### Kernel Hardening Checker Output Example

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This example demonstrates the output format of the kernel-hardening-checker when run in the 'show_ok' mode. It displays the configuration file being checked, the detected architecture and kernel version, and a detailed table of hardening options with their desired values, decisions, reasons, and check results.

```bash
$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config -m show_ok
[+] Special report mode: show_ok
[+] Config file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config
[+] Detected architecture: X86_64
[+] Detected kernel version: 5.4
=========================================================================================================================
          option name           | desired val | decision |     reason      | check result
=========================================================================================================================
CONFIG_BUG                      |      y      |defconfig | self_protection | OK
CONFIG_SLUB_DEBUG               |      y      |defconfig | self_protection | OK
CONFIG_STACKPROTECTOR_STRONG    |      y      |defconfig | self_protection | OK
CONFIG_STRICT_KERNEL_RWX        |      y      |defconfig | self_protection | OK
CONFIG_STRICT_MODULE_RWX        |      y      |defconfig | self_protection | OK
CONFIG_IOMMU_SUPPORT            |      y      |defconfig | self_protection | OK
CONFIG_MICROCODE                |      y      |defconfig | self_protection | OK
CONFIG_RETPOLINE                |      y      |defconfig | self_protection | OK
CONFIG_X86_SMAP                 |      y      |defconfig | self_protection | OK
CONFIG_SYN_COOKIES              |      y      |defconfig | self_protection | OK
CONFIG_X86_UMIP                 |      y      |defconfig | self_protection | OK: CONFIG_X86_INTEL_UMIP "y"
CONFIG_PAGE_TABLE_ISOLATION     |      y      |defconfig | self_protection | OK
CONFIG_RANDOMIZE_MEMORY         |      y      |defconfig | self_protection | OK
CONFIG_INTEL_IOMMU              |      y      |defconfig | self_protection | OK
CONFIG_AMD_IOMMU                |      y      |defconfig | self_protection | OK
CONFIG_VMAP_STACK               |      y      |defconfig | self_protection | OK
CONFIG_RANDOMIZE_BASE           |      y      |defconfig | self_protection | OK
CONFIG_THREAD_INFO_IN_TASK      |      y      |defconfig | self_protection | OK
CONFIG_DEBUG_WX                 |      y      |   kspp   | self_protection | OK
CONFIG_SCHED_STACK_END_CHECK    |      y      |   kspp   | self_protection | OK
CONFIG_SLAB_FREELIST_HARDENED   |      y      |   kspp   | self_protection | OK
CONFIG_SLAB_FREELIST_RANDOM     |      y      |   kspp   | self_protection | OK
CONFIG_SHUFFLE_PAGE_ALLOCATOR   |      y      |   kspp   | self_protection | OK
CONFIG_FORTIFY_SOURCE           |      y      |   kspp   | self_protection | OK
CONFIG_INIT_ON_ALLOC_DEFAULT_ON |      y      |   kspp   | self_protection | OK
CONFIG_HARDENED_USERCOPY        |      y      |   kspp   | self_protection | OK
CONFIG_MODULE_SIG               |      y      |   kspp   | self_protection | OK
CONFIG_MODULE_SIG_ALL           |      y      |   kspp   | self_protection | OK
CONFIG_MODULE_SIG_SHA512        |      y      |   kspp   | self_protection | OK
CONFIG_INIT_ON_FREE_DEFAULT_ON  |      y      |   kspp   | self_protection | OK: CONFIG_PAGE_POISONING "y"
CONFIG_DEFAULT_MMAP_MIN_ADDR    |    65536    |   kspp   | self_protection | OK
CONFIG_INTEL_IOMMU_SVM          |      y      |  clipos  | self_protection | OK
```

--------------------------------

### Kernel configuration check output examples

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

These examples demonstrate the output of a kernel configuration checker, showing the results of checking various CONFIG options like CONFIG_DEBUG_NOTIFIERS, CONFIG_CFI_CLANG, and CONFIG_CFI_PERMISSIVE. The output indicates whether configurations are 'OK' or 'FAIL' based on their set values.
```text
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>>                                                                                 | FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS                  |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
<<< AND >>>                                                                                | FAIL: CONFIG_CFI_PERMISSIVE is not "is not set"
CONFIG_CFI_CLANG                        |kconfig|     y      |   kspp   | self_protection  | OK
CONFIG_CFI_PERMISSIVE                   |kconfig| is not set |   kspp   | self_protection  | FAIL: "y"
-------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>>                                                                                 | OK: CONFIG_CFI_CLANG is "y"
CONFIG_DEBUG_NOTIFIERS                  |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
<<< AND >>>                                                                                | OK
CONFIG_CFI_CLANG                        |kconfig|     y      |   kspp   | self_protection  | OK
CONFIG_CFI_PERMISSIVE                   |kconfig| is not set |   kspp   | self_protection  | OK
-------------------------------------------------------------------------------------------------------------------------
```

--------------------------------

### Reproducing Setuptools Deprecation Warnings in Python

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This code snippet demonstrates how to set up a Python virtual environment and install setuptools to reproduce warnings related to the deprecation of the easy_install module. It highlights the steps needed to trigger these warnings before the setuptools 80.x deadline.

```bash
python -m venv .env
. .env/bin/activate
pip3 install --upgrade setuptools
python3 setup.py build
```

--------------------------------

### Kernel Hardening Checker with Kconfig and Sysctl Checks

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

Illustrates running the kernel-hardening-checker with verbose output, including checks for both kconfig and sysctl configurations. This example highlights the 'OR' and 'AND' logic used for combined checks, particularly for io_uring and localversion.

```bash
$ ./bin/kernel-hardening-checker -c kconfig -s /tmp/s -m verbose
...
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>>                                                                                 | FAIL: "0"
kernel.io_uring_disabled                |sysctl |     2      |  grsec   |cut_attack_surface| FAIL: "0"
<<< AND >>>                                                                                | FAIL: "y"
CONFIG_IO_URING                         |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
CONFIG_LOCALVERSION                     |kconfig| is present |    -     |        -         | OK: is present
-------------------------------------------------------------------------------------------------------------------------
```

--------------------------------

### Kernel Hardening Checker Verbose Output Example

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/README.md

Demonstrates the verbose output mode of the kernel-hardening-checker tool. This mode provides additional details, including configuration options without corresponding checks and the internal logic of complex checks.

```text
-------------------------------------------------------------------------------------------
<<< OR >>>
CONFIG_STRICT_DEVMEM                    |kconfig|cut_attack_surface|defconfig |     y
CONFIG_DEVMEM                           |kconfig|cut_attack_surface|   kspp   | is not set
-------------------------------------------------------------------------------------------
```

--------------------------------

### Example Output for CONFIG_ARCH_MMAP_RND_BITS on arm64

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This example shows the output of the kernel-hardening-checker tool for an arm64 architecture, specifically checking the `CONFIG_ARCH_MMAP_RND_BITS` configuration. It highlights that the expected value is 33 for a hardened configuration, and a failure occurs if the actual value is less than expected (e.g., '18').
```text
[+] Kconfig file to check: kernel_hardening_checker/config_files/defconfigs/arm64_defconfig_6.6.config
[+] Detected microarchitecture: ARM64
[+] Detected kernel version: 6.6
[+] Detected compiler: GCC 130001
...
CONFIG_ARCH_MMAP_RND_BITS               |kconfig|     33     |    my    | harden_userspace | FAIL: "18"
```

--------------------------------

### pyproject.toml Configuration for Kernel Hardening Checker

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This TOML configuration file is an example for the kernel-hardening-checker project, utilizing setuptools for building. It specifies build system requirements, package finding, dynamic versioning, project metadata, entry points, and URLs. This replaces the older setup.py method.

```toml
[build-system]
requires = ["setuptools == 80.9.0"]
build-backend = "setuptools.build_meta"

[tool.setuptools.packages.find]
where = ["."]

[tool.setuptools.dynamic]
version = {attr = "kernel_hardening_checker.__version__"}

[project]
name = "kernel-hardening-checker"
dynamic = ["version"]
description = "A tool for checking the security hardening options of the Linux kernel"
readme = "README.md"
license = { file = "LICENSE.txt" }
authors = [
  {name = "Alexander Popov", email = "alex.popov@linux.com"},
]
maintainers = [
  {name = "Alexander Popov", email = "alex.popov@linux.com"},
]
classifiers = [
  "Development Status :: 5 - Production/Stable",
  "License :: OSI Approved :: GNU General Public License v3 (GPLv3)",
  "Topic :: Security",
  "Operating System :: POSIX :: Linux",
  "Environment :: Console",
  "Programming Language :: Python :: 3",
]

[project.scripts]
kernel-hardening-checker = "kernel_hardening_checker:main"

[project.urls]
Homepage = "https://github.com/a13xp0p0v/kernel-hardening-checker"
Source = "https://github.com/a13xp0p0v/kernel-hardening-checker"
Download = "https://github.com/a13xp0p0v/kernel-hardening-checker#files"
"Bug Tracker" = "https://github.com/a13xp0p0v/kernel-hardening-checker/issues"
```
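Added example (not the project's own code): a simplified Python model of the parsing and combined-check logic behind the `<<< OR >>>` / `<<< AND >>>` report lines in the check-output snippets above, which also accepts the empty-value Kconfig lines and wildcard sysctl keys discussed in later snippets on this page. The check signature `(reason, decision, name, expected)` and the result strings follow the output shown on this page; the class and regex names and the sample inputs are assumptions constructed for the example.

```python
# Simplified model of kernel-hardening-checker's parsing and OR/AND checks (added example; names are assumptions).
import re

KCONFIG_SET = re.compile(r'^(CONFIG_[A-Za-z0-9_]+)=(.*)$')
KCONFIG_NOT_SET = re.compile(r'^# (CONFIG_[A-Za-z0-9_]+) is not set$')
SYSCTL_LINE = re.compile(r'^([A-Za-z0-9_./*-]+) = (.*)$')  # '*' admits wildcard keys

def parse_kconfig(text: str) -> dict[str, str]:
    """Option -> value; unset options get 'is not set' and 'CONFIG_FOO=' keeps ''."""
    opts: dict[str, str] = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KCONFIG_NOT_SET.match(line):
            opts[m.group(1)] = 'is not set'
        elif m := KCONFIG_SET.match(line):
            opts[m.group(1)] = m.group(2)  # an empty value is accepted, not rejected
        elif line and not line.startswith('#'):
            raise ValueError(f'unexpected line in kconfig file: "{line}"')
    return opts

def parse_sysctl(text: str) -> dict[str, str]:
    opts: dict[str, str] = {}  # key -> value from 'sysctl -a' output
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if not (m := SYSCTL_LINE.match(line)):
            raise ValueError(f'unexpected line in sysctl file: "{line}"')
        opts[m.group(1)] = m.group(2)
    return opts

class KconfigCheck:
    """Single check; expected is a value, 'is not set' or 'is present'."""
    kind = 'kconfig'
    def __init__(self, reason: str, decision: str, name: str, expected: str):
        self.reason, self.decision, self.name, self.expected = reason, decision, name, expected
        self.result = None

    def check(self, kconfig: dict[str, str], sysctl: dict[str, str]) -> str:
        state = (kconfig if self.kind == 'kconfig' else sysctl).get(self.name)
        if self.expected == 'is present':
            self.result = 'OK: is present' if state is not None else 'FAIL: is not present'
        elif state is None:
            self.result = 'OK: is not found' if self.expected == 'is not set' else 'FAIL: is not found'
        else:
            self.result = 'OK' if state == self.expected else f'FAIL: "{state}"'
        return self.result

class SysctlCheck(KconfigCheck):
    kind = 'sysctl'  # same logic, looked up in the sysctl map

class OrCheck:
    """Passes if any sub-check passes; the report names the one that passed."""
    def __init__(self, *opts):
        self.opts, self.name, self.expected, self.result = list(opts), opts[0].name, opts[0].expected, None

    def check(self, kconfig, sysctl) -> str:
        results = [o.check(kconfig, sysctl) for o in self.opts]  # evaluate every sub-check
        self.result = results[0]  # nothing passed: report the first sub-check's failure
        for i, (opt, r) in enumerate(zip(self.opts, results)):
            if r.startswith('OK'):
                self.result = r if i == 0 else f'OK: {opt.name} is "{opt.expected}"'
                break
        return self.result

class AndCheck(OrCheck):
    """Passes only if every sub-check passes; the report names the one that failed."""
    def check(self, kconfig, sysctl) -> str:
        results = [o.check(kconfig, sysctl) for o in self.opts]
        self.result = results[0]  # all later sub-checks passed: the first one decides
        for opt, r in reversed(list(zip(self.opts, results))[1:]):
            if not r.startswith('OK'):
                why = 'is not present' if r == 'FAIL: is not present' else f'is not "{opt.expected}"'
                self.result = f'FAIL: {opt.name} {why}'
                break
        return self.result

CHECKLIST = [  # the two combined checks from the output examples above; the project's list is far longer
    OrCheck(KconfigCheck('self_protection', 'kspp', 'CONFIG_DEBUG_NOTIFIERS', 'y'),
            AndCheck(KconfigCheck('self_protection', 'kspp', 'CONFIG_CFI_CLANG', 'y'),
                     KconfigCheck('self_protection', 'kspp', 'CONFIG_CFI_PERMISSIVE', 'is not set'))),
    OrCheck(SysctlCheck('cut_attack_surface', 'grsec', 'kernel.io_uring_disabled', '2'),
            AndCheck(KconfigCheck('cut_attack_surface', 'grsec', 'CONFIG_IO_URING', 'is not set'),
                     KconfigCheck('-', '-', 'CONFIG_LOCALVERSION', 'is present'))),
]
# Constructed sample inputs, not captured from a real system
SAMPLE_KCONFIG = """\
CONFIG_CFI_CLANG=y
CONFIG_CFI_PERMISSIVE=y
# CONFIG_DEBUG_NOTIFIERS is not set
CONFIG_IO_URING=y
CONFIG_LOCALVERSION=""
"""
SAMPLE_SYSCTL = "kernel.io_uring_disabled = 0\nnet.ipv4.conf.*.accept_source_route = 0\n"

def run_checks(kconfig_text: str, sysctl_text: str) -> dict[str, str]:
    kconfig, sysctl = parse_kconfig(kconfig_text), parse_sysctl(sysctl_text)
    return {c.name: c.check(kconfig, sysctl) for c in CHECKLIST}  # top-level name -> result
```

Runs on Python 3.9 or newer; after `run_checks()` the per-option results remain on the objects in `CHECKLIST` (for example `CHECKLIST[0].opts[1].result`), mirroring the sub-check rows of the verbose report.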
--------------------------------

### Example Kconfig Lines with Empty Values

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

These are examples of Kconfig lines that were found to cause issues with the original parsing logic in the kernel-hardening-checker. These lines have a configuration option followed by an equals sign but no value assigned, which deviates from the expected format.

```text
CONFIG_BCM_CHIP_NUMBER=
CONFIG_BCM_SCHED_RT_PERIOD=
CONFIG_BCM_SCHED_RT_RUNTIME=
CONFIG_BCM_DEFAULT_CONSOLE_LOGLEVEL=
CONFIG_BCM_RDP_IMPL=
```

--------------------------------

### Python Module Import Example

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This Python snippet illustrates how to locate a package's files through its import path. It shows how to access the package's path and use it to find configuration files. This approach helps in managing configurations without hardcoding absolute paths.

```python
from kconfig_hardened_check import config_files

# Accessing the absolute path of the config_files package (first entry of its __path__)
config_files_path = config_files.__path__[0]

# Now you can use config_files_path with functions like walk_dir
```

--------------------------------

### Extracting Kernel Configuration (extract-ikconfig)

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This example shows the usage of the `extract-ikconfig` command, which is part of the kernel-hardening-checker tool. It is used to extract the configuration from a kernel image. The error message indicates that the `vmlinux` file could not be found, suggesting an issue with the kernel image path or its availability.

```bash
extract-ikconfig

# Example error:
extract-vmlinux: Cannot find vmlinux.
Usage: extract-ikconfig
```

--------------------------------

### Kernel Hardening Checker Script Execution

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This example demonstrates the execution of the kernel-hardening-checker script on a Debian system. It shows the script's output, including kernel version detection, kconfig file identification, command-line parameter parsing, and microarchitecture detection. This is useful for users wanting to run the checker on their own systems.

```bash
deb@debian:~/kernel-hardening-checker$ which sysctl
deb@debian:~/kernel-hardening-checker$ cat /etc/issue
Debian GNU/Linux 11 \n \l

deb@debian:~/kernel-hardening-checker$ which sysctl
deb@debian:~/kernel-hardening-checker$ ./bin/kernel-hardening-checker -a
[+] Going to autodetect and check the security hardening options of the running kernel
[+] Detected version of the running kernel: (5, 10, 0)
[+] Detected kconfig file of the running kernel: /boot/config-5.10.0-32-amd64
[+] Detected cmdline parameters of the running kernel: /proc/cmdline
[+] Saved sysctls to a temporary file /tmp/sysctl-ktlabxv2
[+] Detected microarchitecture: X86_64
[+] Detected compiler: GCC 100201
...
```

--------------------------------

### Command-Line Interface: Default Table Output

Source: https://context7.com/a13xp0p0v/kernel-hardening-checker.git/llms.txt

Example of running the kernel-hardening-checker tool from the command line to display results in the default table format. The '-a' flag autodetects and checks the security hardening options of the running kernel.

```bash
# Default table output
./bin/kernel-hardening-checker -a

# Output:
```

--------------------------------

### Kernel Makefile Version Example (Makefile)

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This snippet demonstrates how kernel version numbers (VERSION, PATCHLEVEL, SUBLEVEL) are defined in a typical Linux kernel Makefile. It's used to explain kernel versioning logic.
```makefile
VERSION = 5
PATCHLEVEL = 6
SUBLEVEL = 0
```

--------------------------------

### Writing to /proc/<pid>/mem with `dd` and `xxd`

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This example demonstrates how to write data to a process's memory via `/proc/<pid>/mem` using standard Linux command-line tools. It uses `xxd` to convert hex data to binary and `dd` to write it to a specific offset in the `/proc/<pid>/mem` file, simulating an attack or test scenario.

```bash
$ echo '0x2a000000' | xxd -p -r | dd of=/proc/1508/mem bs=1 seek=$((0x7fff89013e1c)) conv=notrunc
4+0 records in
4+0 records out
4 bytes copied, 0.000316429 s, 12.6 kB/s
```

--------------------------------

### Format Print Output in Python

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This Python code snippet demonstrates how to format the output for printing configuration options. It involves using string formatting to align columns for option name, expected value, decision, reason, and result. The example shows how to handle long lines by breaking them across multiple lines for better readability.

```python
print(' CONFIG_{:<32}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
    opt.name, opt.expected, opt.decision, opt.reason, opt.result))
```

--------------------------------

### Parse Kernel Version Numbers (Shell)

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This example shows a shell command that diffs two configuration files to highlight changes in kernel version numbers. It's used to verify how the kernel-hardening-checker tool correctly parses and reports kernel versions, specifically focusing on the micro, minor, and patch numbers.
```shell
diff config207 config208
```

--------------------------------

### Python: Example Crash Log from Kernel Hardening Checker

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This is an example crash log generated by the kernel-hardening-checker tool. It shows an AssertionError due to an empty architecture, which occurred during sysctl checks.

```text
>>>>> check sysctl separately <<<<<
+ coverage run -a --branch bin/kernel-hardening-checker -s ./kernel_hardening_checker/config_files/distros/example_sysctls.txt
[+] Sysctl output file to check: ./kernel_hardening_checker/config_files/distros/distros/example_sysctls.txt
[!] WARNING: failed to detect microarchitecture in sysctl, arch-dependent checks will be dropped
Traceback (most recent call last):
  File "/home/vyashnikov/tools/kernel-hardening-checker/bin/kernel-hardening-checker", line 22, in <module>
    kernel_hardening_checker.main()
  File "/home/vyashnikov/tools/kernel-hardening-checker/kernel_hardening_checker/__init__.py", line 397, in main
    add_sysctl_checks(config_checklist, arch)
  File "/home/vyashnikov/tools/kernel-hardening-checker/kernel_hardening_checker/checks.py", line 730, in add_sysctl_checks
    assert(arch), 'empty arch'
AssertionError: empty arch
```

--------------------------------

### Python Configuration Checklist Iteration

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

A Python code snippet illustrating how to iterate through a configuration checklist. This specific example appears to be checking for the presence of 'CONFIG_ARCH_MMAP_RND_BITS' and potentially excluding it from further processing if its value needs refinement.
```python
for opt in config_checklist:
    if opt.name == 'CONFIG_ARCH_MMAP_RND_BITS':
        # don't add CONFIG_ARCH_MMAP_RND_BITS because its value needs refinement
        continue
```

--------------------------------

### Automated Performance Testing Workflow for Kernel Hardening Options

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This outlines an automated workflow for evaluating the performance impact of kernel hardening options. It involves building the kernel with a defconfig, testing performance with chosen benchmarks, and iteratively applying hardening options to measure their effects. The process aims to automate the manual routine of performance testing.

```text
1. Take defconfig as a basic kernel configuration.
2. Build the Linux kernel.
3. Start test system with this kernel (a hardware machine may give more consistent results than a virtual machine). If the system doesn't boot, go to step 6.
4. Run the chosen performance tests (hackbench, kernel compilation, network throughput evaluation, etc).
5. Save the test results.
6. Set another kernel option from the kconfig-hardened-check json output and go to step 2 (see #67). If all recommendations are already tested, then proceed to step 7.
7. Analyze the results of the performance testing.
```

--------------------------------

### Kernel Hardening Checker without Kconfig Check

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

Shows the output of the kernel-hardening-checker when run without the kconfig check option, focusing solely on sysctl values and their implications. This example demonstrates how the checker reports missing configurations like CONFIG_LOCALVERSION.

```bash
$ ./bin/kernel-hardening-checker -s /tmp/s -m verbose
...
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>>                                                                                 | FAIL: "0"
kernel.io_uring_disabled                |sysctl |     2      |  grsec   |cut_attack_surface| FAIL: "0"
<<< AND >>>                                                                                | FAIL: CONFIG_LOCALVERSION is not present
CONFIG_IO_URING                         |kconfig| is not set |  grsec   |cut_attack_surface| None
CONFIG_LOCALVERSION                     |kconfig| is present |    -     |        -         | FAIL: is not present
-------------------------------------------------------------------------------------------------------------------------
```

--------------------------------

### Print Security Recommendations (Bash)

Source: https://context7.com/a13xp0p0v/kernel-hardening-checker.git/llms.txt

Displays all security hardening recommendations for a specific architecture without checking any configuration files. Supports JSON and verbose output formats.

```bash
# Print recommendations for X86_64
./bin/kernel-hardening-checker -p X86_64

# Print recommendations for ARM64
./bin/kernel-hardening-checker -p ARM64

# Print recommendations in JSON format
./bin/kernel-hardening-checker -p X86_64 -m json

# Print recommendations with verbose details
./bin/kernel-hardening-checker -p ARM64 -m verbose
```

--------------------------------

### Automate Oracle Distro kconfig Fetching

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This bash script automates the process of fetching unique distribution names from Oracle's kconfig repository. It uses `wget` to download a summary JSON file and `jq` to parse it, then counts the number of distributions. It also demonstrates how to read these unique names into a bash array.
```bash
$ wget -qO- https://raw.githubusercontent.com/oracle/kconfigs/gh-pages/docs/summary.json | jq '.distros[].unique_name' | wc -l
98
```

```bash
oracle_git_url="https://raw.githubusercontent.com/oracle/kconfigs/gh-pages/"
readarray -t kconfigs_from_oracle < <(
    # wget output could alternatively be piped to jq -r '.distros[].unique_name'
    wget -qO- "${oracle_git_url}docs/summary.json" | grep -o '"unique_name": "[^"]*"' | awk -F'"' '{print $4}'
)
```

--------------------------------

### Kernel Configuration Option Update (Shell)

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This snippet provides an example of how a kernel configuration option, `CONFIG_ARCH_MMAP_RND_BITS`, might be updated or replaced. It suggests using `CONFIG_ARCH_MMAP_RND_BITS_MIN` and `CONFIG_ARCH_MMAP_RND_BITS_MAX` as replacements, indicating a change in how memory mapping randomization is configured in newer kernel versions.

```bash
# Original configuration option (example)
# CONFIG_ARCH_MMAP_RND_BITS=28

# Proposed replacement for newer kernels (e.g., 4.5–4.17, 4.18-rc+HEAD)
CONFIG_ARCH_MMAP_RND_BITS_MIN=28
CONFIG_ARCH_MMAP_RND_BITS_MAX=32
```

--------------------------------

### Kernel Hardening Checker Command-Line Help

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/README.md

Displays the help message for the kernel-hardening-checker tool, listing all available command-line arguments and their descriptions. This is useful for understanding the tool's capabilities and how to configure its checks.
```bash
$ ./bin/kernel-hardening-checker -h
usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}] [-a] [-c CONFIG]
                                [-v KERNEL_VERSION] [-l CMDLINE] [-s SYSCTL]
                                [-p {X86_64,X86_32,ARM64,ARM,RISCV}] [-g {X86_64,X86_32,ARM64,ARM,RISCV}]

A tool for checking the security hardening options of the Linux kernel

options:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  -m, --mode {verbose,json,show_ok,show_fail}
                        select a special output mode instead of the default one
  -a, --autodetect      autodetect and check the security hardening options of the running kernel
  -c, --config CONFIG   check the security hardening options in a Kconfig file (also supports *.gz files)
  -v, --kernel-version KERNEL_VERSION
                        extract the kernel version from a version file (such as /proc/version) instead of using a Kconfig file
  -l, --cmdline CMDLINE
                        check the security hardening options in a kernel command line file (such as /proc/cmdline)
  -s, --sysctl SYSCTL   check the security hardening options in a sysctl output file (the result of "sudo sysctl -a > file")
  -p, --print {X86_64,X86_32,ARM64,ARM,RISCV}
                        print security hardening recommendations for the selected architecture
  -g, --generate {X86_64,X86_32,ARM64,ARM,RISCV}
                        generate a Kconfig fragment containing the security hardening options for the selected architecture
```

--------------------------------

### KSPP Recommended Settings

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This link points to the Kernel Self Protection Project (KSPP) recommended settings page. KSPP aims to improve the security of the Linux kernel by providing guidance on configuration options and best practices. This resource is valuable for understanding kernel hardening strategies.
```text
https://kspp.github.io/Recommended_Settings
```

--------------------------------

### Kernel Hardening Checker Execution (RISC-V)

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This snippet demonstrates the execution of the kernel-hardening-checker tool on a RISC-V architecture. It shows the command-line arguments used to specify input files for kconfig, command line, and sysctl, and the tool's output, including detected kernel version, microarchitecture, and compiler.

```bash
$ ./bin/kernel-hardening-checker -c riscv-kconfig.out -l riscv-cmdline.out -s riscv-sysctl.out
[+] Kconfig file to check: riscv-kconfig.out
[+] Kernel cmdline file to check: riscv-cmdline.out
[+] Sysctl output file to check: riscv-sysctl.out
[+] Detected kernel version: (6, 12, 7)
[+] Detected microarchitecture: RISCV
[+] Detected compiler: GCC 140201
...
```

--------------------------------

### Filter JSON Output by Reason and Result

Source: https://context7.com/a13xp0p0v/kernel-hardening-checker.git/llms.txt

This example demonstrates how to filter the JSON output to find specific options. It uses Python to parse the JSON and select options where the 'reason' is 'self_protection' and the 'check_result_bool' is false (indicating a failure).

```python
import json
import sys

# Read the checker's JSON report (produced with '-m json') from stdin
checks = json.load(sys.stdin)

# Print the names of the self_protection options whose check failed
for c in checks:
    if c['reason'] == 'self_protection' and not c['check_result_bool']:
        print(c['option_name'])
```

--------------------------------

### Handle Wildcards in Sysctl Configuration

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This snippet addresses an issue where the kernel-hardening-checker (KHC) failed to parse sysctl configuration files containing wildcards. The provided example shows a sysctl line with a wildcard and the error message KHC produced. A fix was implemented to correctly handle these wildcards.
```text
net.ipv4.conf.*.accept_source_route = 0
```

```text
[-] ERROR: unexpected line in sysctl file: "net.ipv4.conf.*.accept_source_route = 0"
```

--------------------------------

### Run Kernel Hardening Checker with Sysctl Output

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

Demonstrates how to run the kernel-hardening-checker script with a sysctl output file. It shows the expected output format, including option names, types, desired values, decisions, reasons, and check results.

```bash
$ ./kernel-hardening-checker -s /tmp/file1
[+] Sysctl output file to check: /tmp/file1
=========================================================================================================================
              option_name               | type  |desired_val | decision |      reason      |   check_result
=========================================================================================================================
vm.unprivileged_userfaultfd             |sysctl |     0      |   kspp   |cut_attack_surface| OK
kernel.modules_disabled                 |sysctl |     1      |   kspp   |cut_attack_surface| FAIL: "0"
kernel.io_uring_disabled                |sysctl |     2      |  grsec   |cut_attack_surface| FAIL: "0"
```

--------------------------------

### Default Kernel Configuration Check (Bash)

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This snippet demonstrates how to check the default kernel configuration for specific options, CONFIG_VT and CONFIG_FB, after running 'make defconfig'. It's useful for understanding the baseline configuration of a kernel build.

```bash
rm .config
make defconfig
egrep "CONFIG_VT=|CONFIG_FB=" .config
```

--------------------------------

### KSPP Recommendations for Kernel Hardening

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This snippet details the Kernel Self Protection Project (KSPP) recommendations for disabling specific kernel configuration options to enhance security. It highlights the disabling of `CONFIG_COMPAT` and `CONFIG_X86_X32_ABI` as part of cutting the attack surface.

```text
CONFIG_IA32_EMULATION                   |kconfig| is not set |   kspp   |cut_attack_surface
CONFIG_X86_X32                          |kconfig| is not set |   kspp   |cut_attack_surface
# KSPP recommendations now contain disabling `CONFIG_COMPAT` and `CONFIG_X86_X32_ABI`.
```

--------------------------------

### Kernel Hardening Checker Command-Line Interface

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This snippet displays the usage instructions for the `kconfig-hardened-check` command-line tool. It outlines the available options for specifying architecture, configuration files, command-line arguments, and output modes. This tool helps in assessing the security hardening of a Linux kernel.

```bash
usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG] [-l CMDLINE]
                              [-m {verbose,json,show_ok,show_fail}]

A tool for checking the security hardening options of the Linux kernel

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
                        print security hardening preferences for the selected architecture
  -c CONFIG, --config CONFIG
                        check the kernel kconfig file against these preferences
  -l CMDLINE, --cmdline CMDLINE
                        check the kernel cmdline file against these preferences
  -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
                        choose the report mode
```

--------------------------------

### Kernel Configuration Checks for RISC-V

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

Demonstrates how kernel configuration checks are adapted for RISC-V. It includes examples of checks that are universally applicable and those that are excluded using `if arch` directives for unsupported features. Some checks, like those for `grsec` and specific `cut_attack_surface` options, are left untouched due to their nature or expected pass rate on RISC-V.

```python
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')]  # recommended by Denis Efremov in /pull/54
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD_RAWCMD', 'is not set')]  # recommended by Denis Efremov in /pull/62
```

--------------------------------

### Disable Kernel Debug Symbols (CONFIG_VMLINUX_MAP)

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This section discusses the CONFIG_VMLINUX_MAP kernel configuration option, which generates a system.map file containing debugging symbols. Disabling this option reduces the information leakage about the kernel, as the system.map file can be exploited by attackers. The provided context mentions that some operating systems automatically delete this file upon kernel installation.

```markdown
CONFIG_VMLINUX_MAP generates a system.map file, which contains debugging symbols, and other information that may leak information about the kernel. It is automatically generated with the kernel, and it is delivered in Debian packages for the kernel when built with the dpkg-deb mode of the kernel build system. Kicksecure OS has an automatic script to delete this file when a kernel is installed.
```

--------------------------------

### Disable Kernel Debugging (CONFIG_DEBUG_KERNEL)

Source: https://github.com/a13xp0p0v/kernel-hardening-checker.git/blob/master/issues.md

This section addresses the CONFIG_DEBUG_KERNEL configuration option, which generates a large debug file alongside the kernel. While not installed by default, it is created during the build process. Disabling this option reduces potential damage similar to the system.map file, speeds up kernel build times, and decreases disk usage on the build system. A compromise is suggested to ship debug info separately.
```markdown
The CONFIG_DEBUG_KERNEL option generates a similar, large debug file that can be installed along the kernel. It is not installed by default, although it is automatically created on the build system. It will cause similar damage to the system.map file. Disabling this option also speeds up kernel build time extensively, and reduces disk usage on the build system.
```