Comments (6)
Hello @tych0!
I'm glad that you had a look at this project!
How are you doing? :)
Yes, currently the combination of ComplexOptCheck
objects is not supported (there have been no cases that needed it).
The original logic behind X86_UMIP
check:
- if
X86_UMIP
orX86_INTEL_UMIP
is set toy
, thenOK
; - otherwise
FAIL
.
What is the purpose of combining UMIP
check with version check?
I designed VerCheck
for cases like that:
- if
REFCOUNT_FULL
is set toy
, thenOK
; - if kernel version >=
5.5
, thenOK
(sinceREFCOUNT_FULL
is enabled by default and dropped since v5.5); - otherwise
FAIL
.
N.B. There is an implicit drawback with checking kernel versions.
Some kernel features are backported to previous stable kernels.
That's why checking the version can give false positive or false negative result.
Detailed example: #32
Thanks!
from kernel-hardening-checker.
from kernel-hardening-checker.
What is the purpose of combining
UMIP
check with version check?
It's only present in 4.15 or greater; I'm running a 4.14 kernel and kconfig-hardened-check is complaining at me :)
Yes, that's good. The tool inspires you to switch onto a newer kernel :)
"Not present" is also risky though, if people don't have some of the
dependencies of a feature enabled.
You know, I haven't seen any example of such unmet dependencies. I suppose that kernel feature dependencies are resolved by Kconfig.
A version whitelist seems the best.
I would like to avoid version checking as much as possible.
Relying on kernel version brings so many troubles!
For example:
- sometimes new features are backported to previous stable kernels,
- sometimes Linux distributions cherry-pick features into their kernels,
- some Linux distributions have custom kernel versioning scheme -- look at Ubuntu or Red Hat.
Finally, the most important aspect.
I like that kernels of different versions are checked against the same list of recommendations.
Hence they can be compared using OK/FAIL
numbers that are printed by the tool in the end:
[+] config check is finished: 'OK' - 55 / 'FAIL' - 77
from kernel-hardening-checker.
@tych0 your issue reminded me the idea to create some formatted annotations, that can be used for muting checks for a particular kernel. That was discussed in #9.
Thank you.
from kernel-hardening-checker.
Sorry, I read this and forgot to respond :)
Yes, that's good. The tool inspires you to switch onto a newer kernel :)
Yes, but switching is not so easy sometimes, because of institutional challenges. If we want to add this to our CI to check our kernel configs or something, it would be nice to exclude stuff that doesn't exist in our kernel. I can do this manually, but it would be nicer to have this knowledge baked into the script.
You know, I haven't seen any example of such unmet dependencies. I suppose that kernel feature dependencies are resolved by Kconfig.
Consider GCC_PLUGIN_STACKLEAK; we'll report "Not present" if the user hasn't set CONFIG_GCC_PLUGINS=n, but it really should be an error.
from kernel-hardening-checker.
Anwyay, I'll check out the updates, thanks :)
from kernel-hardening-checker.
Related Issues (20)
- CONFIG_COMPAT_VDSO has a completely different meaning for arm64 and recommending disabling it doesn't make sense there HOT 3
- CONFIG_ARCH_MMAP_RND_BITS check is wrong for arm64 HOT 3
- drop check for dependency-only CONFIG_GCC_PLUGINS due to Clang HOT 3
- add disabling CONFIG_AIO (legacy POSIX AIO) as a recommendation HOT 1
- add check for CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x0 too HOT 4
- add check for UNWIND_PATCH_PAC_INTO_SCS, which reduces security compared to using both PAC + SCS HOT 4
- Minimal kernel version ? HOT 1
- New CONFIG_MODULE_SIG_SHA3_512 option in kernel 6.7 HOT 1
- Better json output HOT 4
- Add io_uring_disabled sysctl to disable/limit io_uring creation
- Reducing Kernel Symbols on File System by Disabling CONFIG_VMLINUX_MAP and CONFIG_DEBUG_KERNEL HOT 2
- Kernel Debug Metadata Access with CONFIG_DYNAMIC_DEBUG HOT 3
- Add ia32_emulation kernel cmdline parameter to disable 32-bit emulation support on 64-bit x86 CPUs HOT 1
- Suggestions for kernel-hardening-checker HOT 3
- Add kconfig option for Intel CET shadow stack
- Add check for CONFIG_MITIGATION_RFDS HOT 1
- Linux 6.9 Renames Many CPU Mitigation CONFIGs to CONFIG_MITIGATION_... HOT 1
- The separation between desktop and server. HOT 3
- skip CONFIG_SCHED_STACK_END_CHECK requirement when CONFIG_VMAP_STACK is set HOT 2
- skip CONFIG_DEBUG_NOTIFIERS requirement when CONFIG_CFI_CLANG is set with CONFIG_CFI_PERMISSIVE disabled HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kernel-hardening-checker.