-# kconfig-hardened-check
+# kernel-hardening-checker
-
-[](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
+__(formerly kconfig-hardened-check)__<br /><br />
+[](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/functional_test.yml)
+[](https://app.codecov.io/gh/a13xp0p0v/kernel-hardening-checker?flags%5B0%5D=functional_test)<br />
+[](https://github.com/a13xp0p0v/kernel-hardening-checker/actions/workflows/engine_unit-test.yml)
+[](https://app.codecov.io/gh/a13xp0p0v/kernel-hardening-checker?flags%5B0%5D=engine_unit-test)<br />
+[](https://github.com/a13xp0p0v/kernel-hardening-checker/tags)
## Motivation
-There are plenty of security hardening options in the Linux kernel. A lot of them are
+There are plenty of security hardening options for the Linux kernel. A lot of them are
not enabled by the major distros. We have to enable these options ourselves to
make our systems more secure.
But nobody likes checking configs manually. So let the computers do their job!
-__kconfig-hardened-check.py__ helps me to check the Linux kernel Kconfig option list
-against my security hardening preferences, which are based on the
+__kernel-hardening-checker__ (formerly __kconfig-hardened-check__) is a tool for checking the security hardening options of the Linux kernel. It supports checking:
- - [KSPP recommended settings][1],
- - [CLIP OS kernel configuration][2],
- - Last public [grsecurity][3] patch (options which they disable),
- - [SECURITY_LOCKDOWN_LSM][5] patchset,
- - Direct feedback from Linux kernel maintainers (see [#38][6], [#53][15], [#54][16]).
+ - Kconfig options (compile-time)
+ - Kernel cmdline arguments (boot-time)
+ - Sysctl parameters (runtime)
-I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the
+The security hardening recommendations are based on:
+
+ - [KSPP recommended settings][1]
+ - [CLIP OS kernel configuration][2]
+ - Last public [grsecurity][3] patch (options which they disable)
+ - [SECURITY_LOCKDOWN_LSM][5] patchset
+ - [Direct feedback from the Linux kernel maintainers][23]
+
+I also created the [__Linux Kernel Defence Map__][4], which is a graphical representation of the
relationships between security hardening features and the corresponding vulnerability classes
or exploitation techniques.
+__Attention!__ Changing Linux kernel security parameters may also affect system performance
+and functionality of userspace software. So for choosing these parameters, consider
+the threat model of your Linux-based information system and perform thorough testing
+of its typical workload.
+
+## Repositories
+
+ - Main at GitHub <https://github.com/a13xp0p0v/kernel-hardening-checker>
+ - Mirror at Codeberg: <https://codeberg.org/a13xp0p0v/kernel-hardening-checker>
+ - Mirror at GitFlic: <https://gitflic.ru/project/a13xp0p0v/kernel-hardening-checker>
+
## Supported microarchitectures
- X86_64
- ARM64
- ARM
-TODO: RISC-V
+TODO: RISC-V (issue [#56][22])
## Installation
You can install the package:
```
-pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check
+pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker
```
-or simply run `./bin/kconfig-hardened-check` from the cloned repository.
+or simply run `./bin/kernel-hardening-checker` from the cloned repository.
-Some Linux distributions also provide `kconfig-hardened-check` as a package.
+Some Linux distributions also provide `kernel-hardening-checker` as a package.
