### Install Dependencies and Configure Kernel Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Installs necessary packages for kernel building and then configures the kernel based on loaded modules. Use this to generate a base kernel configuration. ```bash apt install -y linux-source fakeroot libelf-dev libssl-dev tar xaf /usr/src/linux-source-4.19.tar.xz cd linux-source-4.19/ yes "" | make localmodconfig scripts/config --disable MODULE_SIG ``` -------------------------------- ### Kernel Configuration Check Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This example shows a typical output format for kernel configuration checks, indicating whether a specific CONFIG option is set correctly or if it's missing. ```text CONFIG_CC_IS_CLANG |kconfig| y | - | - | FAIL: is not found ------------------------------------------------------------------------------------------------------------------------- <<< AND >>> | FAIL: CONFIG_CC_IS_CLANG is not "y" CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | None CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | None CONFIG_CC_IS_CLANG |kconfig| y | - | - | FAIL: is not found ------------------------------------------------------------------------------------------------------------------------- ``` -------------------------------- ### Kernel Configuration Check Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This example demonstrates how to check kernel configuration options like KASLR and DEFAULT_MMAP_MIN_ADDR. It highlights the need to assess applicability to specific architectures like RISC-V. ```text * [KASLR is supported](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f57805555834494e8cad729d01d86ba326d64959) (`CONFIG_RELOCATABLE`, `RANDOMIZE_BASE`), but not enabled by default. * `DEFAULT_MMAP_MIN_ADDR` is `4096` in defconfig, but could likely be bumped up to `32768` per [KConfig documentation](https://elixir.bootlin.com/linux/v6.12.6/source/mm/Kconfig#L754). Do you have a suggestion for the `decision` value to use for these? `kspp` or `a13xp0p0v` ? ``` -------------------------------- ### Example of sysctl command output Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This example shows the output of the `cat` command on a specific sysctl parameter before and after applying a sysctl configuration file. It illustrates the effect of the configuration. ```bash rsandhu@graphite ~ $ cat /proc/sys/net/ipv4/conf/wlan0/accept_source_route 1 ``` ```bash rsandhu@graphite ~ $ cat /proc/sys/net/ipv4/conf/wlan0/accept_source_route 0 ``` -------------------------------- ### Kernel Command Line Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Illustrates how kernel command line parameters like 'slub_debug' and 'vsyscall' can affect system behavior and potentially override kernel configuration checks. ```text slub_debug=FZP vsyscall=none ``` -------------------------------- ### Example Output for arm64_defconfig_6.6.config Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This output demonstrates the kernel hardening checker's analysis of an arm64 configuration file, highlighting a specific check for CONFIG_ARCH_MMAP_RND_BITS and its result. ```text [+] Kconfig file to check: kernel_hardening_checker/config_files/defconfigs/arm64_defconfig_6.6.config [+] Detected microarchitecture: ARM64 [+] Detected kernel version: 6.6 [+] Detected compiler: GCC 130001 ... CONFIG_ARCH_MMAP_RND_BITS |kconfig| 33 | my | harden_userspace | FAIL: "18" ``` -------------------------------- ### Kernel Hardening Checker 'show_ok' Output Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Demonstrates the output when the 'show_ok' mode is used, displaying a detailed report of kernel configuration options, their desired values, and whether they meet hardening standards. ```text $ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config -m show_ok [+] Special report mode: show_ok [+] Config file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config [+] Detected architecture: X86_64 [+] Detected kernel version: 5.4 ========================================================================================================================= option name | desired val | decision | reason | check result ========================================================================================================================= CONFIG_BUG | y |defconfig | self_protection | OK CONFIG_SLUB_DEBUG | y |defconfig | self_protection | OK CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection | OK CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection | OK CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection | OK CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK CONFIG_MICROCODE | y |defconfig | self_protection | OK CONFIG_RETPOLINE | y |defconfig | self_protection | OK CONFIG_X86_SMAP | y |defconfig | self_protection | OK CONFIG_SYN_COOKIES | y |defconfig | self_protection | OK CONFIG_X86_UMIP | y |defconfig | self_protection | OK: CONFIG_X86_INTEL_UMIP "y" CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection | OK CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection | OK CONFIG_INTEL_IOMMU | y |defconfig | self_protection | OK CONFIG_AMD_IOMMU | y |defconfig | self_protection | OK CONFIG_VMAP_STACK | y |defconfig | self_protection | OK CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection | OK CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection | OK CONFIG_DEBUG_WX | y | kspp | self_protection | OK CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection | OK CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection | OK CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | OK CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | OK CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK CONFIG_MODULE_SIG | y | kspp | self_protection | OK CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK: CONFIG_PAGE_POISONING "y" CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK ``` -------------------------------- ### JSON Output Format Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This example shows the expected format for JSON output when the --json option is used. The output is an array of arrays, where each inner array contains configuration details. ```text [['CONFIG_BUG', 'y', 'defconfig', 'self_protection', 'OK'], ['CONFIG_STRICT_KERNEL_RWX', 'y', 'defconfig', 'self_protection', 'OK'], ... ``` -------------------------------- ### RISC-V Architecture Detection Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This example demonstrates how architecture detection functions might work for RISC-V systems. It highlights the use of 'RISCV' for kconfig-based detection and 'riscv32'/'riscv64' for sysctl-based detection, suggesting a potential need for a uname-based fallback. ```text #!/bin/sh # https://wiki.debian.org/RISC-V # https://wiki.qemu.org/Documentation/Platforms/RISCV ``` -------------------------------- ### Kernel Hardening Checker Output Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This output shows the results of running the kernel-hardening-checker tool on a Broadcom configuration, highlighting detected issues and warnings. ```text [+] Kconfig file to check: bad_config [+] Detected microarchitecture: X86_64 [+] Detected kernel version: (3, 4, 11) [-] Can't detect the compiler: no CONFIG_GCC_VERSION or CONFIG_CLANG_VERSION [!] WARNING: found strange Kconfig option CONFIG_BCM_CHIP_NUMBER with empty value [!] WARNING: found strange Kconfig option CONFIG_BCM_SCHED_RT_PERIOD with empty value [!] WARNING: found strange Kconfig option CONFIG_BCM_SCHED_RT_RUNTIME with empty value [!] WARNING: found strange Kconfig option CONFIG_BCM_DEFAULT_CONSOLE_LOGLEVEL with empty value [!] WARNING: found strange Kconfig option CONFIG_BCM_RDP_IMPL with empty value [-] Can't check CONFIG_ARCH_MMAP_RND_BITS without CONFIG_ARCH_MMAP_RND_BITS_MAX ========================================================================================================================= option_name | type |desired_val | decision | reason | check_result ========================================================================================================================= CONFIG_BUG |kconfig| y |defconfig | self_protection | OK CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | FAIL: is not found ``` -------------------------------- ### Install kernel-hardening-checker using pip Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/README.md Install the package directly from the GitHub repository using pip. It is recommended to use a virtual environment to avoid conflicts with externally managed packages. ```bash python3 -m pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker ``` -------------------------------- ### Kernel Configuration for RANDSTRUCT Options Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This example shows the configuration status for RANDSTRUCT options in a kernel, indicating that CONFIG_RANDSTRUCT_FULL and CONFIG_GCC_PLUGIN_RANDSTRUCT are enabled. ```bash grep RANDSTRUCT ./.config # CONFIG_RANDSTRUCT_NONE is not set CONFIG_RANDSTRUCT_FULL=y # CONFIG_RANDSTRUCT_PERFORMANCE is not set CONFIG_RANDSTRUCT=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y ``` -------------------------------- ### Kernel Configuration Check Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Illustrates the output