kernel-hardening-checker:一款针对Linux内核的安全加固工具
关于kernel-hardening-checker
kernel-hardening-checker是一款针对Linux内核的安全加固工具,广大研究人员可以使用该工具检查并实现 Linux 内核安全强化选项。
Linux 内核有很多安全强化选项。其中很多选项在主流发行版中都没有启用。我们必须自己启用这些选项,才能让我们的系统更安全。但很多人并不喜欢手动检查这些选项,kernel-hardening-checker便应运而生。
功能介绍
当前版本的kernel-hardening-checker支持检查下列内容:
1、Kconfig 选项(编译时)
2、内核命令行参数(启动时)
3、Sysctl 参数(运行时)
支持的微架构
1、X86_64
2、X86_32
3、ARM64
4、ARM
工具安装
由于该工具基于Python 3开发,因此我们首先需要在本地设备上安装并配置好最新版本的Python 3环境。
源码获取
广大研究人员可以直接使用下列命令将该项目源码克隆至本地:
git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
然后切换到项目目录中,使用pip命令和项目提供的requirements.txt安装该工具所需的其他依赖组件:
cd kernel-hardening-checker python setup.py
pip安装
pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker
工具使用
usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}] [-c CONFIG] [-l CMDLINE] [-s SYSCTL] [-v KERNEL_VERSION] [-p {X86_64,X86_32,ARM64,ARM}] [-g {X86_64,X86_32,ARM64,ARM}] A tool for checking the security hardening options of the Linux kernel options: -h, --help 显示此帮助消息并退出 --version 显示程序的版本号并退出 -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail} 选择报告模式 -c CONFIG, --config CONFIG 检查内核Kconfig文件中的安全强化选项 -l CMDLINE, --cmdline CMDLINE 检查内核cmdline文件中的安全强化选项 -s SYSCTL, --sysctl SYSCTL 检查sysctl输出文件中的安全强化选项 -v KERNEL_VERSION, --kernel-version KERNEL_VERSION 从内核版本文件中提取版本 -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM} 打印所选微架构的安全强化建议 -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
对于选定的微体系结构使用安全强化选项生成Kconfig代码段
Ubuntu 22.04内核配置的示例输出
$ ./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/ubuntu-22.04.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt [+] Kconfig file to check: kernel_hardening_checker/config_files/distros/ubuntu-22.04.config [+] Kernel cmdline file to check: /proc/cmdline [+] Sysctl output file to check: kernel_hardening_checker/config_files/distros/example_sysctls.txt [+] Detected microarchitecture: X86_64 [+] Detected kernel version: (5, 15, 0) [+] Detected compiler: GCC 110200 ========================================================================================================================= option_name | type |desired_val | decision | reason | check_result ========================================================================================================================= CONFIG_BUG |kconfig| y |defconfig | self_protection | OK CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK CONFIG_STACKPROTECTOR |kconfig| y |defconfig | self_protection | OK CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | OK CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | OK: version >= (5, 4, 208) CONFIG_INIT_STACK_ALL_ZERO |kconfig| y |defconfig | self_protection | FAIL: is not found CONFIG_CPU_MITIGATIONS |kconfig| y |defconfig | self_protection | FAIL: is not found CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK CONFIG_DEBUG_WX |kconfig| y |defconfig | self_protection | OK CONFIG_WERROR |kconfig| y |defconfig | self_protection | FAIL: "is not set" CONFIG_X86_MCE |kconfig| y |defconfig | self_protection | OK CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK CONFIG_MICROCODE_INTEL |kconfig| y |defconfig | self_protection | OK CONFIG_MICROCODE_AMD |kconfig| y |defconfig | self_protection | OK CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK CONFIG_X86_MCE_INTEL |kconfig| y |defconfig | self_protection | OK CONFIG_X86_MCE_AMD |kconfig| y |defconfig | self_protection | OK CONFIG_MITIGATION_RETPOLINE |kconfig| y |defconfig | self_protection | OK: CONFIG_RETPOLINE is "y" CONFIG_MITIGATION_RFDS |kconfig| y |defconfig | self_protection | FAIL: is not found CONFIG_MITIGATION_SPECTRE_BHI |kconfig| y |defconfig | self_protection | FAIL: is not found CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK CONFIG_X86_KERNEL_IBT |kconfig| y |defconfig | self_protection | FAIL: is not found CONFIG_MITIGATION_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK: CONFIG_PAGE_TABLE_ISOLATION is "y" CONFIG_MITIGATION_SRSO |kconfig| y |defconfig | self_protection | FAIL: is not found CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK CONFIG_LIST_HARDENED |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_RANDOM_KMALLOC_CACHES |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | kspp | self_protection | FAIL: "y" CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_VIRTUAL |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | OK CONFIG_STATIC_USERMODEHELPER |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | OK CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | kspp | self_protection | OK CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | kspp | self_protection | OK CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK CONFIG_KFENCE |kconfig| y | kspp | self_protection | OK CONFIG_KFENCE_SAMPLE_INTERVAL |kconfig| 100 | kspp | self_protection | FAIL: "0" CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | OK CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig| is not