Comments (6)
Now kconfig-hardened-check supports checking kernel cmdline parameters.
Cool!
```
usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]
                              [-c CONFIG]
                              [-l CMDLINE]
                              [-m {verbose,json,show_ok,show_fail}]

A tool for checking the security hardening options of the Linux kernel

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
                        print security hardening preferences for the selected architecture
  -c CONFIG, --config CONFIG
                        check the kernel kconfig file against these preferences
  -l CMDLINE, --cmdline CMDLINE
                        check the kernel cmdline file against these preferences
  -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
                        choose the report mode
```
from kernel-hardening-checker.
Hi @morfikov, thanks for your ideas.
- I think we can group AMD_IOMMU recommendations with the corresponding ones for Intel using `OR`. That would allow us to avoid incorrect FAIL reports.
- Parsing the kernel command line is a nice feature, it's on my TODO list. Moreover, we can get it from `/proc/cmdline` without additional privileges, which is nice.
I'm going to work on kconfig-hardened-check in the coming days.
If you want to participate, come on, your pull requests will be welcome!
I have always seen this project's scope as a simple kernel config checker, not a running-system audit tool, and I believe in the old Unix mantra "Do One Thing and Do It Well", so I'm skeptical about these additions. Taking `/proc/cmdline` into account would mean the same config would yield different results across systems. Having OR between AMD and Intel features makes it less useful for distros which would want them all.
I think end users are capable of ignoring AMD warnings when they have an Intel CPU and the opposite, and also of being aware of what they added to their cmdline.
Hi @Bernhard40
> Having OR between amd and intel features make it less useful for distros which would want them all.

Hm, you are right. I would agree on that point.
> Taking /proc/cmdline into account would mean same config would yield different result across systems

I would propose a compromise: add a separate flag for checking `/proc/cmdline` (disabled by default).
Is it OK for you?
In fact, I see checking cmdline parameters as a very big improvement.
There are several important cases when checking kernel config is not enough for a correct conclusion about the kernel security.
Examples: `mitigations`, `page_poison`, `init_on_alloc`/`init_on_free` and some others.
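As an added example (not kernel-hardening-checker's own code), the Python below shows how a cmdline check complements the kconfig check for the cases just named: the `.config` fragment and the cmdline string are constructed samples, and the parameter semantics (a boot parameter overriding the `*_DEFAULT_ON` option, `page_poison` needing both the build option and the boot parameter, `mitigations=off` switching the CPU mitigations off regardless of the config) are stated here as assumptions drawn from the kernel's boot-parameter documentation.

```python
# Added example, not kernel-hardening-checker's own code: decide whether a hardening
# feature is really active by combining a kconfig fragment with the kernel command line.
import re

# Constructed sample inputs standing in for a .config file and /proc/cmdline.
SAMPLE_CONFIG = """\
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
CONFIG_PAGE_POISONING=y
"""
SAMPLE_CMDLINE = "root=/dev/sda1 ro quiet mitigations=off init_on_alloc=0 page_poison=1"

def parse_kconfig(text):
    """Map CONFIG_* symbols to their value, or 'is not set' for commented-out ones."""
    pat = re.compile(r'^(?:# )?(CONFIG_\w+)(?:=(.+)| (is not set))$')
    return {m.group(1): m.group(2) or m.group(3)
            for m in map(pat.match, text.splitlines()) if m}

def parse_cmdline(text):
    """Split 'key=value' tokens; a bare flag maps to ''; a repeated key keeps its last value."""
    return dict(tok.partition('=')[::2] for tok in text.split())

def kbool(value):
    """Mimic the kernel's kstrtobool(): 1/y/yes/on -> True, 0/n/no/off -> False, else None."""
    v = value.lower()
    return (True if v[:1] in ('1', 'y') or v == 'on'
            else False if v[:1] in ('0', 'n') or v == 'off' else None)

def effective(opts, params, kconfig, param):
    """A well-formed boot parameter overrides the *_DEFAULT_ON kconfig setting (assumption)."""
    if kbool(params.get(param, '')) is not None:
        return kbool(params[param])
    return opts.get(kconfig) == 'y'

def check(opts, params):
    """Return {feature: True if active} for the cases named in the thread."""
    return {
        'init_on_alloc': effective(opts, params, 'CONFIG_INIT_ON_ALLOC_DEFAULT_ON', 'init_on_alloc'),
        'init_on_free': effective(opts, params, 'CONFIG_INIT_ON_FREE_DEFAULT_ON', 'init_on_free'),
        # page poisoning needs both the build option and the boot parameter switched on
        'page_poison': opts.get('CONFIG_PAGE_POISONING') == 'y'
                       and kbool(params.get('page_poison', '')) is True,
        # mitigations=off disables the CPU vulnerability mitigations whatever the config says
        'mitigations': params.get('mitigations') != 'off',
    }

if __name__ == '__main__':
    for name, ok in check(parse_kconfig(SAMPLE_CONFIG), parse_cmdline(SAMPLE_CMDLINE)).items():
        print(f'{name:14} {"OK" if ok else "FAIL"}')
```

On the sample input the config alone would report `init_on_alloc` as OK, while the cmdline turns it off; that is the kind of false conclusion the thread is about.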
> I would propose a compromise: add a separate flag for checking /proc/cmdline (disabled by default).
> Is it OK for you?

I don't mind if you are ready to maintain it.
> In fact, I see checking cmdline parameters as a very big improvement.
> There are several important cases when checking kernel config is not enough for a correct conclusion about the kernel security.

Yes, but for now checking the kernel config is the only thing this project ever promised (see the readme). Conclusions about kernel security need expanding the project scope, which may be a rabbit hole: if you add cmdline support then sysctl support should be next, etc.
@Bernhard40, I'll do my best.