of a kernel hardening check for PAGE_POISONING related configurations. Shows how different settings (enabled/disabled) affect the FAIL/OK status. ```text CONFIG_PAGE_POISONING | y | kspp | self_protection || FAIL: "is not set" CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || OK: not found CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK: not found ``` ```text CONFIG_PAGE_POISONING | y | kspp | self_protection || OK CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || FAIL: "y" CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || FAIL: "y" ``` -------------------------------- ### Check sysctl.conf with Kernel Hardening Checker Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This example demonstrates how to use the kernel-hardening-checker script with a sysctl.conf file. Pay attention to the warnings regarding incomplete or incorrect results when using this method. ```bash $ ./bin/kernel-hardening-checker -s sysctl.conf [+] Sysctl output file to check: sysctl.conf [!] WARNING: ancient sysctl options are not found in sysctl.conf, please use the output of `sudo sysctl -a` [!] WARNING: sysctl options available for root are not found in sysctl.conf, please use the output of `sudo sysctl -a` ========================================================================================================================= option_name | type |desired_val | decision | reason | check_result ========================================================================================================================= net.core.bpf_jit_harden |sysctl | 2 | kspp | self_protection | FAIL: is not found kernel.oops_limit |sysctl | 100 |a13xp0p0v | self_protection | FAIL: is not found kernel.warn_limit |sysctl | 100 |a13xp0p0v | self_protection | FAIL: is not found kernel.dmesg_restrict |sysctl | 1 | kspp |cut_attack_surface| FAIL: is not found kernel.perf_event_paranoid |sysctl | 3 | kspp |cut_attack_surface| FAIL: is not found user.max_user_namespaces |sysctl | 0 | kspp |cut_attack_surface| FAIL: is not found dev.tty.ldisc_autoload |sysctl | 0 | kspp |cut_attack_surface| FAIL: is not found kernel.kptr_restrict |sysctl | 2 | kspp |cut_attack_surface| FAIL: is not found dev.tty.legacy_tiocsti |sysctl | 0 | kspp |cut_attack_surface| FAIL: is not found kernel.kexec_load_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: is not found kernel.unprivileged_bpf_disabled |sysctl | 1 | kspp |cut_attack_surface| OK vm.unprivileged_userfaultfd |sysctl | 0 | kspp |cut_attack_surface| FAIL: is not found kernel.modules_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: is not found kernel.io_uring_disabled |sysctl | 2 | grsec |cut_attack_surface| FAIL: is not found kernel.sysrq |sysctl | 0 |a13xp0p0v |cut_attack_surface| FAIL: is not found fs.protected_symlinks |sysctl | 1 | kspp | harden_userspace | FAIL: is not found fs.protected_hardlinks |sysctl | 1 | kspp | harden_userspace | FAIL: is not found fs.protected_fifos |sysctl | 2 | kspp | harden_userspace | FAIL: is not found fs.protected_regular |sysctl | 2 | kspp | harden_userspace | FAIL: is not found fs.suid_dumpable |sysctl | 0 | kspp | harden_userspace | FAIL: is not found kernel.randomize_va_space |sysctl | 2 | kspp | harden_userspace | FAIL: is not found kernel.yama.ptrace_scope |sysctl | 3 | kspp | harden_userspace | FAIL: is not found [+] Config check is finished: 'OK' - 1 / 'FAIL' - 21 ``` -------------------------------- ### Accessing Kernel Configuration via /proc/config.gz Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This snippet provides a command-line example for accessing the kernel configuration from `/proc/config.gz` and checking it with the `kconfig-hardened-check` tool. It demonstrates how to decompress the file and use it as input. ```shell # zcat /proc/config.gz > my.config # ./bin/kconfig-hardened-check -c my.config ``` -------------------------------- ### Example of Kconfig Options with Empty Values Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md These are examples of Kconfig options found in a specific vendor's configuration that have empty values assigned. This behavior deviates from standard Kconfig generation and requires the parser to be more flexible. ```bash CONFIG_BCM_CHIP_NUMBER= ``` ```bash CONFIG_BCM_SCHED_RT_PERIOD= ``` ```bash CONFIG_BCM_SCHED_RT_RUNTIME= ``` ```bash CONFIG_BCM_DEFAULT_CONSOLE_LOGLEVEL= ``` ```bash CONFIG_BCM_RDP_IMPL= ``` -------------------------------- ### Kernel Hardening Checker Output for v5.4.208 Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Example output from the kernel-hardening-checker tool for Linux kernel v5.4.208, showing an 'OK' for CONFIG_REFCOUNT_FULL as the version meets