set | kspp | self_protection | OK CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | kspp | self_protection | OK CONFIG_UBSAN_BOUNDS |kconfig| y | kspp | self_protection | OK CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | kspp | self_protection | OK: CONFIG_UBSAN_BOUNDS is "y" CONFIG_UBSAN_TRAP |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_ENUM is not "is not set" CONFIG_UBSAN_SANITIZE_ALL |kconfig| y | kspp | self_protection | OK CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_STACKLEAK_METRICS |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y" CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y" CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | OK CONFIG_PAGE_TABLE_CHECK |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_PAGE_TABLE_CHECK_ENFORCED |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_CLANG is not "y" CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CC_IS_CLANG is not "y" CONFIG_HW_RANDOM_TPM |kconfig| y | kspp | self_protection | OK CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_IOMMU_DEFAULT_PASSTHROUGH |kconfig| is not set | kspp | self_protection | OK CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | kspp | self_protection | OK CONFIG_MITIGATION_SLS |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_INTEL_IOMMU_SVM |kconfig| y | kspp | self_protection | OK CONFIG_AMD_IOMMU_V2 |kconfig| y | kspp | self_protection | FAIL: "m" CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK CONFIG_SECURITY_LANDLOCK |kconfig| y | kspp | security_policy | OK CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | kspp | security_policy | FAIL: "y" CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | kspp | security_policy | FAIL: "y" CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | kspp | security_policy | OK: is not found CONFIG_SECURITY_SELINUX_DEBUG |kconfig| is not set | kspp | security_policy | OK: is not found CONFIG_SECURITY_SELINUX |kconfig| y |a13xp0p0v | security_policy | OK CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| OK CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y |defconfig |cut_attack_surface| OK CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| OK CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| OK CONFIG_COMPAT_BRK |kconfig| is not set | kspp |cut_attack_surface| OK CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK: is not found CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m" CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m" CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_LEGACY_PTYS |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_COMPAT |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_X86_X32_ABI |kconfig| is not set | kspp |cut_attack_surface| OK: is not found CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: is not found CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m" CONFIG_LEGACY_TIOCSTI |kconfig| is not set | kspp |cut_attack_surface| OK: is not found CONFIG_MODULE_FORCE_LOAD |kconfig| is not set | kspp |cut_attack_surface| OK CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set" CONFIG_LDISC_AUTOLOAD |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_COMPAT_VDSO |kconfig| is not set | kspp |cut_attack_surface| OK CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_attack_surface| OK CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y" CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y" CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m" CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK: is not found CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT |kconfig| is not set |maintainer|cut_attack_surface| OK CONFIG_N_GSM |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m" CONFIG_ZSMALLOC_STAT |kconfig| is not set | grsec |cut_attack_surface| OK CONFIG_DEBUG_KMEMLEAK |kconfig| is not set | grsec |cut_attack_surface| OK CONFIG_BINFMT_AOUT |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_FUNCTION_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_STACK_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_HIST_TRIGGERS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_BLK_DEV_IO_TRACE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_PROC_VMCORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_PROC_PAGE_MONITOR |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_USELIB |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_CHECKPOINT_RESTORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_USERFAULTFD |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_HWPOISON_INJECT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" CONFIG_MEM_SOFT_DIRTY |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_NOTIFIER_ERROR_INJECTION |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" CONFIG_EDAC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK CONFIG_DRM_I915_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK CONFIG_DVB_C8SECTPFE |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_LATENCYTOP |kconfig| is not set | grsec |cut_attack_surface| OK CONFIG_KCOV |kconfig| is not set | grsec |cut_attack_surface| OK CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| OK CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_X86_16BIT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_BLK_DEV_UBLK |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_SMB_SERVER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" CONFIG_XFS_ONLINE_SCRUB_STATS |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_CACHESTAT_SYSCALL |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_PREEMPTIRQ_TRACEPOINTS |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_ENABLE_DEFAULT_TRACERS |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_PROVE_LOCKING |kconfig| is not set | grsec |cut_attack_surface| OK CONFIG_TEST_DEBUG_VIRTUAL |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_MPTCP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_TLS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" CONFIG_TIPC |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" CONFIG_IP_SCTP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" CONFIG_KGDB |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_PTDUMP_DEBUGFS |kconfig| is not set | grsec |cut_attack_surface| OK CONFIG_X86_PTDUMP |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_DEBUG_CLOSURES |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_BCACHE_CLOSURES_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_CRASH_DUMP |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m" CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_AIO |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_MAGIC_SYSRQ_SERIAL |kconfig| is not set |grapheneos|cut_attack_surface| FAIL: "y" CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m" CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y" CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y" CONFIG_MMIOTRACE |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y" CONFIG_LIVEPATCH |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y" CONFIG_IP_DCCP |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m" CONFIG_FTRACE |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y" CONFIG_VIDEO_VIVID |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m" CONFIG_INPUT_EVBUG |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m" CONFIG_CORESIGHT |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK: is not found CONFIG_XFS_SUPPORT_V4 |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y" CONFIG_BLK_DEV_WRITE_MOUNTED |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK: is not found CONFIG_FAULT_INJECTION |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK CONFIG_ARM_PTDUMP_DEBUGFS |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK: is not found CONFIG_ARM_PTDUMP |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK: is not found CONFIG_LKDTM |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK CONFIG_TRIM_UNUSED_KSYMS |kconfig| y |a13xp0p0v |cut_attack_surface| FAIL: "is not set" CONFIG_COREDUMP |kconfig| is not set | clipos | harden_userspace | FAIL: "y" CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 |a13xp0p0v | harden_userspace | FAIL: "28" CONFIG_X86_USER_SHADOW_STACK |kconfig| y | kspp | harden_userspace | FAIL: is not found nosmep |cmdline| is not set |defconfig | self_protection | OK: is not found nosmap |cmdline| is not set |defconfig | self_protection | OK: is not found nokaslr |cmdline| is not set |defconfig | self_protection | OK: is not found nopti |cmdline| is not set |defconfig | self_protection | OK: is not found nospectre_v1 |cmdline| is not set |defconfig | self_protection | OK: is not found nospectre_v2 |cmdline| is not set |defconfig | self_protection | OK: is not found nospectre_bhb |cmdline| is not set |defconfig | self_protection | OK: is not found nospec_store_bypass_disable |cmdline| is not set |defconfig | self_protection | OK: is not found dis_ucode_ldr |cmdline| is not set |defconfig | self_protection | OK: is not found arm64.nobti |cmdline| is not set |defconfig | self_protection | OK: is not found arm64.nopauth |cmdline| is not set |defconfig | self_protection | OK: is not found arm64.nomte |cmdline| is not set |defconfig | self_protection | OK: is not found spectre_v2 |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found spectre_v2_user |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found spectre_bhi |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found spec_store_bypass_disable |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found l1tf |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found mds |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found tsx_async_abort |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found srbds |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found mmio_stale_data |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found retbleed |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found spec_rstack_overflow |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found gather_data_sampling |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found reg_file_data_sampling |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found rodata |cmdline| on |defconfig | self_protection | OK: rodata is not found slab_merge |cmdline| is not set | kspp | self_protection | OK: is not found slub_merge |cmdline| is not set | kspp | self_protection | OK: is not found page_alloc.shuffle |cmdline| 1 | kspp | self_protection | FAIL: is not found cfi |cmdline| kcfi | kspp | self_protection | FAIL: is not found slab_nomerge |cmdline| is present | kspp | self_protection | FAIL: is not present init_on_alloc |cmdline| 1 | kspp | self_protection | OK: CONFIG_INIT_ON_ALLOC_DEFAULT_ON is "y" init_on_free |cmdline| 1 | kspp | self_protection | FAIL: is not found hardened_usercopy |cmdline| 1 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY is "y" slab_common.usercopy_fallback |cmdline| is not set | kspp | self_protection | OK: is not found kfence.sample_interval |cmdline| 100 | kspp | self_protection | FAIL: is not found iommu.strict |cmdline| 1 | kspp | self_protection | FAIL: is not found iommu.passthrough |cmdline| 0 | kspp | self_protection | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set" randomize_kstack_offset |cmdline| 1 | kspp | self_protection | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is "y" mitigations |cmdline| auto,nosmt | kspp | self_protection | FAIL: is not found pti |cmdline| on | kspp | self_protection | FAIL: is not found iommu |cmdline| force | clipos | self_protection | FAIL: is not found tsx |cmdline| off |defconfig |cut_attack_surface| OK: CONFIG_X86_INTEL_TSX_MODE_OFF is "y" nosmt |cmdline| is present | kspp |cut_attack_surface| FAIL: is not present vsyscall |cmdline| none | kspp |cut_attack_surface| FAIL: is not found vdso32 |cmdline| 0 | kspp |cut_attack_surface| OK: CONFIG_COMPAT_VDSO is "is not set" debugfs |cmdline| off | grsec |cut_attack_surface| FAIL: is not found sysrq_always_enabled |cmdline| is not set |grapheneos|cut_attack_surface| OK: is not found bdev_allow_write_mounted |cmdline| 0 |a13xp0p0v |cut_attack_surface| OK: CONFIG_BLK_DEV_WRITE_MOUNTED is not found ia32_emulation |cmdline| 0 |a13xp0p0v |cut_attack_surface| FAIL: is not found norandmaps |cmdline| is not set |defconfig | harden_userspace | OK: is not found net.core.bpf_jit_harden |sysctl | 2 | kspp | self_protection | FAIL: "0" kernel.oops_limit |sysctl | 100 |a13xp0p0v | self_protection | FAIL: is not found kernel.warn_limit |sysctl | 100 |a13xp0p0v | self_protection | FAIL: is not found kernel.dmesg_restrict |sysctl | 1 | kspp |cut_attack_surface| OK kernel.perf_event_paranoid |sysctl | 3 | kspp |cut_attack_surface| FAIL: "4" user.max_user_namespaces |sysctl | 0 | kspp |cut_attack_surface| FAIL: "31231" dev.tty.ldisc_autoload |sysctl | 0 | kspp |cut_attack_surface| FAIL: "1" kernel.kptr_restrict |sysctl | 2 | kspp |cut_attack_surface| FAIL: "1" dev.tty.legacy_tiocsti |sysctl | 0 | kspp |cut_attack_surface| FAIL: is not found kernel.kexec_load_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0" kernel.unprivileged_bpf_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: "2" vm.unprivileged_userfaultfd |sysctl | 0 | kspp |cut_attack_surface| OK kernel.modules_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0" kernel.io_uring_disabled |sysctl | 2 | grsec |cut_attack_surface| FAIL: is not found kernel.sysrq |sysctl | 0 |a13xp0p0v |cut_attack_surface| FAIL: "176" fs.protected_symlinks |sysctl | 1 | kspp | harden_userspace | OK fs.protected_hardlinks |sysctl | 1 | kspp | harden_userspace | OK fs.protected_fifos |sysctl | 2 | kspp | harden_userspace | FAIL: "1" fs.protected_regular |sysctl | 2 | kspp | harden_userspace | OK fs.suid_dumpable |sysctl | 0 | kspp | harden_userspace | FAIL: "2" kernel.randomize_va_space |sysctl | 2 | kspp | harden_userspace | OK kernel.yama.ptrace_scope |sysctl | 3 | kspp | harden_userspace | FAIL: "1" [+] Config check is finished: 'OK' - 135 / 'FAIL' - 158
生成带有安全强化选项的 Kconfig 代码段
通过该-g参数,该工具会生成一个 Kconfig 代码段,其中包含针对所选微架构的安全强化选项。
此 Kconfig 代码段可以与现有的 Linux 内核配置合并:
$ ./bin/kernel-hardening-checker -g X86_64 > /tmp/fragment $ cd ~/linux-src/ $ ./scripts/kconfig/merge_config.sh .config /tmp/fragment Using .config as base Merging /tmp/fragment Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment: Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set New value: CONFIG_BUG_ON_DATA_CORRUPTION=y ...
许可证协议
本项目的开发与发布遵循GPL-3.0开源许可协议。
项目地址
kernel-hardening-checker:【GitHub传送门】
参考资料
https://kspp.github.io/Recommended_Settings
https://docs.clip-os.org/clipos/kernel.html#configuration
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
文章目录