## Usage
```
-usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]
- [-c CONFIG]
- [-m {verbose,json,show_ok,show_fail}]
+usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
+ [-c CONFIG] [-l CMDLINE] [-s SYSCTL] [-v KERNEL_VERSION]
+ [-p {X86_64,X86_32,ARM64,ARM}]
+ [-g {X86_64,X86_32,ARM64,ARM}]
A tool for checking the security hardening options of the Linux kernel
-optional arguments:
+options:
-h, --help show this help message and exit
--version show program's version number and exit
- -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
- print security hardening preferences for the selected architecture
- -c CONFIG, --config CONFIG
- check the kernel config file against these preferences
-m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
choose the report mode
+ -c CONFIG, --config CONFIG
+ check the security hardening options in the kernel Kconfig file
+ (also supports *.gz files)
+ -l CMDLINE, --cmdline CMDLINE
+ check the security hardening options in the kernel cmdline file
+ (contents of /proc/cmdline)
+ -s SYSCTL, --sysctl SYSCTL
+ check the security hardening options in the sysctl output file
+ (`sudo sysctl -a > file`)
+ -v KERNEL_VERSION, --kernel-version KERNEL_VERSION
+ extract the version from the kernel version file (contents of
+ /proc/version)
+ -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
+ print the security hardening recommendations for the selected
+ microarchitecture
+ -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
+ generate a Kconfig fragment with the security hardening options
+ for the selected microarchitecture
```
## Output modes
```
-------------------------------------------------------------------------------------------
<<< OR >>>
-CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface
-CONFIG_DEVMEM | is not set | kspp | cut_attack_surface
+CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface
+CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface
-------------------------------------------------------------------------------------------
```
- `-m show_fail` for showing only the failed checks
- `-m show_ok` for showing only the successful checks
- - `-m json` for printing the results in JSON format (for combining `kconfig-hardened-check` with other tools)
+ - `-m json` for printing the results in JSON format (for combining `kernel-hardening-checker` with other tools)
-## Example output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config
+## Example output for `Ubuntu 22.04` kernel configuration
```
-$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config
-[+] Kconfig file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config
-[+] Detected architecture: X86_64
-[+] Detected kernel version: 5.4
+$ ./bin/kernel-hardening-checker -c kernel_hardening_checker/config_files/distros/ubuntu-22.04.config -l /proc/cmdline -s kernel_hardening_checker/config_files/distros/example_sysctls.txt
+[+] Kconfig file to check: kernel_hardening_checker/config_files/distros/ubuntu-22.04.config
+[+] Kernel cmdline file to check: /proc/cmdline
+[+] Sysctl output file to check: kernel_hardening_checker/config_files/distros/example_sysctls.txt
+[+] Detected microarchitecture: X86_64
+[+] Detected kernel version: (5, 15, 0)
+[+] Detected compiler: GCC 110200
=========================================================================================================================
- option name | type |desired val | decision | reason | check result
+ option_name | type |desired_val | decision | reason | check_result
=========================================================================================================================
CONFIG_BUG |kconfig| y |defconfig | self_protection | OK
CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK
-CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: not found
+CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK
+CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK
CONFIG_STACKPROTECTOR |kconfig| y |defconfig | self_protection | OK
CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | OK
CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK
CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK
-CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | FAIL: "is not set"
-CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK
-CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK
+CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | OK: version >= (5, 4, 208)
+CONFIG_INIT_STACK_ALL_ZERO |kconfig| y |defconfig | self_protection | FAIL: is not found
CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK
CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK
-CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK
+CONFIG_SPECULATION_MITIGATIONS |kconfig| y |defconfig | self_protection | FAIL: is not found
+CONFIG_DEBUG_WX |kconfig| y |defconfig | self_protection | OK
+CONFIG_WERROR |kconfig| y |defconfig | self_protection | FAIL: "is not set"
+CONFIG_X86_MCE |kconfig| y |defconfig | self_protection | OK
+CONFIG_X86_MCE_INTEL |kconfig| y |defconfig | self_protection | OK
+CONFIG_X86_MCE_AMD |kconfig| y |defconfig | self_protection | OK
CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK
-CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK
CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK
-CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK: CONFIG_X86_INTEL_UMIP "y"
+CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK
+CONFIG_MICROCODE_INTEL |kconfig| y |defconfig | self_protection | OK
+CONFIG_MICROCODE_AMD |kconfig| y |defconfig | self_protection | OK
+CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK
+CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK
CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK
+CONFIG_X86_KERNEL_IBT |kconfig| y |defconfig | self_protection | FAIL: is not found
+CONFIG_CPU_SRSO |kconfig| y |defconfig | self_protection | FAIL: is not found
CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK
CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK
-CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | FAIL: "is not set"
-CONFIG_DEBUG_WX |kconfig| y | kspp | self_protection | OK
-CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK
CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK
CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK
CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK
CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK
CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | FAIL: "is not set"
+CONFIG_DEBUG_VIRTUAL |kconfig| y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set"
+CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | OK
+CONFIG_STATIC_USERMODEHELPER |kconfig| y | kspp | self_protection | FAIL: "is not set"
+CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | OK
+CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | kspp | self_protection | OK
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | kspp | self_protection | OK
+CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set"
-CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | OK
-CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: not found
-CONFIG_KFENCE |kconfig| y | kspp | self_protection | FAIL: not found
-CONFIG_WERROR |kconfig| y | kspp | self_protection | FAIL: not found
-CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: not found
-CONFIG_ZERO_CALL_USED_REGS |kconfig| y | kspp | self_protection | FAIL: not found
-CONFIG_GCC_PLUGIN_RANDSTRUCT |kconfig| y | kspp | self_protection | FAIL: not found
+CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK
+CONFIG_KFENCE |kconfig| y | kspp | self_protection | OK
+CONFIG_KFENCE_SAMPLE_INTERVAL |kconfig| is not off |a13xp0p0v | self_protection | FAIL: is off, "0"
+CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: is not found
+CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK
-CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | FAIL: "y"
+CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig| is not set | kspp | self_protection | OK
+CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: is not found
CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK
CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK
CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK
CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set"
-CONFIG_INIT_STACK_ALL_ZERO |kconfig| y | kspp | self_protection | FAIL: not found
-CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y"
-CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: not found
-CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | FAIL: not found
-CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | FAIL: not found
+CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
+CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | kspp | self_protection | FAIL: "is not set"
+CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | kspp | self_protection | OK
+CONFIG_UBSAN_BOUNDS |kconfig| y | kspp | self_protection | OK
+CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | kspp | self_protection | OK: CONFIG_UBSAN_BOUNDS is "y"
+CONFIG_UBSAN_TRAP |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_ENUM is not "is not set"
+CONFIG_UBSAN_SANITIZE_ALL |kconfig| y | kspp | self_protection | OK
+CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: is not found
+CONFIG_STACKLEAK_METRICS |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
+CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | OK
+CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_CLANG is not "y"
+CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CC_IS_CLANG is not "y"
+CONFIG_HW_RANDOM_TPM |kconfig| y | kspp | self_protection | OK
CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK
-CONFIG_UBSAN_BOUNDS |kconfig| y |maintainer| self_protection | FAIL: not found
-CONFIG_UBSAN_SANITIZE_ALL |kconfig| y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
-CONFIG_UBSAN_TRAP |kconfig| y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
-CONFIG_DEBUG_VIRTUAL |kconfig| y | clipos | self_protection | FAIL: "is not set"
-CONFIG_STATIC_USERMODEHELPER |kconfig| y | clipos | self_protection | FAIL: "is not set"
-CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | clipos | self_protection | FAIL: not found
+CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
+CONFIG_IOMMU_DEFAULT_PASSTHROUGH |kconfig| is not set | kspp | self_protection | OK
+CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | kspp | self_protection | OK
