANDOMIZE_MEMORY', 'y', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('CC_STACKPROTECTOR', 'y', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('CC_STACKPROTECTOR_STRONG','y', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('VMAP_STACK', 'y', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('THREAD_INFO_IN_TASK', 'y', 'ubuntu18', 'self_protection'), ''])
......@@ -69,10 +70,13 @@ def construct_opt_list():
opt_list.append([Opt('DEBUG_NOTIFIERS', 'y', 'kspp', 'self_protection'), ''])
opt_list.append([Opt('MODULE_SIG_FORCE', 'y', 'kspp', 'self_protection'), ''])
opt_list.append([Opt('HARDENED_USERCOPY_FALLBACK', 'is not set', 'kspp', 'self_protection'), ''])
opt_list.append([Opt('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection'), ''])
opt_list.append([Opt('SLUB_DEBUG_ON', 'y', 'my', 'self_protection'), ''])
opt_list.append([Opt('SECURITY_DMESG_RESTRICT', 'y', 'my', 'self_protection'), ''])
opt_list.append([Opt('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection'), '']) # breaks systemd?
opt_list.append([Opt('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'), ''])
opt_list.append([Opt('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection'), ''])
opt_list.append([Opt('SECURITY', 'y', 'ubuntu18', 'security_policy'), ''])
opt_list.append([Opt('SECURITY_YAMA', 'y', 'ubuntu18', 'security_policy'), ''])
......@@ -92,6 +96,8 @@ def construct_opt_list():
opt_list.append([Opt('IA32_EMULATION', 'is not set', 'kspp', 'cut_attack_surface'), ''])
opt_list.append([Opt('X86_X32', 'is not set', 'kspp', 'cut_attack_surface'), ''])
opt_list.append([Opt('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface'), ''])
opt_list.append([Opt('HIBERNATION', 'is not set', 'kspp', 'cut_attack_surface'), ''])
opt_list.append([Opt('KEXEC_FILE', 'is not set', 'my', 'cut_attack_surface'), ''])
opt_list.append([Opt('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface'), ''])
opt_list.append([Opt('USER_NS', 'is not set', 'my', 'cut_attack_surface'), '']) # user.max_user_namespaces=0
......@@ -104,6 +110,8 @@ def construct_opt_list():
opt_list.append([Opt('BPF_JIT', 'is not set', 'my', 'cut_attack_surface'), ''])
opt_list.append([Opt('BPF_SYSCALL', 'is not set', 'my', 'cut_attack_surface'), ''])
opt_list.append([Opt('ARCH_MMAP_RND_BITS', '32', 'my', 'userspace_protection'), ''])
opt_list.append([Opt('LKDTM', 'm', 'my', 'feature_test'), ''])
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment