freeBuf
主站

分类

漏洞 工具 极客 Web安全 系统安全 网络安全 无线安全 设备/客户端安全 数据安全 安全管理 企业安全 工控安全

特色

头条 人物志 活动 视频 观点 招聘 报告 资讯 区块链安全 标准与合规 容器安全 公开课

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

kernel-hardening-checker:一款针对Linux内核的安全加固工具
2024-11-13 22:20:32
所属地 广西

关于kernel-hardening-checker

kernel-hardening-checker是一款针对Linux内核的安全加固工具,广大研究人员可以使用该工具检查并实现 Linux 内核安全强化选项。

Linux 内核有很多安全强化选项。其中很多选项在主流发行版中都没有启用。我们必须自己启用这些选项,才能让我们的系统更安全。但很多人并不喜欢手动检查这些选项,kernel-hardening-checker便应运而生。

功能介绍

当前版本的kernel-hardening-checker支持检查下列内容:

1、Kconfig 选项(编译时)

2、内核命令行参数(启动时)

3、Sysctl 参数(运行时)

支持的微架构

1、X86_64

2、X86_32

3、ARM64

4、ARM

工具安装

由于该工具基于Python 3开发,因此我们首先需要在本地设备上安装并配置好最新版本的Python 3环境。

源码获取

广大研究人员可以直接使用下列命令将该项目源码克隆至本地:

git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git

然后切换到项目目录中,使用pip命令和项目提供的requirements.txt安装该工具所需的其他依赖组件:

cd kernel-hardening-checker

python setup.py

pip安装

pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker

工具使用

usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}]

                                [-c CONFIG] [-l CMDLINE] [-s SYSCTL] [-v KERNEL_VERSION]

                                [-p {X86_64,X86_32,ARM64,ARM}]

                                [-g {X86_64,X86_32,ARM64,ARM}]

 

A tool for checking the security hardening options of the Linux kernel

 

options:

  -h, --help            显示此帮助消息并退出

  --version            显示程序的版本号并退出

  -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}

                        选择报告模式

  -c CONFIG, --config CONFIG

                        检查内核Kconfig文件中的安全强化选项

  -l CMDLINE, --cmdline CMDLINE

                        检查内核cmdline文件中的安全强化选项

  -s SYSCTL, --sysctl SYSCTL

                        检查sysctl输出文件中的安全强化选项

  -v KERNEL_VERSION, --kernel-version KERNEL_VERSION

                        从内核版本文件中提取版本

  -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}

                        打印所选微架构的安全强化建议

  -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}            

对于选定的微体系结构使用安全强化选项生成Kconfig代码段

Ubuntu 22.04内核配置的示例输出

$ ./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/ubuntu-22.04.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt

[+] Kconfig file to check: kernel_hardening_checker/config_files/distros/ubuntu-22.04.config

[+] Kernel cmdline file to check: /proc/cmdline

[+] Sysctl output file to check: kernel_hardening_checker/config_files/distros/example_sysctls.txt

[+] Detected microarchitecture: X86_64

[+] Detected kernel version: (5, 15, 0)

[+] Detected compiler: GCC 110200

=========================================================================================================================

              option_name               | type  |desired_val | decision |      reason      | check_result

=========================================================================================================================

CONFIG_BUG                              |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_SLUB_DEBUG                       |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_THREAD_INFO_IN_TASK              |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_IOMMU_SUPPORT                    |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_STACKPROTECTOR                   |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_STACKPROTECTOR_STRONG            |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_STRICT_KERNEL_RWX                |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_STRICT_MODULE_RWX                |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_REFCOUNT_FULL                    |kconfig|     y      |defconfig | self_protection  | OK: version >= (5, 4, 208)

CONFIG_INIT_STACK_ALL_ZERO              |kconfig|     y      |defconfig | self_protection  | FAIL: is not found

CONFIG_CPU_MITIGATIONS                  |kconfig|     y      |defconfig | self_protection  | FAIL: is not found

CONFIG_RANDOMIZE_BASE                   |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_VMAP_STACK                       |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_DEBUG_WX                         |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_WERROR                           |kconfig|     y      |defconfig | self_protection  | FAIL: "is not set"

CONFIG_X86_MCE                          |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_SYN_COOKIES                      |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_MICROCODE                        |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_MICROCODE_INTEL                  |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_MICROCODE_AMD                    |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_X86_SMAP                         |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_X86_UMIP                         |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_X86_MCE_INTEL                    |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_X86_MCE_AMD                      |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_MITIGATION_RETPOLINE             |kconfig|     y      |defconfig | self_protection  | OK: CONFIG_RETPOLINE is "y"

CONFIG_MITIGATION_RFDS                  |kconfig|     y      |defconfig | self_protection  | FAIL: is not found

CONFIG_MITIGATION_SPECTRE_BHI           |kconfig|     y      |defconfig | self_protection  | FAIL: is not found

CONFIG_RANDOMIZE_MEMORY                 |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_X86_KERNEL_IBT                   |kconfig|     y      |defconfig | self_protection  | FAIL: is not found

CONFIG_MITIGATION_PAGE_TABLE_ISOLATION  |kconfig|     y      |defconfig | self_protection  | OK: CONFIG_PAGE_TABLE_ISOLATION is "y"

CONFIG_MITIGATION_SRSO                  |kconfig|     y      |defconfig | self_protection  | FAIL: is not found

CONFIG_INTEL_IOMMU                      |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_AMD_IOMMU                        |kconfig|     y      |defconfig | self_protection  | OK

CONFIG_LIST_HARDENED                    |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found

CONFIG_RANDOM_KMALLOC_CACHES            |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found

CONFIG_SLAB_MERGE_DEFAULT               |kconfig| is not set |   kspp   | self_protection  | FAIL: "y"

CONFIG_BUG_ON_DATA_CORRUPTION           |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_SLAB_FREELIST_HARDENED           |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_SLAB_FREELIST_RANDOM             |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_SHUFFLE_PAGE_ALLOCATOR           |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_FORTIFY_SOURCE                   |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_DEBUG_LIST                       |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_DEBUG_VIRTUAL                    |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_DEBUG_SG                         |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_INIT_ON_ALLOC_DEFAULT_ON         |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_STATIC_USERMODEHELPER            |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_SCHED_CORE                       |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_SECURITY_LOCKDOWN_LSM            |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_SECURITY_LOCKDOWN_LSM_EARLY      |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_DEBUG_CREDENTIALS                |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_DEBUG_NOTIFIERS                  |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_SCHED_STACK_END_CHECK            |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_KFENCE                           |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_KFENCE_SAMPLE_INTERVAL           |kconfig|    100     |   kspp   | self_protection  | FAIL: "0"

CONFIG_RANDSTRUCT_FULL                  |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found

CONFIG_HARDENED_USERCOPY                |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_HARDENED_USERCOPY_FALLBACK       |kconfig| is not set |   kspp   | self_protection  | OK

CONFIG_HARDENED_USERCOPY_PAGESPAN       |kconfig| is not set |   kspp   | self_protection  | OK

CONFIG_GCC_PLUGIN_LATENT_ENTROPY        |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found

CONFIG_MODULE_SIG                       |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_MODULE_SIG_ALL                   |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_MODULE_SIG_SHA512                |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_MODULE_SIG_FORCE                 |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_INIT_ON_FREE_DEFAULT_ON          |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_EFI_DISABLE_PCI_DMA              |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_RESET_ATTACK_MITIGATION          |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_UBSAN_BOUNDS                     |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_UBSAN_LOCAL_BOUNDS               |kconfig|     y      |   kspp   | self_protection  | OK: CONFIG_UBSAN_BOUNDS is "y"

CONFIG_UBSAN_TRAP                       |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_UBSAN_ENUM is not "is not set"

CONFIG_UBSAN_SANITIZE_ALL               |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_GCC_PLUGIN_STACKLEAK             |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found

CONFIG_STACKLEAK_METRICS                |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"

CONFIG_STACKLEAK_RUNTIME_DISABLE        |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"

CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT  |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_PAGE_TABLE_CHECK                 |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found

CONFIG_PAGE_TABLE_CHECK_ENFORCED        |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found

CONFIG_CFI_CLANG                        |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_CC_IS_CLANG is not "y"

CONFIG_CFI_PERMISSIVE                   |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_CC_IS_CLANG is not "y"

CONFIG_HW_RANDOM_TPM                    |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_DEFAULT_MMAP_MIN_ADDR            |kconfig|   65536    |   kspp   | self_protection  | OK

CONFIG_IOMMU_DEFAULT_DMA_STRICT         |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"

CONFIG_IOMMU_DEFAULT_PASSTHROUGH        |kconfig| is not set |   kspp   | self_protection  | OK

CONFIG_INTEL_IOMMU_DEFAULT_ON           |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_MITIGATION_SLS                   |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found

CONFIG_INTEL_IOMMU_SVM                  |kconfig|     y      |   kspp   | self_protection  | OK

CONFIG_AMD_IOMMU_V2                     |kconfig|     y      |   kspp   | self_protection  | FAIL: "m"

CONFIG_SECURITY                         |kconfig|     y      |defconfig | security_policy  | OK

CONFIG_SECURITY_YAMA                    |kconfig|     y      |   kspp   | security_policy  | OK

CONFIG_SECURITY_LANDLOCK                |kconfig|     y      |   kspp   | security_policy  | OK

CONFIG_SECURITY_SELINUX_DISABLE         |kconfig| is not set |   kspp   | security_policy  | OK

CONFIG_SECURITY_SELINUX_BOOTPARAM       |kconfig| is not set |   kspp   | security_policy  | FAIL: "y"

CONFIG_SECURITY_SELINUX_DEVELOP         |kconfig| is not set |   kspp   | security_policy  | FAIL: "y"

CONFIG_SECURITY_WRITABLE_HOOKS          |kconfig| is not set |   kspp   | security_policy  | OK: is not found

CONFIG_SECURITY_SELINUX_DEBUG           |kconfig| is not set |   kspp   | security_policy  | OK: is not found

CONFIG_SECURITY_SELINUX                 |kconfig|     y      |a13xp0p0v | security_policy  | OK

CONFIG_SECCOMP                          |kconfig|     y      |defconfig |cut_attack_surface| OK

CONFIG_SECCOMP_FILTER                   |kconfig|     y      |defconfig |cut_attack_surface| OK

CONFIG_BPF_UNPRIV_DEFAULT_OFF           |kconfig|     y      |defconfig |cut_attack_surface| OK

CONFIG_STRICT_DEVMEM                    |kconfig|     y      |defconfig |cut_attack_surface| OK

CONFIG_X86_INTEL_TSX_MODE_OFF           |kconfig|     y      |defconfig |cut_attack_surface| OK

CONFIG_SECURITY_DMESG_RESTRICT          |kconfig|     y      |   kspp   |cut_attack_surface| OK

CONFIG_ACPI_CUSTOM_METHOD               |kconfig| is not set |   kspp   |cut_attack_surface| OK

CONFIG_COMPAT_BRK                       |kconfig| is not set |   kspp   |cut_attack_surface| OK

CONFIG_DEVKMEM                          |kconfig| is not set |   kspp   |cut_attack_surface| OK: is not found

CONFIG_BINFMT_MISC                      |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "m"

CONFIG_INET_DIAG                        |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "m"

CONFIG_KEXEC                            |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_PROC_KCORE                       |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_LEGACY_PTYS                      |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_HIBERNATION                      |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_COMPAT                           |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_IA32_EMULATION                   |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_X86_X32                          |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_X86_X32_ABI                      |kconfig| is not set |   kspp   |cut_attack_surface| OK: is not found

CONFIG_MODIFY_LDT_SYSCALL               |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_OABI_COMPAT                      |kconfig| is not set |   kspp   |cut_attack_surface| OK: is not found

CONFIG_X86_MSR                          |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "m"

CONFIG_LEGACY_TIOCSTI                   |kconfig| is not set |   kspp   |cut_attack_surface| OK: is not found

CONFIG_MODULE_FORCE_LOAD                |kconfig| is not set |   kspp   |cut_attack_surface| OK

CONFIG_MODULES                          |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_DEVMEM                           |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_IO_STRICT_DEVMEM                 |kconfig|     y      |   kspp   |cut_attack_surface| FAIL: "is not set"

CONFIG_LDISC_AUTOLOAD                   |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_X86_VSYSCALL_EMULATION           |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"

CONFIG_COMPAT_VDSO                      |kconfig| is not set |   kspp   |cut_attack_surface| OK

CONFIG_DRM_LEGACY                       |kconfig| is not set |maintainer|cut_attack_surface| OK

CONFIG_FB                               |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"

CONFIG_VT                               |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"

CONFIG_BLK_DEV_FD                       |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"

CONFIG_BLK_DEV_FD_RAWCMD                |kconfig| is not set |maintainer|cut_attack_surface| OK: is not found

CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT       |kconfig| is not set |maintainer|cut_attack_surface| OK

CONFIG_N_GSM                            |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"

CONFIG_ZSMALLOC_STAT                    |kconfig| is not set |  grsec   |cut_attack_surface| OK

CONFIG_DEBUG_KMEMLEAK                   |kconfig| is not set |  grsec   |cut_attack_surface| OK

CONFIG_BINFMT_AOUT                      |kconfig| is not set |  grsec   |cut_attack_surface| OK: is not found

CONFIG_KPROBE_EVENTS                    |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_UPROBE_EVENTS                    |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_GENERIC_TRACER                   |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_FUNCTION_TRACER                  |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_STACK_TRACER                     |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_HIST_TRIGGERS                    |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_BLK_DEV_IO_TRACE                 |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_PROC_VMCORE                      |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_PROC_PAGE_MONITOR                |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_USELIB                           |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_CHECKPOINT_RESTORE               |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_USERFAULTFD                      |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_HWPOISON_INJECT                  |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"

CONFIG_MEM_SOFT_DIRTY                   |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_DEVPORT                          |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_DEBUG_FS                         |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_NOTIFIER_ERROR_INJECTION         |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"

CONFIG_FAIL_FUTEX                       |kconfig| is not set |  grsec   |cut_attack_surface| OK: is not found

CONFIG_PUNIT_ATOM_DEBUG                 |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"

CONFIG_ACPI_CONFIGFS                    |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"

CONFIG_EDAC_DEBUG                       |kconfig| is not set |  grsec   |cut_attack_surface| OK

CONFIG_DRM_I915_DEBUG                   |kconfig| is not set |  grsec   |cut_attack_surface| OK

CONFIG_DVB_C8SECTPFE                    |kconfig| is not set |  grsec   |cut_attack_surface| OK: is not found

CONFIG_MTD_SLRAM                        |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"

CONFIG_MTD_PHRAM                        |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"

CONFIG_IO_URING                         |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_KCMP                             |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_RSEQ                             |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_LATENCYTOP                       |kconfig| is not set |  grsec   |cut_attack_surface| OK

CONFIG_KCOV                             |kconfig| is not set |  grsec   |cut_attack_surface| OK

CONFIG_PROVIDE_OHCI1394_DMA_INIT        |kconfig| is not set |  grsec   |cut_attack_surface| OK

CONFIG_SUNRPC_DEBUG                     |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_X86_16BIT                        |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_BLK_DEV_UBLK                     |kconfig| is not set |  grsec   |cut_attack_surface| OK: is not found

CONFIG_SMB_SERVER                       |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"

CONFIG_XFS_ONLINE_SCRUB_STATS           |kconfig| is not set |  grsec   |cut_attack_surface| OK: is not found

CONFIG_CACHESTAT_SYSCALL                |kconfig| is not set |  grsec   |cut_attack_surface| OK: is not found

CONFIG_PREEMPTIRQ_TRACEPOINTS           |kconfig| is not set |  grsec   |cut_attack_surface| OK: is not found

CONFIG_ENABLE_DEFAULT_TRACERS           |kconfig| is not set |  grsec   |cut_attack_surface| OK: is not found

CONFIG_PROVE_LOCKING                    |kconfig| is not set |  grsec   |cut_attack_surface| OK

CONFIG_TEST_DEBUG_VIRTUAL               |kconfig| is not set |  grsec   |cut_attack_surface| OK: is not found

CONFIG_MPTCP                            |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_TLS                              |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"

CONFIG_TIPC                             |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"

CONFIG_IP_SCTP                          |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"

CONFIG_KGDB                             |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"

CONFIG_PTDUMP_DEBUGFS                   |kconfig| is not set |  grsec   |cut_attack_surface| OK

CONFIG_X86_PTDUMP                       |kconfig| is not set |  grsec   |cut_attack_surface| OK: is not found

CONFIG_DEBUG_CLOSURES                   |kconfig| is not set |  grsec   |cut_attack_surface| OK: is not found

CONFIG_BCACHE_CLOSURES_DEBUG            |kconfig| is not set |  grsec   |cut_attack_surface| OK

CONFIG_STAGING                          |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

CONFIG_KSM                              |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

CONFIG_KALLSYMS                         |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

CONFIG_KEXEC_FILE                       |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

CONFIG_CRASH_DUMP                       |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

CONFIG_USER_NS                          |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

CONFIG_X86_CPUID                        |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "m"

CONFIG_X86_IOPL_IOPERM                  |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

CONFIG_ACPI_TABLE_UPGRADE               |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

CONFIG_EFI_CUSTOM_SSDT_OVERLAYS         |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

CONFIG_AIO                              |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

CONFIG_MAGIC_SYSRQ                      |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

CONFIG_MAGIC_SYSRQ_SERIAL               |kconfig| is not set |grapheneos|cut_attack_surface| FAIL: "y"

CONFIG_EFI_TEST                         |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m"

CONFIG_MMIOTRACE_TEST                   |kconfig| is not set | lockdown |cut_attack_surface| OK

CONFIG_KPROBES                          |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"

CONFIG_BPF_SYSCALL                      |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"

CONFIG_MMIOTRACE                        |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"

CONFIG_LIVEPATCH                        |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"

CONFIG_IP_DCCP                          |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"

CONFIG_FTRACE                           |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"

CONFIG_VIDEO_VIVID                      |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"

CONFIG_INPUT_EVBUG                      |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"

CONFIG_CORESIGHT                        |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK: is not found

CONFIG_XFS_SUPPORT_V4                   |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"

CONFIG_BLK_DEV_WRITE_MOUNTED            |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK: is not found

CONFIG_FAULT_INJECTION                  |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK

CONFIG_ARM_PTDUMP_DEBUGFS               |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK: is not found

CONFIG_ARM_PTDUMP                       |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK: is not found

CONFIG_LKDTM                            |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK

CONFIG_TRIM_UNUSED_KSYMS                |kconfig|     y      |a13xp0p0v |cut_attack_surface| FAIL: "is not set"

CONFIG_COREDUMP                         |kconfig| is not set |  clipos  | harden_userspace | FAIL: "y"

CONFIG_ARCH_MMAP_RND_BITS               |kconfig|     32     |a13xp0p0v | harden_userspace | FAIL: "28"

CONFIG_X86_USER_SHADOW_STACK            |kconfig|     y      |   kspp   | harden_userspace | FAIL: is not found

nosmep                                  |cmdline| is not set |defconfig | self_protection  | OK: is not found

nosmap                                  |cmdline| is not set |defconfig | self_protection  | OK: is not found

nokaslr                                 |cmdline| is not set |defconfig | self_protection  | OK: is not found

nopti                                   |cmdline| is not set |defconfig | self_protection  | OK: is not found

nospectre_v1                            |cmdline| is not set |defconfig | self_protection  | OK: is not found

nospectre_v2                            |cmdline| is not set |defconfig | self_protection  | OK: is not found

nospectre_bhb                           |cmdline| is not set |defconfig | self_protection  | OK: is not found

nospec_store_bypass_disable             |cmdline| is not set |defconfig | self_protection  | OK: is not found

dis_ucode_ldr                           |cmdline| is not set |defconfig | self_protection  | OK: is not found

arm64.nobti                             |cmdline| is not set |defconfig | self_protection  | OK: is not found

arm64.nopauth                           |cmdline| is not set |defconfig | self_protection  | OK: is not found

arm64.nomte                             |cmdline| is not set |defconfig | self_protection  | OK: is not found

spectre_v2                              |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

spectre_v2_user                         |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

spectre_bhi                             |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

spec_store_bypass_disable               |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

l1tf                                    |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

mds                                     |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

tsx_async_abort                         |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

srbds                                   |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

mmio_stale_data                         |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

retbleed                                |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

spec_rstack_overflow                    |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

gather_data_sampling                    |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

reg_file_data_sampling                  |cmdline| is not off |defconfig | self_protection  | FAIL: is off, not found

rodata                                  |cmdline|     on     |defconfig | self_protection  | OK: rodata is not found

slab_merge                              |cmdline| is not set |   kspp   | self_protection  | OK: is not found

slub_merge                              |cmdline| is not set |   kspp   | self_protection  | OK: is not found

page_alloc.shuffle                      |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found

cfi                                     |cmdline|    kcfi    |   kspp   | self_protection  | FAIL: is not found

slab_nomerge                            |cmdline| is present |   kspp   | self_protection  | FAIL: is not present

init_on_alloc                           |cmdline|     1      |   kspp   | self_protection  | OK: CONFIG_INIT_ON_ALLOC_DEFAULT_ON is "y"

init_on_free                            |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found

hardened_usercopy                       |cmdline|     1      |   kspp   | self_protection  | OK: CONFIG_HARDENED_USERCOPY is "y"

slab_common.usercopy_fallback           |cmdline| is not set |   kspp   | self_protection  | OK: is not found

kfence.sample_interval                  |cmdline|    100     |   kspp   | self_protection  | FAIL: is not found

iommu.strict                            |cmdline|     1      |   kspp   | self_protection  | FAIL: is not found

iommu.passthrough                       |cmdline|     0      |   kspp   | self_protection  | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set"

randomize_kstack_offset                 |cmdline|     1      |   kspp   | self_protection  | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is "y"

mitigations                             |cmdline| auto,nosmt |   kspp   | self_protection  | FAIL: is not found

pti                                     |cmdline|     on     |   kspp   | self_protection  | FAIL: is not found

iommu                                   |cmdline|   force    |  clipos  | self_protection  | FAIL: is not found

tsx                                     |cmdline|    off     |defconfig |cut_attack_surface| OK: CONFIG_X86_INTEL_TSX_MODE_OFF is "y"

nosmt                                   |cmdline| is present |   kspp   |cut_attack_surface| FAIL: is not present

vsyscall                                |cmdline|    none    |   kspp   |cut_attack_surface| FAIL: is not found

vdso32                                  |cmdline|     0      |   kspp   |cut_attack_surface| OK: CONFIG_COMPAT_VDSO is "is not set"

debugfs                                 |cmdline|    off     |  grsec   |cut_attack_surface| FAIL: is not found

sysrq_always_enabled                    |cmdline| is not set |grapheneos|cut_attack_surface| OK: is not found