the requirement. ```text [+] Special report mode: verbose [+] Kconfig file to check: /home/a13x/develop_local/linux-stable/linux-stable/config208 [+] Detected microarchitecture: X86_64 [+] Detected kernel version: (5, 4, 208) ... ------------------------------------------------------------------------------------------------------------------------- <<< OR >>> | OK: version >= (5, 4, 208) CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | FAIL: is not found kernel version >= (5, 4, 208) | OK: version >= (5, 4, 208) ------------------------------------------------------------------------------------------------------------------------- ``` -------------------------------- ### Kernel Hardening Checker Usage Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This section provides links to external scripts and a disclaimer about applying settings. It suggests how users might interact with the checker and its outputs on Debian-based systems. ```text I had a look at the things it is reporting and this came out: What are your thoughts about it? DISCLAIMER, only apply settings you understand and have tested. First I check the outputs of all three categories: sysctl kernel settings, cmdline options, and kernel configuration: https://github.com/alexmyczko/autoexec.bat/blob/master/config.sys/debian-kernel-hardening-checker Then this helper script helps with the kernel .config: https://github.com/alexmyczko/autoexec.bat/blob/master/config.sys/install-1up-kernel How are others using this? ^ I have only tested this with Debian. It is likely to work with Ubuntu too. No idea about non-deb based systems... ``` -------------------------------- ### Kernel Hardening Checker Output for v5.4.207 Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Example output from the kernel-hardening-checker tool for Linux kernel v5.4.207, showing a 'FAIL' for CONFIG_REFCOUNT_FULL due to version mismatch. ```text [+] Special report mode: verbose [+] Kconfig file to check: /home/a13x/develop_local/linux-stable/linux-stable/config207 [+] Detected microarchitecture: X86_64 [+] Detected kernel version: (5, 4, 207) ... ------------------------------------------------------------------------------------------------------------------------- <<< OR >>> | FAIL: "is not set" CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | FAIL: "is not set" kernel version >= (5, 4, 208) | FAIL: version < (5, 4, 208) ------------------------------------------------------------------------------------------------------------------------- ``` -------------------------------- ### kernel-hardening-checker CLI Usage Examples Source: https://context7.com/a13xp0p0v/kernel-hardening-checker/llms.txt Demonstrates various command-line options for checking kernel configurations, including autodetecting settings, checking specific file types, and controlling output formats. Use these flags to tailor the audit to your specific needs. ```bash # Show version kernel-hardening-checker --version # kernel-hardening-checker 0.6.17.1 ``` ```bash # ── Autodetect and check the running kernel (reads /proc/config.gz or # /boot/config-, /proc/cmdline, and runs sysctl -a automatically) ── kernel-hardening-checker -a ``` ```bash # ── Check a Kconfig file only ── kernel-hardening-checker -c /boot/config-$(uname -r) ``` ```bash # ── Check Kconfig + cmdline + sysctl together ── kernel-hardening-checker \ -c /boot/config-6.6.30 \ -l /proc/cmdline \ -s /tmp/sysctl_dump.txt ``` ```bash # ── Supply version separately when the Kconfig file lacks the version header ── kernel-hardening-checker -c /path/to/custom.config -v /proc/version ``` ```bash # ── Check sysctl output only (no Kconfig required) ── sudo sysctl -a > /tmp/sysctl.txt kernel-hardening-checker -s /tmp/sysctl.txt ``` ```bash # ── Print all hardening recommendations for an architecture (no input files) ── kernel-hardening-checker -p X86_64 kernel-hardening-checker -p ARM64 ``` ```bash # ── Generate a Kconfig fragment ready for merge_config.sh ── kernel-hardening-checker -g X86_64 > /tmp/hardening_fragment.config cd ~/linux-src/ ./scripts/kconfig/merge_config.sh .config /tmp/hardening_fragment.config ``` ```bash # ── Output mode examples ── kernel-hardening-checker -a -m verbose # show AND/OR internals + unknown options kernel-hardening-checker -a -m json # machine-readable JSON array kernel-hardening-checker -a -m show_fail # only failing checks kernel-hardening-checker -a -m show_ok # only passing checks ``` ```bash # ── JSON output: pipe to jq to extract only failing kconfig options ── kernel-hardening-checker -c /boot/config-$(uname -r) -m json | \ jq '[.