Comments (15)
If you only want to see the failures, you can use the `-m show_fail` option
from kernel-hardening-checker.
Thanks @frakman1 !
I would propose creating a function colorize_result() and calling it several times to avoid copying the code.
from kernel-hardening-checker.
Done.
#86
from kernel-hardening-checker.
If so, I can make the change and create a PR
from kernel-hardening-checker.
Yes, it would be nice.
Looking forward to your PR.
from kernel-hardening-checker.
Has anyone done this yet?
I made a hacky attempt of this last year before the sysctl support was added. I added different colors for the two sections too:
![image](https://private-user-images.githubusercontent.com/5826484/265083345-e880006a-5f1d-4580-b3e2-dcc0b104b089.png)
I just tried to overlay it onto the latest code but it's too different now. My changes were in `kconfig_hardened_check/__init__.py` but everything has moved since then. Unfortunately, not an easy merge.
from kernel-hardening-checker.
@frakman1 thanks, it looks nice.
Could you give a link to your commit? I'll help to rebase it.
from kernel-hardening-checker.
Thank you @a13xp0p0v.
I just checked and my changes were based on this commit:
* 899752c - (Sun Oct 2 21:45:13 2022 +0300) Also check 'nospectre_v2' with 'spectre_v2' - <Alexander Popov> (HEAD -> master, origin/master, origin/HEAD)
Unfortunately, I never committed it and just stashed it before doing a git pull.

Original File (rename to .py): init.txt

Colored File (rename to .py): init.color.txt

I created a patch file using:

```
git diff --no-index --patch --output=color.diff __init__.py __init__.color.py
```

patch file (optionally rename to .diff): color.txt
from kernel-hardening-checker.
Thanks, I see the approach.
Let's print OK results in green and FAIL results in red.
We need to modify the table_print() method of classes in engine.py.
I would recommend something like that:

- defining ANSI escape sequences at the beginning of the file:

```python
GREEN_COLOR = '\x1b[32m'
RED_COLOR = '\x1b[31m'
COLOR_END = '\x1b[0m'
```

- modify printing methods this way:

```python
if with_results:
    if self.result.startswith('OK'):
        color = GREEN_COLOR
    elif self.result.startswith('FAIL:'):
        color = RED_COLOR
    else:
        assert False, f'unexpected result "{self.result}"'
    colored_result = f'{color}{self.result}{COLOR_END}'
    print(f'| {colored_result}', end='')
```
What do you think?
Would you like to prepare a pull request?
Thanks!
from kernel-hardening-checker.
I would only color OK and FAIL, not the full line.
Besides, I don't know if there aren't more important things a `| grep FAIL` can do.
Maybe it is better to keep the code small, the information is still there whether in color or not.
Anyway hope it looks fancy.
from kernel-hardening-checker.
> What do you think? Would you like to prepare a pull request?
I like it. Thank you for the guidance. I just attempted it and it seems I have to repeat that logic in three places before I could get all the prints.
sample output:
![image](https://private-user-images.githubusercontent.com/5826484/265525308-d098d14f-2e1a-4569-af22-54ef2bc0eecb.png)
Diffs located in my fork here
@a13xp0p0v Let me know if that looks good. If so, I will issue a pull request.
from kernel-hardening-checker.
I've updated the code with your recommendations. See changes here
from kernel-hardening-checker.
I've left some comments. The main point: it's better to leave printing inside of the table_print() method. The colorize_result() function should only return the colored string.
from kernel-hardening-checker.
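The shape the maintainer asks for above, as an added example that is not the project's own code: colorize_result() only returns the string and the caller prints it. It also addresses the `| grep FAIL` concern raised earlier by colouring only when stdout is a terminal; the table_row() helper and the sample results are constructed stand-ins for the real table_print() output.

```python
import re
import sys

# ANSI escape sequences, as proposed in the thread.
GREEN_COLOR = '\x1b[32m'
RED_COLOR = '\x1b[31m'
COLOR_END = '\x1b[0m'

ANSI_RE = re.compile(r'\x1b\[[0-9;]*m')


def colorize_result(result, use_color=None):
    """Return `result` wrapped in green (OK) or red (FAIL) ANSI codes.

    Printing is deliberately left to the caller (table_print()).
    When `use_color` is None, colour is used only if stdout is a
    terminal, so `| grep FAIL` on piped output still matches plain text.
    """
    if use_color is None:
        use_color = sys.stdout.isatty()
    if result.startswith('OK'):
        color = GREEN_COLOR
    elif result.startswith('FAIL:'):
        color = RED_COLOR
    else:
        # Same failure mode as the assert in the proposal, but recoverable.
        raise ValueError(f'unexpected result "{result}"')
    if not use_color:
        return result
    return f'{color}{result}{COLOR_END}'


def strip_ansi(text):
    """Remove ANSI colour codes, e.g. before writing results to a file."""
    return ANSI_RE.sub('', text)


def table_row(name, result, use_color=None):
    """Assumed minimal stand-in for one row of table_print() (not the real format)."""
    return f'| {name:<40}| {colorize_result(result, use_color)}'


if __name__ == '__main__':
    # Constructed sample results in the checker's 'OK' / 'FAIL: ...' style.
    sample = [('CONFIG_VMAP_STACK', 'OK'),
              ('CONFIG_AIO', 'FAIL: "is not set"')]
    for name, result in sample:
        print(table_row(name, result))
```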
Changes applied here
from kernel-hardening-checker.
Good!
Please remove the unneeded whitespaces and send the pull request.
Looking forward to it.
from kernel-hardening-checker.