bdev_allow_write_mounted                |cmdline|     0      |a13xp0p0v |cut_attack_surface| OK: CONFIG_BLK_DEV_WRITE_MOUNTED is not found

ia32_emulation                          |cmdline|     0      |a13xp0p0v |cut_attack_surface| FAIL: is not found

norandmaps                              |cmdline| is not set |defconfig | harden_userspace | OK: is not found

net.core.bpf_jit_harden                 |sysctl |     2      |   kspp   | self_protection  | FAIL: "0"

kernel.oops_limit                       |sysctl |    100     |a13xp0p0v | self_protection  | FAIL: is not found

kernel.warn_limit                       |sysctl |    100     |a13xp0p0v | self_protection  | FAIL: is not found

kernel.dmesg_restrict                   |sysctl |     1      |   kspp   |cut_attack_surface| OK

kernel.perf_event_paranoid              |sysctl |     3      |   kspp   |cut_attack_surface| FAIL: "4"

user.max_user_namespaces                |sysctl |     0      |   kspp   |cut_attack_surface| FAIL: "31231"

dev.tty.ldisc_autoload                  |sysctl |     0      |   kspp   |cut_attack_surface| FAIL: "1"

kernel.kptr_restrict                    |sysctl |     2      |   kspp   |cut_attack_surface| FAIL: "1"

dev.tty.legacy_tiocsti                  |sysctl |     0      |   kspp   |cut_attack_surface| FAIL: is not found

kernel.kexec_load_disabled              |sysctl |     1      |   kspp   |cut_attack_surface| FAIL: "0"

kernel.unprivileged_bpf_disabled        |sysctl |     1      |   kspp   |cut_attack_surface| FAIL: "2"

vm.unprivileged_userfaultfd             |sysctl |     0      |   kspp   |cut_attack_surface| OK

kernel.modules_disabled                 |sysctl |     1      |   kspp   |cut_attack_surface| FAIL: "0"

kernel.io_uring_disabled                |sysctl |     2      |  grsec   |cut_attack_surface| FAIL: is not found

kernel.sysrq                            |sysctl |     0      |a13xp0p0v |cut_attack_surface| FAIL: "176"

fs.protected_symlinks                   |sysctl |     1      |   kspp   | harden_userspace | OK

fs.protected_hardlinks                  |sysctl |     1      |   kspp   | harden_userspace | OK

fs.protected_fifos                      |sysctl |     2      |   kspp   | harden_userspace | FAIL: "1"

fs.protected_regular                    |sysctl |     2      |   kspp   | harden_userspace | OK

fs.suid_dumpable                        |sysctl |     0      |   kspp   | harden_userspace | FAIL: "2"

kernel.randomize_va_space               |sysctl |     2      |   kspp   | harden_userspace | OK

kernel.yama.ptrace_scope                |sysctl |     3      |   kspp   | harden_userspace | FAIL: "1"

 

[+] Config check is finished: 'OK' - 135 / 'FAIL' - 158

生成带有安全强化选项的 Kconfig 代码段

通过该-g参数,该工具会生成一个 Kconfig 代码段,其中包含针对所选微架构的安全强化选项。

此 Kconfig 代码段可以与现有的 Linux 内核配置合并:

$ ./bin/kernel-hardening-checker -g X86_64 > /tmp/fragment

$ cd ~/linux-src/

$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment

Using .config as base

Merging /tmp/fragment

Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:

Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set

New value: CONFIG_BUG_ON_DATA_CORRUPTION=y

 ...

许可证协议

本项目的开发与发布遵循GPL-3.0开源许可协议。

项目地址

kernel-hardening-checker:【GitHub传送门

参考资料

https://kspp.github.io/Recommended_Settings

https://grsecurity.net/

https://docs.clip-os.org/clipos/kernel.html#configuration

https://grapheneos.org/features

https://lwn.net/Articles/791863/

# linux安全 # linux安全加固 # Linux内核 # Linux 安全运维
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
  • 0 文章数
  • 0 关注者
文章目录