[] | select(.check_result_bool == false and .type == "kconfig")]' # [ # { "option_name": "CONFIG_BUG_ON_DATA_CORRUPTION", "type": "kconfig", # "reason": "self_protection", "decision": "kspp", # "desired_val": "y", "check_result": "FAIL: \"is not set\"", # "check_result_bool": false }, # ... # ] ``` -------------------------------- ### Run Kernel Hardening Checker Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Example of running the kernel hardening checker with a sysctl output file. Shows the output table indicating OK, FAIL, or other results for various security options. ```bash $ ./kernel-hardening-checker -s /tmp/file1 [+] Sysctl output file to check: /tmp/file1 ========================================================================================================================= option_name | type |desired_val | decision | reason | check_result ========================================================================================================================= vm.unprivileged_userfaultfd |sysctl | 0 | kspp |cut_attack_surface| OK kernel.modules_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0" kernel.io_uring_disabled |sysctl | 2 | grsec |cut_attack_surface| FAIL: "0" ``` -------------------------------- ### Project Configuration with pyproject.toml Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md A pyproject.toml file example for configuring a Python project, including build system requirements, package finding, dynamic versioning, project metadata, and entry points. This configuration is suggested for managing project settings and dependencies. ```toml [build-system] requires = ["setuptools == 80.9.0"] build-backend = "setuptools.build_meta" [tool.setuptools.packages.find] where = [". ``` ```toml " [tool.setuptools.dynamic] version = {attr = "kernel_hardening_checker.__version__"} [project] name = "kernel-hardening-checker" dynamic = ["version"] description = "A tool for checking the security hardening options of the Linux kernel" readme = "README.md" license = { file = "LICENSE.txt" } authors = [ {name = "Alexander Popov", email = "alex.popov@linux.com"}, ] maintainers = [ {name = "Alexander Popov", email = "alex.popov@linux.com"}, ] classifiers = [ "Development Status :: 5 - Production/Stable", "License :: OSI Approved :: GNU General Public License v3 (GPLv3)", "Topic :: Security", "Operating System :: POSIX :: Linux", "Environment :: Console", "Programming Language :: Python :: 3", ] [project.scripts] kernel-hardening-checker = "kernel_hardening_checker:main" [project.urls] Homepage = "https://github.com/a13xp0p0v/kernel-hardening-checker" Source = "https://github.com/a13xp0p0v/kernel-hardening-checker" Download = "https://github.com/a13xp0p0v/kernel-hardening-checker#files" "Bug Tracker" = "https://github.com/a13xp0p0v/kernel-hardening-checker/issues" ``` -------------------------------- ### Set up Python Virtual Environment and Build Project Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Commands to create a Python virtual environment, activate it, upgrade setuptools, and build the project. This sequence is used to reproduce warnings about the deprecation of the easy_install module. ```bash python -m venv .env . .env/bin/activate pip3 install --upgrade setuptools python3 setup.py build ``` -------------------------------- ### CONFIG_INIT_STACK_ALL_ZERO vs CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Illustrates the check for CONFIG_INIT_STACK_ALL_ZERO as an alternative to CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL, showing a successful configuration. ```text ------------------------------------------------------------------------------------------------------------------------- <<< OR >>> | OK CONFIG_INIT_STACK_ALL_ZERO |kconfig| y |defconfig | self_protection | OK CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL |kconfig| y | kspp | self_protection | None ------------------------------------------------------------------------------------------------------------------------- ``` -------------------------------- ### System Initialization Configuration (inittab) Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This is a standard /etc/inittab file used for system initialization. It defines runlevels, system startup scripts, and getty services for virtual terminals. ```shell # /etc/inittab: init(8) configuration. # $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $ # The default runlevel. id:3:initdefault: # Boot-time system configuration/initialization script. # This is run first except when booting in emergency (-b) mode. si::sysinit:/etc/init.d/rcS # What to do in single-user mode. ~~:S:wait:/sbin/sulogin # /etc/init.d executes the S and K scripts upon change # of runlevel. # # Runlevel 