Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
kernel-hardening-checker
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
kernel-hardening-checker
Commits
fb49a542
Commit
fb49a542
authored
Oct 09, 2022
by
Alexander Popov
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Improve the README
parent
861e2ebe
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
11 additions
and
11 deletions
+11
-11
README.md
README.md
+11
-11
No files found.
README.md
View file @
fb49a542
...
@@ -15,15 +15,15 @@ But nobody likes checking configs manually. So let the computers do their job!
...
@@ -15,15 +15,15 @@ But nobody likes checking configs manually. So let the computers do their job!
__kconfig-hardened-check__
helps me to check the Linux kernel options
__kconfig-hardened-check__
helps me to check the Linux kernel options
against my security hardening preferences, which are based on the
against my security hardening preferences, which are based on the
-
[
KSPP recommended settings
][
1
]
,
-
[
KSPP recommended settings
][
1
]
-
[
CLIP OS kernel configuration
][
2
]
,
-
[
CLIP OS kernel configuration
][
2
]
-
Last public
[
grsecurity
][
3
]
patch (options which they disable)
,
-
Last public
[
grsecurity
][
3
]
patch (options which they disable)
-
[
SECURITY_LOCKDOWN_LSM
][
5
]
patchset
,
-
[
SECURITY_LOCKDOWN_LSM
][
5
]
patchset
-
[
Direct feedback from the Linux kernel maintainers
][
23
]
.
-
[
Direct feedback from the Linux kernel maintainers
][
23
]
This tool supports checking __Kconfig__ options and __kernel cmdline__ parameters.
This tool supports checking __Kconfig__ options and __kernel cmdline__ parameters.
I also created
[
__Linux Kernel Defence Map__
][
4
]
that
is a graphical representation of the
I also created
the
[
__Linux Kernel Defence Map__
][
4
]
, which
is a graphical representation of the
relationships between security hardening features and the corresponding vulnerability classes
relationships between security hardening features and the corresponding vulnerability classes
or exploitation techniques.
or exploitation techniques.
...
@@ -34,7 +34,7 @@ or exploitation techniques.
...
@@ -34,7 +34,7 @@ or exploitation techniques.
-
ARM64
-
ARM64
-
ARM
-
ARM
TODO: RISC-V (
the
issue
[
#56
][
22
]
)
TODO: RISC-V (issue
[
#56
][
22
]
)
## Installation
## Installation
...
@@ -318,7 +318,7 @@ but the tool recommends disabling it to cut the attack surface __of the kernel__
...
@@ -318,7 +318,7 @@ but the tool recommends disabling it to cut the attack surface __of the kernel__
The rationale:
The rationale:
-
A
nice
LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
-
A
n
LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
-
A twitter thread about
`CONFIG_USER_NS`
and security: https://twitter.com/robertswiecki/status/1095447678949953541
-
A twitter thread about
`CONFIG_USER_NS`
and security: https://twitter.com/robertswiecki/status/1095447678949953541
...
@@ -337,11 +337,11 @@ __Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this too
...
@@ -337,11 +337,11 @@ __Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this too
__A:__
I personally don't support this recommendation because:
__A:__
I personally don't support this recommendation because:
-
It decreases system safety (kernel oops is still not a rare situation)
-
It decreases system safety (kernel oops is still not a rare situation)
-
It allows easier denial-of-service attacks for the whole system
.
-
It allows easier denial-of-service attacks for the whole system
I think having
`CONFIG_BUG`
is enough here.
I think having
`CONFIG_BUG`
is enough here.
If a kernel oops happens in the process context, the offending/attacking process is killed.
If a kernel oops happens in the process context, the offending/attacking process is killed.
In other cases the kernel panics, which is similar to
`CONFIG_PANIC_ON_OOPS=y`
.
In other cases
,
the kernel panics, which is similar to
`CONFIG_PANIC_ON_OOPS=y`
.
<br
/>
<br
/>
...
@@ -354,7 +354,7 @@ A more detailed evaluation is in the TODO list (the issue [#66][21]).
...
@@ -354,7 +354,7 @@ A more detailed evaluation is in the TODO list (the issue [#66][21]).
__Q:__
Can I easily check which kernel versions support some Kconfig option?
__Q:__
Can I easily check which kernel versions support some Kconfig option?
__A:__
Yes
, s
ee the
[
LKDDb
][
18
]
project (Linux Kernel Driver Database) by Giacomo Catenazzi
[
@cateee
][
19
]
.
__A:__
Yes
. S
ee the
[
LKDDb
][
18
]
project (Linux Kernel Driver Database) by Giacomo Catenazzi
[
@cateee
][
19
]
.
You can use it for the
`mainline`
or
`stable`
tree from
[
kernel.org
][
20
]
or for your custom kernel sources.
You can use it for the
`mainline`
or
`stable`
tree from
[
kernel.org
][
20
]
or for your custom kernel sources.
<br
/>
<br
/>
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
