a13xp0p0v / kernel-hardening-checker Goto Github PK


A tool for checking the security hardening options of the Linux kernel

License: GNU General Public License v3.0

Python 99.24% Nix 0.76%

kernel-hardening-checker's People

Contributors

a13xp0p0v, adrianopol, anthraxx, c0rv4x, cotequeiroz, cyanidium, evdenis, ffontaine, hacks4snacks, jvoisin, krishjainx, madaidan, mic92, ne0sight, o8opi, pgils, shamilbi, supersandro2000, theloicoffrance, tyhicks


kernel-hardening-checker's Issues

Config change in 5.19.X

Hello,

The X86_SMAP option is no longer present in 5.19.X kernels. It is now enforced.
( commit )

Since it has been removed, the script marks the entry as failed.

[+] Special report mode: show_fail
[+] Kconfig file to check: /opt/KERNEL/linux-5.19.5/.config
[+] Detected architecture: X86_64
[+] Detected kernel version: 5.19
=========================================================================================================================
              option name               | type  |desired val | decision |      reason      | check result
=========================================================================================================================
CONFIG_X86_SMAP                         |kconfig|     y      |defconfig | self_protection  | FAIL: not found

The GCC_PLUGIN_RANDSTRUCT and GCC_PLUGIN_RANDSTRUCT_PERFORMANCE options have changed now that Clang has the feature ( commit ). They are now named RANDSTRUCT_FULL and RANDSTRUCT_PERFORMANCE respectively.

At the moment they don't fail but the new entries should be added in the script I think.

 grep RANDSTRUCT ./.config
# CONFIG_RANDSTRUCT_NONE is not set
CONFIG_RANDSTRUCT_FULL=y
# CONFIG_RANDSTRUCT_PERFORMANCE is not set
CONFIG_RANDSTRUCT=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

Removing security features during kernel compilation.

Hey,

I'm trying to do my best with the security options based on your script. I have a little problem with a few options.

When I'm adding these options:

# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y

# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y

# Force all structures to be initialized before they are passed to other functions.
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y

# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y

And then run "make -j 8 deb-pkg" on Ubuntu or "make -j8 bzImage ...." on CentOS, these options are removed immediately from ".config" in kernel-4.19.6. I have no idea what's going on. Could you tell me what I am doing wrong?

Don't give errors about CONFIG_PAGE_POISONING when using an alternative

Some people use CONFIG_INIT_ON_ALLOC_DEFAULT_ON/CONFIG_INIT_ON_FREE_DEFAULT_ON or linux-hardened's CONFIG_PAGE_SANITIZE (for LTS kernels) instead of CONFIG_PAGE_POISONING. People using these alternatives will get pointless errors that may confuse them.

It would be better if the errors were only shown when not using these.

False positive and false negatives

PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO depend on PAGE_POISONING. Checking a distro config which doesn't enable PAGE_POISONING (like Fedora) will show "OK: not found" for the first two even though it's far from OK in this case.

Currently the script checks only for MODULE_SIG_SHA512. Some distros (like Fedora) may use SHA256, which I think should be fine as well even if KSPP chose a different example.

After kspp settings server is frozen

Hey guys,

When I set up a CentOS 7 server with KSPP settings (config below) and install web hosting panels like cPanel, CWP panel or ISPmanager and then reboot the server, many services freeze. My network is disabled, I can't run it with the command systemctl start network, I can't reboot the server, etc. When I enter these commands nothing happens, just waiting and waiting.

My KSPP config:

[+] config check is finished: 'OK' - 62 / 'FAIL' - 41
[root@proton kconfig-hardened-check]# ls
config_files kconfig-hardened-check.py LICENSE README.md
[root@proton kconfig-hardened-check]# ./kconfig-hardened-check.py -c /boot/config-5.0.4 > kspp_setting
[root@proton kconfig-hardened-check]# cat kspp_setting
[+] Trying to detect architecture in "/boot/config-5.0.4"...
[+] Detected architecture: X86_64
[+] Checking "/boot/config-5.0.4" against hardening preferences...
option name | desired val | decision | reason || check result

CONFIG_BUG | y |defconfig | self_protection || OK
CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection || OK
CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection || OK
CONFIG_SLUB_DEBUG | y |defconfig | self_protection || OK
CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection || OK
CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection || OK
CONFIG_RETPOLINE | y |defconfig | self_protection || OK
CONFIG_X86_SMAP | y |defconfig | self_protection || OK
CONFIG_X86_INTEL_UMIP | y |defconfig | self_protection || OK
CONFIG_SYN_COOKIES | y |defconfig | self_protection || OK
CONFIG_VMAP_STACK | y |defconfig | self_protection || OK
CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection || OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || OK
CONFIG_DEBUG_WX | y | kspp | self_protection || OK
CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection || OK
CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection || OK
CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection || OK
CONFIG_FORTIFY_SOURCE | y | kspp | self_protection || OK
CONFIG_GCC_PLUGINS | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || OK
CONFIG_DEBUG_LIST | y | kspp | self_protection || OK
CONFIG_DEBUG_SG | y | kspp | self_protection || OK
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection || OK
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection || OK
CONFIG_PAGE_POISONING | y | kspp | self_protection || OK
CONFIG_HARDENED_USERCOPY | y | kspp | self_protection || OK
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK
CONFIG_MODULE_SIG | y | kspp | self_protection || OK
CONFIG_MODULE_SIG_ALL | y | kspp | self_protection || OK
CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection || FAIL: "is not set"
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection || OK
CONFIG_REFCOUNT_FULL | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STACKLEAK | y | my | self_protection || OK
CONFIG_LOCK_DOWN_KERNEL | y | my | self_protection || FAIL: not found
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || OK
CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || OK
CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK
CONFIG_SLAB_MERGE_DEFAULT | is not set | my | self_protection || FAIL: "y"
CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || OK
CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK
CONFIG_SECURITY | y |defconfig | security_policy || OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK
CONFIG_SECURITY_SELINUX_DISABLE | is not set | kspp | security_policy || OK
CONFIG_SECCOMP | y |defconfig | cut_attack_surface || OK
CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface || OK
CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface || OK
CONFIG_MODULES | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_DEVMEM | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface || OK
CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface || OK
CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface || OK
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_KEXEC | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface || OK
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface || OK
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface || OK
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface || OK
CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface || OK
CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface || OK
CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface || OK
CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface || FAIL: "m"
CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface || OK
CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_ACPI_APEI_EINJ | is not set | lockdown | cut_attack_surface || FAIL: "m"
CONFIG_PROFILING | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface || OK: not found
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface || OK
CONFIG_KEXEC_FILE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28"

[+] config check is finished: 'OK' - 62 / 'FAIL' - 41

Can someone help me with this? I would be grateful.
Could the impact be because of this?
CONFIG_GCC_PLUGINS | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || OK

Let user select configs without absolute path

System info:

Parrot OS 5.0, python 3
kconfig-hardened-check version 5.14
I've tried all options in the help menu and I didn't find anything similar to my idea.

Idea

  1. Create an option to list all configs. Maybe it supports search as well.
  2. Let the user select a module without an absolute path. For example, when I do Debian packaging for this tool, the configs are at /usr/lib/python3/dist-packages/kconfig_hardened_check/config_files/ and users don't know where to search for configs / modules.

Solution:

  3. Add a __init__.py file into config_files. By this, the configs folder is a module of the whole project.
  4. You can do from kconfig-hardened-check.<any path> import config_files. The absolute path of the module will be config_files.__path__[0].
  5. All modules are listed by walk_dir(config_files.__path__[0]). By this, you can have an option in argv to list all configs.
  6. When the user provides the -c flag, like -c distros/debian.config, the path is merged with config_files.__path__[0] so there's no need to know the absolute path.

Justification of UBSAN-related choices?

Currently, UBSAN-related choices are as follows:

https://github.com/a13xp0p0v/kconfig-hardened-check/blob/4dc94be8a5e0c3a0889679f7079aa93c7f44464d/kconfig_hardened_check/__init__.py#L421-L423

It is unclear to me why the last two are chosen. UBSAN_MISC=y seems like a good thing, as it enables more checks. UBSAN_TRAP=y seems like a bad thing, as it enables denial of service attacks. Furthermore, if I understand things correctly, UBSAN_SANITIZE_ALL=y would be needed to practically activate UBSAN.

Is my understanding correct, or a misunderstanding (which is perfectly possible)? In the latter case, I would be grateful for a pointer to an appropriate resource.

Fix getting Nix kconfig (contrib)

Hello @Mic92, could you help with this Nix problem?

I tested the installation of kconfig-hardened-check in a Docker container with Ubuntu 20.04.4 LTS.

It failed with the following error:

a13x@dc92d9d74557:~/src/1/kconfig-hardened-check/contrib$ ./get-nix-kconfig.py 
these 50 paths will be fetched (94.58 MiB download, 374.80 MiB unpacked):
Traceback (most recent call last):
  File "/home/a13x/src/1/kconfig-hardened-check/contrib/./get-nix-kconfig.py", line 30, in <module>
    main()
  File "/home/a13x/src/1/kconfig-hardened-check/contrib/./get-nix-kconfig.py", line 16, in main
    data = json.loads(proc.stdout)
  File "/nix/store/hym1n0ygqp9wcm7pxn4sfrql3fg7xa09-python3-3.9.12/lib/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
  File "/nix/store/hym1n0ygqp9wcm7pxn4sfrql3fg7xa09-python3-3.9.12/lib/python3.9/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/nix/store/hym1n0ygqp9wcm7pxn4sfrql3fg7xa09-python3-3.9.12/lib/python3.9/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Hoping for your help with Nix, @Mic92!

COPR repo with built kernel with suggested recommendations

Hi. This repository has been incredibly useful to me as of late. I'm trying to do the following: create a COPR repository, for example, such that it takes the kernel configuration from Fedora's latest kernel build for, say, 36 and then applies the recommended options here, handles setting everything on/off etc. for everything that depends on that option and everything that option depends on, while blacklisting certain recommendations so that it doesn't break certain apps etc. After doing this it would grab the source code for that kernel version and build it with those configs, and then one would just install the kernel normally.

How would one go about implementing this? Thank you!

Add RISC-V support

It would be nice to have kconfig-hardened-check adapted for RISC-V kernel configs.

JSON output

Hi,

I would like to integrate your project into a Python script which would check the security settings automatically and provide a report.

Would it be possible to have an easily parsable JSON output ?
Otherwise processing your data will be very difficult if you are not human.

Thanks !

LOCK_DOWN_KERNEL

Hello,

Thank you for this awesome project!

It seems that "LOCK_DOWN_KERNEL" / "LOCK_DOWN MANDATORY" enable other flags.

  • No unsigned modules and no modules for which can't validate the signature.
  • No use of ioperm(), iopl() and no writing to /dev/port.
  • No writing to /dev/mem or /dev/kmem.
  • No hibernation.
  • Restrict PCI BAR access.
  • Restrict MSR access.
  • No kexec_load().
  • Certain ACPI restrictions.
  • Restrict debugfs interface to ASUS WMI.

http://lkml.iu.edu/hypermail/linux/kernel/1704.0/02933.html

Is it possible to reflect this in the script?

CONFIG_MODULE_SIG_FORCE shouldn't be checked if CONFIG_MODULES is not set

I have a minimal kernel without modules for a server. I get a warning about CONFIG_MODULE_SIG_FORCE, which should not apply for a kernel without module support.

For several other module-related options the script behaves correctly (saying 'CONFIG_MODULES: OK ("is not set")' indicating this does not apply), but for CONFIG_MODULE_SIG_FORCE it does not do so.

Output is:

  CONFIG_MODULE_SIG_FORCE                |      y      |   kspp   |  self_protection   ||      FAIL: not found       

Compare with clipos recommendations

Hi Alexander,

I am monitoring an interesting project (CLIP OS) in my country and some options should be compared with your project.

Here are some options that are missing or different from kconfig-hardened-check:

CONFIG_AUDIT=y
CONFIG_IKCONFIG=n
CONFIG_KALLSYMS=n
CONFIG_SLAB_HARDENED=y
CONFIG_SLAB_CANARY=y
CONFIG_SLAB_SANITIZE=y
CONFIG_SLAB_SANITIZE_VERIFY=y
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=n
CONFIG_LOCAL_INIT=n
CONFIG_X86_VSYSCALL_EMULATION=n
CONFIG_MICROCODE=y
CONFIG_X86_MSR=y
CONFIG_KSM=n
CONFIG_MTRR=y
CONFIG_X86_PAT=y
CONFIG_ARCH_RANDOM=y
CONFIG_X86_INTEL_MPX=n
CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=n
CONFIG_CRASH_DUMP=n
CONFIG_COREDUMP=n
CONFIG_TCG_TPM=n
CONFIG_RANDOM_TRUST_CPU=n
CONFIG_IOMMU_SUPPORT=y
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_MAGIC_SYSRQ=n
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_SLUB_DEBUG_ON=n
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
CONFIG_INTEL_TXT=n
CONFIG_FORTIFY_SOURCE_STRICT_STRING=n
CONFIG_STATIC_USERMODEHELPER_PATH=""
CONFIG_SECURITY_SELINUX_BOOTPARAM=n
CONFIG_INTEGRITY=n
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_PAGE_SANITIZE_VERIFY=y
CONFIG_SECURITY_TIOCSTI_RESTRICT=y
CONFIG_LOCK_DOWN_MANDATORY=y
CONFIG_STACKLEAK_TRACK_MIN_SIZE=100
CONFIG_STACKLEAK_METRICS=n
CONFIG_STACKLEAK_RUNTIME_DISABLE=n

Details of the options are available here:
https://docs.clip-os.org/clipos/kernel.html#configuration

Best regards,

CONFIG_AMD_IOMMU_V2 = m appears also to be correct

CONFIG_AMD_IOMMU = y
CONFIG_AMD_IOMMU_V2 = m

appears to correctly setup the AMD v2 IOMMU on supported hardware (tested on NixOS) and is the config option used by Fedora/RHEL.

If you agree with this assessment, any pointers on how to add an OR to the existing AND conditional for CONFIG_AMD_IOMMU?

Couple ideas

Shouldn't NAMESPACES be replaced by USER_NS? AFAIK only user namespaces have security concerns, others are fine. Disabling them all will negatively affect many applications which use various namespaces for sandboxing.

Since Linux 4.16 there is the CC_STACKPROTECTOR_AUTO kconfig option, which effectively replaces CC_STACKPROTECTOR_STRONG and makes it a false negative in the script.

The script doesn't check for DEVMEM, which when set to n makes STRICT_DEVMEM and IO_STRICT_DEVMEM false negatives.

Some checks seem to be at odds with what the recommended settings are

I did not go through them all, but these in particular stuck out to me:

CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE     | is not set  |  clipos  |  self_protection   |   FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y"
CONFIG_STACKLEAK_METRICS                     | is not set  |  clipos  |  self_protection   |   FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE             | is not set  |  clipos  |  self_protection   |   FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"

If I'm reading this properly, the recommended setting for these is "is not set".
However, the specific tests show as FAIL because they are not "y".

Perhaps I'm just interpreting the report incorrectly, but at first glance it would appear that the check for the desired result is wrong.

conflict with the latest grsecurity

CONFIG_REFCOUNT_FULL conflicts with PAX_REFCOUNT
PAGE_TABLE_ISOLATION conflicts with PAX_MEMORY_UDEREF
VMAP_STACK conflicts with GRKERNSEC_KSTACKOVERFLOW
SECURITY_YAMA conflicts with GRKERNSEC
RANDOMIZE_BASE also cannot be enabled.

Should slub_debug be considered a hardening cmd line parameter?

According to this, the slub_debug is a hardening cmd line parameter. But when you use this option, you will see the following in the syslog on newer kernels:

kernel: **********************************************************
kernel: **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
kernel: **                                                      **
kernel: ** This system shows unhashed kernel memory addresses   **
kernel: ** via the console, logs, and other interfaces. This    **
kernel: ** might reduce the security of your system.            **
kernel: **                                                      **
kernel: ** If you see this message and you are not debugging    **
kernel: ** the kernel, report this immediately to your system   **
kernel: ** administrator!                                       **
kernel: **                                                      **
kernel: **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
kernel: **********************************************************

More here and here.

So, should users use slub_debug=FZP or slub_debug=ZP?

Please support /proc/config.gz

Currently only uncompressed config-* files in /boot/ are supported, but the current kernel config can also be accessed via /proc/config.gz . There's no way to use this file. Please support this path as well.
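One way a checker could handle the cases raised in the issues above (reading /proc/config.gz, the PAGE_POISONING_NO_SANITY false negative, MODULE_SIG_FORCE on a kernel without MODULES, DEVMEM=n, and accepted alternatives such as SHA256, INIT_ON_FREE_DEFAULT_ON or the renamed RANDSTRUCT_FULL), written here as an added example and not the project's own code. The sample config, the function names and the parent/alternative rules are constructed for this illustration.

```python
import gzip
import re
from pathlib import Path

# Constructed sample config (not a real distro file): modules and page
# poisoning disabled, and the post-5.19 RANDSTRUCT symbol names.
SAMPLE_CONFIG = """\
# CONFIG_MODULES is not set
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_PAGE_POISONING is not set
CONFIG_RANDSTRUCT_FULL=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
"""

NOT_SET = "is not set"


def parse_kconfig(text):
    """Map CONFIG_* symbols to their value; disabled symbols map to NOT_SET."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"# (CONFIG_\w+) is not set", line)
        if m:
            opts[m.group(1)] = NOT_SET
            continue
        m = re.fullmatch(r"(CONFIG_\w+)=(.*)", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
    return opts


def load_kconfig(path):
    """Read a plain /boot/config-* file or a gzip-compressed /proc/config.gz."""
    raw = Path(path).read_bytes()
    if raw[:2] == b"\x1f\x8b":  # gzip magic number
        raw = gzip.decompress(raw)
    return parse_kconfig(raw.decode())


def check(opts, name, desired, alternatives=(), parent=None, parent_off="OK"):
    """Evaluate one recommendation and return (verdict, detail).

    alternatives: (symbol, value) pairs that satisfy the same goal.
    parent: symbol that must be "y" for the check to be meaningful;
    parent_off is the verdict when it is not ("OK" = the check is moot,
    "FAIL" = the hardening feature itself is missing).
    """
    if parent is not None and opts.get(parent, NOT_SET) != "y":
        return (parent_off, f'{parent} is "{opts.get(parent, "not found")}"')
    actual = opts.get(name)
    if actual == desired:
        return ("OK", "")
    for alt_name, alt_val in alternatives:
        if opts.get(alt_name) == alt_val:
            return ("OK", f"{alt_name}={alt_val} accepted instead")
    if actual is None:
        # An absent symbol is acceptable only when we wanted it disabled.
        return ("OK" if desired == NOT_SET else "FAIL", "not found")
    return ("FAIL", f'"{actual}"')


def run_checks(opts):
    """The recommendations discussed in the issues above, with their rules."""
    return {
        "CONFIG_MODULE_SIG_FORCE": check(
            opts, "CONFIG_MODULE_SIG_FORCE", "y", parent="CONFIG_MODULES"),
        "CONFIG_MODULE_SIG_SHA512": check(
            opts, "CONFIG_MODULE_SIG_SHA512", "y", parent="CONFIG_MODULES",
            alternatives=(("CONFIG_MODULE_SIG_SHA256", "y"),)),
        "CONFIG_PAGE_POISONING": check(
            opts, "CONFIG_PAGE_POISONING", "y",
            alternatives=(("CONFIG_INIT_ON_FREE_DEFAULT_ON", "y"),)),
        "CONFIG_PAGE_POISONING_NO_SANITY": check(
            opts, "CONFIG_PAGE_POISONING_NO_SANITY", NOT_SET,
            parent="CONFIG_PAGE_POISONING", parent_off="FAIL"),
        "CONFIG_GCC_PLUGIN_RANDSTRUCT": check(
            opts, "CONFIG_GCC_PLUGIN_RANDSTRUCT", "y",
            alternatives=(("CONFIG_RANDSTRUCT_FULL", "y"),)),
        "CONFIG_STRICT_DEVMEM": check(
            opts, "CONFIG_STRICT_DEVMEM", "y", parent="CONFIG_DEVMEM"),
        "CONFIG_DEFAULT_MMAP_MIN_ADDR": check(
            opts, "CONFIG_DEFAULT_MMAP_MIN_ADDR", "65536"),
    }


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        opts = load_kconfig(sys.argv[1])
    else:  # exercise the /proc/config.gz path with the gzipped sample
        with tempfile.NamedTemporaryFile(suffix=".gz", delete=False) as tmp:
            tmp.write(gzip.compress(SAMPLE_CONFIG.encode()))
        opts = load_kconfig(tmp.name)
    for name, (verdict, detail) in run_checks(opts).items():
        print(f"{name:36}| {verdict}" + (f": {detail}" if detail else ""))
```

Run it with a path argument (for instance /proc/config.gz) to check a live kernel; without arguments it checks the embedded sample.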

iommu=force

It seems it helps indirectly against DMA attacks (from what I understand). It is recommended by ANSSI.

From this PDF (in French), in the chapter "5.2.1 Configuration de la mémoire"

Or from this older version of the same PDF, but in English: chapter "4.3 IOMMU Service (input/output virtualization)"

CONFIG_TRIM_UNUSED_KSYMS and CONFIG_MODULES not in sync

It seems there is a problem with the current stable kernel (5.15.14 at the date of this issue).

The kernel option TRIM_UNUSED_KSYMS is defined in my config as:

Symbol: TRIM_UNUSED_KSYMS [=n]
Type  : bool
Defined at init/Kconfig:2301
Prompt: Trim unused exported kernel symbols
Depends on: MODULES [=n] && !COMPILE_TEST [=n]
Visible if: MODULES [=n] && !COMPILE_TEST [=n] && EXPERT [=y]
Location: 
(1) -> Enable loadable module support (MODULES [=n])

Yet the script (with the setup above) outputs:
CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | FAIL: not found

But as the hardening requires MODULES = n (is not set), it is impossible to set TRIM_UNUSED_KSYMS through menuconfig.

Hardened Kernel Config File for Virtual Machines (VMs) ("cloud kernel")

A kernel config specialized for better security inside virtual machines is in development.

The development preview version can be found here:
https://github.com/Whonix/hardened-kernel/blob/master/usr/share/hardened-kernel/hardened-vm-kernel

This work is being done by @madaidan who also contributed pull requests to linux-hardened.

https://github.com/anthraxx/linux-hardened/pulls?utf8=%E2%9C%93&q=author%3Amadaidan

Discussions about the kernel config happen mostly in Whonix forums.

https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/214

The hardened kernel config was contributed by @madaidan to the @Whonix project but as the maintainer of Whonix I think that it is not the most suitable project to maintain a kernel config. It would be more impactful and would get more eyes on it if it was hosted here.

Therefore I am wondering if there is any chance you would accept a pull request for a hardened (VM) config file? Which folder would be suitable for such a config file?

@madaidan is also working on a hardened bare metal (i.e. non-VM) kernel config:
https://github.com/Whonix/hardened-kernel/blob/master/usr/share/hardened-kernel/hardened-host-kernel

ERROR?

I was trying to follow a book (Billimoria, Kaiwan N. Linux Kernel Debugging: Leverage proven tools and advanced techniques to effectively debug Linux kernels and kernel modules (p. 61). Packt Publishing. Kindle Edition.).

But:

$ bin/kconfig-hardened-check -p X86_64 -c ~/lkd_kernels/kconfig.prod01/.config
[!] ERROR: --config and --print can't be used together

What should I do?

Feature request: Check CONFIG_RESET_ATTACK_MITIGATION

Thanks for this tool.

I'd propose to add a check for CONFIG_RESET_ATTACK_MITIGATION.
This is a feature that on modern systems will set a flag on boot that signals the BIOS to wipe the memory if an unclean shutdown happened. This can protect against some forms of cold boot attacks where you reboot into another system and try to read out the memory from the previous run.

Here's the Kernel submission with some explanation:
https://lwn.net/Articles/730006/

It's also explained in this talk:
https://www.youtube.com/watch?v=RqvPZnLkP70 (around minute 35)

can't add version check for constraints in a logical product

If I try to do:

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 3fcb5e0..1c31c40 100755
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -251,8 +251,8 @@ def construct_checklist(checklist, arch):
         checklist.append(OptCheck('MICROCODE',                   'y', 'defconfig', 'self_protection')) # is needed for mitigating CPU bugs
         checklist.append(OptCheck('RETPOLINE',                   'y', 'defconfig', 'self_protection'))
         checklist.append(OptCheck('X86_SMAP',                    'y', 'defconfig', 'self_protection'))
-        checklist.append(OR(OptCheck('X86_UMIP',                 'y', 'defconfig', 'self_protection'), \
-                            OptCheck('X86_INTEL_UMIP',           'y', 'defconfig', 'self_protection')))
+        checklist.append(OR(AND(OptCheck('X86_UMIP',                 'y', 'defconfig', 'self_protection'), VerCheck((5, 5))), \
+                            AND(OptCheck('X86_INTEL_UMIP',           'y', 'defconfig', 'self_protection'), VerCheck((4, 14)))))
         checklist.append(OptCheck('SYN_COOKIES',                 'y', 'defconfig', 'self_protection')) # another reason?
     if arch == 'X86_64':
         checklist.append(OptCheck('PAGE_TABLE_ISOLATION',        'y', 'defconfig', 'self_protection'))
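Review bot: the traceback quoted below this diff explains why the two `+` lines fail: `perform_checks` walks the checklist doing `o.state = parsed_options.get(o.name, None)` on every element, and the `VerCheck` objects now nested inside `AND(...)` do not accept assignment to `state` (hence `AttributeError: can't set attribute`). Before this composition can work, either `perform_checks` (or the `AND`/`OR` containers) must skip version checks when distributing parsed options, or `VerCheck` must expose a writable `state`. Separately, the thresholds `VerCheck((5, 5))` and `VerCheck((4, 14))` deserve a short trailing comment in the style of the existing `# is needed for mitigating CPU bugs` line, saying which kernel versions introduced `X86_UMIP` and `X86_INTEL_UMIP`, so the next reader knows why the two branches differ.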

I get:

Traceback (most recent call last):
  File "/home/tycho/.local/bin/kconfig-hardened-check", line 10, in <module>
    sys.exit(main())
  File "/home/tycho/.local/lib/python3.7/site-packages/kconfig_hardened_check/__init__.py", line 611, in main
    check_config_file(config_checklist, args.config, arch)
  File "/home/tycho/.local/lib/python3.7/site-packages/kconfig_hardened_check/__init__.py", line 554, in check_config_file
    perform_checks(checklist, parsed_options)
  File "/home/tycho/.local/lib/python3.7/site-packages/kconfig_hardened_check/__init__.py", line 519, in perform_checks
    o.state = parsed_options.get(o.name, None)
AttributeError: can't set attribute

CPU specific options and the kernel cmd line

I have an Intel CPU, and when I run kconfig-hardened-check I get the following FAILs:

CONFIG_AMD_IOMMU                             |      y      |defconfig |  self_protection   |   FAIL: "is not set"
CONFIG_AMD_IOMMU_V2                          |      y      |    my    |  self_protection   |   FAIL: not found

It would be nice to have such CPU specific options hidden in the results.

The behavior of some options can be controlled via the kernel cmd line, for instance:

CONFIG_SLUB_DEBUG_ON                         |      y      |    my    |  self_protection   |   FAIL: "is not set"
CONFIG_X86_VSYSCALL_EMULATION                | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"

If a user sets slub_debug=FZP and vsyscall=none in the kernel cmd line, I think he would achieve the same behavior. So, kconfig-hardened-check could check such kernel cmd line options before giving a FAIL.

What do you think about such improvements?
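An added example (not the tool's own code) of both improvements asked for in this issue: a rule table is evaluated against a parsed config, options belonging to another CPU vendor are reported as skipped, and a FAIL is downgraded to OK when the kernel command line carries an equivalent setting. The parsed options, command line, vendor_id string and the option-to-parameter table are constructed for the demo; which cmdline values count as "equivalent" is an assumption.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed inputs (not from a real machine): the two FAILs from the issue
# plus one option per IOMMU vendor, and a /proc/cmdline with both workarounds.
SAMPLE_OPTS = {'CONFIG_SLUB_DEBUG_ON': 'is not set', 'CONFIG_X86_VSYSCALL_EMULATION': 'y',
               'CONFIG_AMD_IOMMU': 'is not set', 'CONFIG_INTEL_IOMMU': 'y'}
SAMPLE_CMDLINE = 'BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro slub_debug=FZP vsyscall=none quiet'


def parse_cmdline(cmdline: str) -> Dict[str, Optional[str]]:
    """Split a kernel command line into {param: value}; bare flags map to None."""
    params: Dict[str, Optional[str]] = {}
    for tok in cmdline.split():
        key, sep, val = tok.partition('=')
        params[key] = val if sep else None
    return params


def _slub_debug_enabled(val: Optional[str]) -> bool:
    # Bare "slub_debug" enables every debug option; otherwise require at least
    # the Z (red zoning) and P (poisoning) flags. A cache list may follow a comma.
    return val is None or {'Z', 'P'} <= set(val.split(',')[0])


# Kconfig option -> (cmdline parameter, predicate on its value) with equivalent effect.
CMDLINE_EQUIVALENTS: Dict[str, Tuple[str, Callable[[Optional[str]], bool]]] = {
    'CONFIG_SLUB_DEBUG_ON': ('slub_debug', _slub_debug_enabled),
    'CONFIG_X86_VSYSCALL_EMULATION': ('vsyscall', lambda v: v == 'none'),
}

# Options that only matter for one vendor_id (as printed in /proc/cpuinfo).
CPU_SPECIFIC = {'CONFIG_AMD_IOMMU': 'AuthenticAMD', 'CONFIG_AMD_IOMMU_V2': 'AuthenticAMD',
                'CONFIG_INTEL_IOMMU': 'GenuineIntel'}

RULES = [('CONFIG_SLUB_DEBUG_ON', 'y'), ('CONFIG_X86_VSYSCALL_EMULATION', 'is not set'),
         ('CONFIG_AMD_IOMMU', 'y'), ('CONFIG_INTEL_IOMMU', 'y')]


def evaluate(opts: Dict[str, str], cmdline: str, vendor: str) -> List[Tuple[str, str]]:
    """Run RULES; hide other vendors' options and accept a cmdline equivalent."""
    params = parse_cmdline(cmdline)
    results = []
    for name, expected in RULES:
        if CPU_SPECIFIC.get(name, vendor) != vendor:
            results.append((name, f'SKIP: not relevant for {vendor}'))
            continue
        state = opts.get(name, 'not found')
        if state == expected or (state == 'not found' and expected == 'is not set'):
            results.append((name, 'OK'))
            continue
        param, satisfied = CMDLINE_EQUIVALENTS.get(name, (None, None))
        if param in params and satisfied(params[param]):
            results.append((name, f'OK: via cmdline {param}'))
        else:
            results.append((name, f'FAIL: "{state}"'))
    return results
```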

Request for command line options to display only OK/FAIL items

I'd like to request command line options to reduce output to OK/FAIL items only, e.g.

-o, --ok      only list items checked as OK
-f, --fail    only list items checked as FAIL

This would make it much easier to work through the list of settings when hardening kernel configurations, especially if one only applies few at a time to test their impact.

This tool is great, many thanks!

After using KSPP settings, modules ext4, xfs, iptables are disabled.

Hello a13xp0p0v :))

I'm using CentOS 7 and I have a weird problem after kernel compilation. Below is my kernel config with KSPP options enabled.
[screenshots of the config: kernel1, kernel2, kernel3]

I have no idea why after compiling the kernel, modules like for example ext4, xfs and iptables are disabled. I can't log in to the system because the ext4 module is disabled. The only way is to compile it in permanently, not as a module. But iptables still doesn't work. Which options are responsible for these "issues"?
Thanks for help :)

Integrity Measurement Architecture

The Integrity Measurement Architecture is a subsystem that is responsible
for calculating file hashes. This allows greater security. This option would be ideal
to be integrated.

Kernel Config -

CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_NG_TEMPLATE=y
# CONFIG_IMA_SIG_TEMPLATE is not set
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
CONFIG_IMA_DEFAULT_HASH_SHA512=y
CONFIG_IMA_DEFAULT_HASH="sha512"
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_ARCH_POLICY=y
CONFIG_IMA_APPRAISE_BUILD_POLICY=y
CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_APPRAISE_MODSIG=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
CONFIG_IMA_BLACKLIST_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set  (This option breaks memory, do not select)
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
CONFIG_IMA_DISABLE_HTABLE=y
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
CONFIG_EVM_EXTRA_SMACK_XATTRS=y
CONFIG_EVM_ADD_XATTRS=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"

My system integrates this security
https://sourceforge.net/projects/anti-ransomware/

Thank you very much

KSPP future in defconfig of Linux distributions.

Hello,

I'm just curious what the status of implementing KSPP in the default kernel of GNU/Linux distributions is. Why don't Linux distributions implement, for example, most of the KSPP solutions, such as STACKLEAK or GCC hardening? I use most of the KSPP features based on your script, Alexander, and the kernel works like a charm. Can someone explain this to me?

User namespace useful especially when running containers

Maybe I'm wrong, but at least with Kernel 5.0 USER_NS is activated by default, so "is not set" or "y" should be equivalent. At the moment, it fails because it is "y" on my configuration.

I know that deactivating USER_NS can cut the attack surface if it is not needed on a system. But on my systems which are running containers, I want to have USER_NS activated. True, this is not pure hardening of the kernel, but if we take into account the whole kernel, including the possibility to use it to make containers, then USER_NS should be part of the whole hardening.

Allow redefining rules and expanding rule sets

I have found this tool quite helpful for quickly auditing embedded kernel configs. However, I've been finding that on embedded systems, I often have unique, application-specific security requirements:

  • Embedded SoC vendors often have drivers that haven't made it into mainline that need to be checked (e.g. special HW RNG drivers, TZ drivers, PMIC drivers)
  • The application may want to even further prioritize the correct operation of the system over performance or reliability (i.e. be willing to sacrifice battery life, CPU bandwidth, or resistance to DoS attacks to increase hardness)
  • Since the required kernel functionality is fully defined (e.g. we know we'll never need FAT filesystem support, don't want UART or kernel console driver, don't want USB gadget drivers, etc.), specify that unused drivers must be removed, lest they be leveraged by an attacker

I propose moving the config tests currently hard-coded in __init__ into a set of yaml configs that can be included by a top-level config, like this:

# Includes are optional. Recursively walk through them, each test/error will be tagged with the source yaml
# Last included definition for a CONFIG_ is used
includes:
  - kspp.yaml
  - clipos.yaml
  - my.yaml
  - soc_a.yaml
# Tests
tests: !!seq [
  # Description of test
  RANDOMIZE_BASE: {
    # Test passes if CONFIG=value
    require: value,
    # Test passes if config not found, or "is not set"
    # require: is not set,
    # Optional: only test if other config is set to something
    if_config: MODULES,
    # Optional: only test specific kernel versions
    if_kernel_ver_gt_eq: 5.9,
    if_kernel_ver_lt: 5.8,
    # Optional: only test specific architectures
    if_arch: [X86_64, ARM64, X86_32],
  },
  # Example: require CONFIG_BUG=y
  BUG: {
    require: y,
  },
]

This would enable the config requirements to be layered, similar to the way kernel defconfigs can be layered (i.e. arch | Android | SoC vendor | device). I have some free time next week to implement this if you're open to it.

CONFIG_STATIC_USERMODEHELPER

I read over the CLIP OS notes regarding this option, and they also mention that they are not currently using it in the second paragraph.

It seems that this option isn't actually helpful unless you've already got a usermode helper program?

Just questioning the wisdom of this option as I imagine some people will just enable everything they see here, and may wind up with this pointing at a non-existent binary.

False positive on CONFIG_REFCOUNT_FULL in recent 5.4.x kernels

Similar to #30, CONFIG_REFCOUNT_FULL was removed from 5.4.x kernels starting with v5.4.208, because full refcount became always-on, in this commit:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.4.y&id=d0d583484d2ed9f5903edbbfa7e2a68f78b950b0

Currently we complain when it is not found, like:
CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | FAIL: is not found

I don't know an easier way to find which kernel first included that commit other than:

$ egrep url .git/config 
        url = https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
$ git tag --contains d0d583484d2ed9f5903edbbfa7e2a68f78b950b0 | head -n2
v5.4.208
v5.4.209

I think the fix is to return OK for 5.4.x where x >= 208.

Except... that's done via VersionCheck in engine.py which, if I'm reading it right, takes only major and minor versions, no third parameter:

class VersionCheck:
    def __init__(self, ver_expected):
        assert(ver_expected and isinstance(ver_expected, tuple) and len(ver_expected) == 2), \
               f'invalid version "{ver_expected}" for VersionCheck'

So that function would have to be made a bit more flexible.

I don't know if other CONFIG_* knobs disappeared / became defaults in the middle of a given major.minor kernel version, but it would not surprise me.
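As an added example (not the project's engine.py), here is a VersionCheck that also accepts a patch level, plus a BackportedCheck for the situation this issue describes, where a mainline change was backported to a stable branch at a known patch level. It assumes, as the issue implies, that the same change landed in mainline 5.5, and uses the 5.4.208 threshold from the issue; other stable branches that received the backport could be added to the table in the same way.

```python
from typing import Dict, Mapping, Optional, Tuple

Version = Tuple[int, ...]  # (major, minor) or (major, minor, patch)


def normalize(ver: Version) -> Tuple[int, int, int]:
    """Pad (major, minor) to (major, minor, 0) so tuples compare element-wise."""
    assert isinstance(ver, tuple) and 2 <= len(ver) <= 3, f'invalid version "{ver}"'
    return tuple(ver) + (0,) * (3 - len(ver))  # type: ignore[return-value]


class VersionCheck:
    """Passes when the kernel is at least ver_expected; the patch level is optional."""
    def __init__(self, ver_expected: Version):
        self.ver_expected = normalize(ver_expected)

    def check(self, kernel_ver: Version) -> bool:
        return normalize(kernel_ver) >= self.ver_expected


class BackportedCheck:
    """Passes when a mainline change is present: the kernel is >= mainline, or it is
    on a listed stable branch at or past the patch level that received the backport."""
    def __init__(self, mainline: Version, stable: Mapping[Tuple[int, int], int]):
        self.mainline = VersionCheck(mainline)
        self.stable = dict(stable)

    def check(self, kernel_ver: Version) -> bool:
        major, minor, patch = normalize(kernel_ver)
        if self.mainline.check(kernel_ver):
            return True
        threshold: Optional[int] = self.stable.get((major, minor))
        return threshold is not None and patch >= threshold


# Assumed: full refcount became always-on in mainline 5.5 and was backported to 5.4.208.
REFCOUNT_FULL_ALWAYS_ON = BackportedCheck(mainline=(5, 5), stable={(5, 4): 208})


def check_refcount_full(opts: Dict[str, str], kernel_ver: Version) -> str:
    """Report CONFIG_REFCOUNT_FULL like the tool would, but without the false positive."""
    state = opts.get('CONFIG_REFCOUNT_FULL')
    if state == 'y':
        return 'OK'
    if state is None and REFCOUNT_FULL_ALWAYS_ON.check(kernel_ver):
        return 'OK: always on since this version'
    return f'FAIL: "{state}"' if state else 'FAIL: not found'
```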

graphics related options

Discussion with Dmitry Yukov on Twitter:

CONFIG_DRM_LEGACY: Really old drivers from the 90s, with unfixable-by-design security holes. Unfortunately userspace for one modern driver (drm/nouveau) used it until just a few years ago by accident (we didn't delete all the old legacy driver setup code), so we can't remove it all completely yet from the kernel sources.

CONFIG_FB: Old display subsystem from the 90s, essentially unmaintained for over 10 years, would need serious effort to get up to speed with modern security best practices. This even includes the minimal fbdev emulation support built on top of drm gpu drivers, since the issues are in core fbdev code.

CONFIG_VT: Maybe the most disputed of all, but a lot of the console drivers this exposes to userspace are also from the 90s, and without CONFIG_FB this isn't really useful even for a desktop. A hardened distro definitely wants to make sure this is not set at all.