0 is halt. # Runlevel 1 is single-user. # Runlevels 2-5 are multi-user. # Runlevel 6 is reboot. l0:0:wait:/etc/init.d/rc 0 l1:1:wait:/etc/init.d/rc 1 l2:2:wait:/etc/init.d/rc 2 l3:3:wait:/etc/init.d/rc 3 l4:4:wait:/etc/init.d/rc 4 l5:5:wait:/etc/init.d/rc 5 l6:6:wait:/etc/init.d/rc 6 # Normally not reached, but fallthrough in case of emergency. z6:6:respawn:/sbin/sulogin mxc1:12345:respawn:/usr/sbin/ttyrun ttymxc1 /sbin/getty 115200 ttymxc1 vt102 # /sbin/getty invocations for the runlevels. # # The "id" field MUST be the same as the last # characters of the device (after "tty"). # # Format: # ::: # 1:12345:respawn:/sbin/getty 38400 tty1 ``` -------------------------------- ### Print Hardening Recommendations Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/README.md Use the -p or --print option followed by an architecture (e.g., X86_64, ARM64) to display security hardening recommendations for that specific architecture. ```bash $ ./bin/kernel-hardening-checker -p X86_64 ``` -------------------------------- ### Run kernel-hardening-checker from cloned repository Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/README.md Execute the tool directly from the cloned repository without performing a formal installation. This is useful for testing or development purposes. ```bash ./bin/kernel-hardening-checker ``` -------------------------------- ### Build Full Recommendation Checklist Source: https://context7.com/a13xp0p0v/kernel-hardening-checker/llms.txt Populates a list with security recommendations by calling add_kconfig_checks, add_cmdline_checks, and add_sysctl_checks. Ensure the architecture is correctly specified. ```python from kernel_hardening_checker.checks import ( add_kconfig_checks, add_cmdline_checks, add_sysctl_checks, ) arch = 'X86_64' checklist = [] add_kconfig_checks(checklist, arch) kconfig_count = len(checklist) add_cmdline_checks(checklist, arch) cmdline_count = len(checklist) - kconfig_count add_sysctl_checks(checklist, arch) sysctl_count = len(checklist) - kconfig_count - cmdline_count print(f"Kconfig checks : {kconfig_count}") print(f"Cmdline checks : {cmdline_count}") print(f"Sysctl checks : {sysctl_count}") print(f"Total : {len(checklist)}") # Kconfig checks : 148 # Cmdline checks : 61 # Sysctl checks : 33 # Total : 242 ``` -------------------------------- ### Kernel Configuration Check Failures Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Example of kernel configuration options that may result in FAIL status. These can be CPU-specific or influenced by kernel command line parameters. ```text CONFIG_AMD_IOMMU | y |defconfig | self_protection | FAIL: "is not set" CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: not found ``` ```text CONFIG_SLUB_DEBUG_ON | y | my | self_protection | FAIL: "is not set" CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface | FAIL: "y" ``` -------------------------------- ### Kernel Hardening Checker with Kconfig Check Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Demonstrates running the kernel hardening checker with the 'kconfig' option enabled, showing detailed results for sysctl and kconfig checks, including IO_URING compatibility. ```bash $ ./bin/kernel-hardening-checker -c kconfig -s /tmp/s -m verbose ... ------------------------------------------------------------------------------------------------------------------------- <<< OR >>> | FAIL: "0" kernel.io_uring_disabled |sysctl | 2 | grsec |cut_attack_surface| FAIL: "0" <<< AND >>> | FAIL: "y" CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_LOCALVERSION |kconfig| is present | - | - | OK: is present ------------------------------------------------------------------------------------------------------------------------- ``` -------------------------------- ### Kernel Hardening Check Output Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This output shows a 'FAIL: not found' result for CONFIG_X86_SMAP, indicating it's no longer present in the 5.19.X kernel and is now enforced. ```text [+] Special report mode: show_fail [+] Kconfig file to check: /opt/KERNEL/linux-5.19.5/.config [+] Detected architecture: X86_64 [+] Detected kernel version: 5.19 ========================================================================================================================= option name | type |desired val | decision | reason | check result ========================================================================================================================= CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | FAIL: not found ``` -------------------------------- ### Check Default Kernel Config Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Demonstrates how to check the default configuration for CONFIG_VT and CONFIG_FB after running 'make defconfig'. This is useful for understanding the baseline settings. ```bash rm .config make defconfig egrep "CONFIG_VT=|CONFIG_FB=" .config ``` -------------------------------- ### JSON Output Mode Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/README.md Use the -m json option to get the results in JSON format, which is useful for integrating the tool's output with other software or scripts. ```bash $ ./bin/kernel-hardening-checker -m json ``` -------------------------------- ### Kernel Makefile Version Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This snippet shows the typical structure for defining kernel version numbers in the main kernel Makefile. It includes VERSION, PATCHLEVEL, and SUBLEVEL. ```makefile VERSION = 5 PATCHLEVEL = 6 SUBLEVEL = 0 ``` -------------------------------- ### Kernel Hardening Checker Output with Clang Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Example output from the kernel-hardening-checker when run with a kernel configuration built using Clang. This shows the initial detection of the environment and configuration. ```bash [+] Special report mode: verbose [+] Kconfig file to check: my/arm64_full_hardened_6.6_clang.config [+] Detected microarchitecture: ARM64 [+] Detected kernel version: (6, 6, 7) [+] Detected compiler: CLANG 150006 ``` -------------------------------- ### Kernel Hardening Checker Assertion Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Illustrates an assertion used to ensure that the `--autodetect` mode is not used in conjunction with other specific arguments, enforcing its standalone nature. ```python assert(args.config is None and args.cmdline is None and args.sysctl is None and args.print is None and args.generate is None), \ 'unexpected args' ``` -------------------------------- ### Python Assertion Error Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This is a traceback demonstrating an AssertionError due to an empty architecture string during sysctl checks. It highlights a potential issue with the assertion in the add_sysctl_checks function. ```python Traceback (most recent call last): File "/home/vyashnikov/tools/kernel-hardening-checker/bin/kernel-hardening-checker", line 22, in kernel_hardening_checker.main() File "/home/vyashnikov/tools/kernel-hardening-checker/kernel_hardening_checker/__init__.py", line 397, in main add_sysctl_checks(config_checklist, arch) File "/home/vyashnikov/tools/kernel-hardening-checker/kernel_hardening_checker/checks.py", line 730, in add_sysctl_checks assert(arch), 'empty arch' AssertionError: empty arch ``` -------------------------------- ### Python Type Annotation Example Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Demonstrates the use of Python's type hinting for a list that can contain elements of any type. This is useful for static analysis with tools like mypy. ```python List[Any] ``` -------------------------------- ### Kernel Configuration for IMA Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md This configuration enables the Integrity Measurement Architecture (IMA) and related security features. Ensure proper setup for IMA and EVM to enhance system integrity. ```kconfig CONFIG_IMA=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_LSM_RULES=y CONFIG_IMA_NG_TEMPLATE=y # CONFIG_IMA_SIG_TEMPLATE is not set CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set CONFIG_IMA_DEFAULT_HASH_SHA512=y CONFIG_IMA_DEFAULT_HASH="sha512" CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA_READ_POLICY=y CONFIG_IMA_APPRAISE=y CONFIG_IMA_ARCH_POLICY=y CONFIG_IMA_APPRAISE_BUILD_POLICY=y CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS=y CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y CONFIG_IMA_APPRAISE_BOOTPARAM=y CONFIG_IMA_APPRAISE_MODSIG=y CONFIG_IMA_TRUSTED_KEYRING=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_BLACKLIST_KEYRING=y CONFIG_IMA_LOAD_X509=y CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" CONFIG_IMA_APPRAISE_SIGNED_INIT is not set (This option breaks memory, do not select) CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y CONFIG_IMA_DISABLE_HTABLE=y CONFIG_EVM=y CONFIG_EVM_ATTR_FSUUID=y CONFIG_EVM_EXTRA_SMACK_XATTRS=y CONFIG_EVM_ADD_XATTRS=y CONFIG_EVM_LOAD_X509=y CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der" ``` -------------------------------- ### Configuring Nixpkgs to Allow Unsupported Systems Source: https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/issues.md Add this to your configuration.nix to permanently allow packages unsupported for your system. ```nix { nixpkgs.config.allowUnsupportedSystem = true; } ```