+CONFIG_SLS |kconfig| y | kspp | self_protection | FAIL: is not found
+CONFIG_INTEL_IOMMU_SVM |kconfig| y | kspp | self_protection | OK
+CONFIG_AMD_IOMMU_V2 |kconfig| y | kspp | self_protection | FAIL: "m"
CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | FAIL: "y"
-CONFIG_RANDOM_TRUST_BOOTLOADER |kconfig| is not set | clipos | self_protection | FAIL: "y"
-CONFIG_RANDOM_TRUST_CPU |kconfig| is not set | clipos | self_protection | FAIL: "y"
-CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE|kconfig| is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y"
-CONFIG_STACKLEAK_METRICS |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
-CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
-CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | clipos | self_protection | FAIL: "is not set"
-CONFIG_INTEL_IOMMU_SVM |kconfig| y | clipos | self_protection | OK
-CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | my | self_protection | OK
-CONFIG_SLS |kconfig| y | my | self_protection | FAIL: not found
-CONFIG_AMD_IOMMU_V2 |kconfig| y | my | self_protection | FAIL: "m"
+CONFIG_LIST_HARDENED |kconfig| y |a13xp0p0v | self_protection | FAIL: is not found
+CONFIG_RANDOM_KMALLOC_CACHES |kconfig| y |a13xp0p0v | self_protection | FAIL: is not found
CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK
CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK
+CONFIG_SECURITY_LANDLOCK |kconfig| y | kspp | security_policy | OK
CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK
-CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | clipos | security_policy | OK
-CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | clipos | security_policy | OK
-CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | clipos | security_policy | FAIL: "is not set"
-CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | my | security_policy | OK: not found
-CONFIG_SECURITY_SAFESETID |kconfig| y | my | security_policy | OK
-CONFIG_SECURITY_LOADPIN |kconfig| y | my | security_policy | FAIL: "is not set"
-CONFIG_SECURITY_LOADPIN_ENFORCE |kconfig| y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y"
-CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| FAIL: not found
+CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | kspp | security_policy | FAIL: "y"
+CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | kspp | security_policy | FAIL: "y"
+CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | kspp | security_policy | OK: is not found
+CONFIG_SECURITY_SELINUX_DEBUG |kconfig| is not set |a13xp0p0v | security_policy | OK: is not found
+CONFIG_SECURITY_SELINUX |kconfig| y |a13xp0p0v | security_policy | OK
CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK
CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK
+CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| OK
CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK
+CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y |defconfig |cut_attack_surface| OK
+CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| OK
CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| OK
CONFIG_COMPAT_BRK |kconfig| is not set | kspp |cut_attack_surface| OK
-CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK
-CONFIG_COMPAT_VDSO |kconfig| is not set | kspp |cut_attack_surface| OK
+CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_LEGACY_PTYS |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
+CONFIG_COMPAT |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
+CONFIG_X86_X32_ABI |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
-CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: not found
+CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
+CONFIG_LEGACY_TIOCSTI |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
-CONFIG_LEGACY_VSYSCALL_NONE |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
+CONFIG_LDISC_AUTOLOAD |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
+CONFIG_COMPAT_VDSO |kconfig| is not set | kspp |cut_attack_surface| OK
+CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_ZSMALLOC_STAT |kconfig| is not set | grsec |cut_attack_surface| OK
CONFIG_PAGE_OWNER |kconfig| is not set | grsec |cut_attack_surface| OK
CONFIG_DEBUG_KMEMLEAK |kconfig| is not set | grsec |cut_attack_surface| OK
-CONFIG_BINFMT_AOUT |kconfig| is not set | grsec |cut_attack_surface| OK: not found
+CONFIG_BINFMT_AOUT |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
-CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: not found
+CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
CONFIG_EDAC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
CONFIG_DRM_I915_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
CONFIG_BCACHE_CLOSURES_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
-CONFIG_DVB_C8SECTPFE |kconfig| is not set | grsec |cut_attack_surface| OK: not found
+CONFIG_DVB_C8SECTPFE |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
-CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| OK: not found
+CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
CONFIG_LATENCYTOP |kconfig| is not set | grsec |cut_attack_surface| OK
CONFIG_KCOV |kconfig| is not set | grsec |cut_attack_surface| OK
CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| OK
CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
-CONFIG_PTDUMP_DEBUGFS |kconfig| is not set | grsec |cut_attack_surface| OK: not found
+CONFIG_PTDUMP_DEBUGFS |kconfig| is not set | grsec |cut_attack_surface| OK
CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_attack_surface| OK
CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
-CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK: not found
-CONFIG_AIO |kconfig| is not set |grapheneos|cut_attack_surface| FAIL: "y"
+CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK: is not found
+CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT |kconfig| is not set |maintainer|cut_attack_surface| OK
CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
-CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m"
-CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| OK: not found
+CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
-CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| OK: not found
-CONFIG_LDISC_AUTOLOAD |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
-CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y | clipos |cut_attack_surface| OK
-CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
+CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
+CONFIG_AIO |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m"
CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK
CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
-CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: not found
-CONFIG_MMIOTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
-CONFIG_LIVEPATCH |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
-CONFIG_IP_DCCP |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
-CONFIG_IP_SCTP |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
-CONFIG_FTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
-CONFIG_VIDEO_VIVID |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
-CONFIG_INPUT_EVBUG |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
-CONFIG_INTEGRITY |kconfig| y |defconfig | harden_userspace | OK
-CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | clipos | harden_userspace | FAIL: "28"
-
-[+] Config check is finished: 'OK' - 71 / 'FAIL' - 103
+CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
+CONFIG_MMIOTRACE |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
+CONFIG_LIVEPATCH |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
+CONFIG_IP_DCCP |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
+CONFIG_IP_SCTP |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
+CONFIG_FTRACE |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
+CONFIG_VIDEO_VIVID |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
+CONFIG_INPUT_EVBUG |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
+CONFIG_KGDB |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
+CONFIG_CORESIGHT |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK: is not found
+CONFIG_XFS_SUPPORT_V4 |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
+CONFIG_TRIM_UNUSED_KSYMS |kconfig| y |a13xp0p0v |cut_attack_surface| FAIL: "is not set"
+CONFIG_MODULE_FORCE_LOAD |kconfig| is not set |a13xp0p0v |cut_attack_surface| OK
+CONFIG_COREDUMP |kconfig| is not set | clipos | harden_userspace | FAIL: "y"
+CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 |a13xp0p0v | harden_userspace | FAIL: "28"
+nosmep |cmdline| is not set |defconfig | self_protection | OK: is not found
+nosmap |cmdline| is not set |defconfig | self_protection | OK: is not found
+nokaslr |cmdline| is not set |defconfig | self_protection | OK: is not found
+nopti |cmdline| is not set |defconfig | self_protection | OK: is not found
+nospectre_v1 |cmdline| is not set |defconfig | self_protection | OK: is not found
+nospectre_v2 |cmdline| is not set |defconfig | self_protection | OK: is not found
+nospectre_bhb |cmdline| is not set |defconfig | self_protection | OK: is not found
+nospec_store_bypass_disable |cmdline| is not set |defconfig | self_protection | OK: is not found
+dis_ucode_ldr |cmdline| is not set |defconfig | self_protection | OK: is not found
+arm64.nobti |cmdline| is not set |defconfig | self_protection | OK: is not found
+arm64.nopauth |cmdline| is not set |defconfig | self_protection | OK: is not found
+arm64.nomte |cmdline| is not set |defconfig | self_protection | OK: is not found
+spectre_v2 |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
+spectre_v2_user |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
+spec_store_bypass_disable |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
+l1tf |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
+mds |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
+tsx_async_abort |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
+srbds |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
+mmio_stale_data |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
+retbleed |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
+spec_rstack_overflow |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
+gather_data_sampling |cmdline| is not off |defconfig | self_protection | FAIL: is off, not found
+rodata |cmdline| on |defconfig | self_protection | OK: rodata is not found
+mitigations |cmdline| auto,nosmt | kspp | self_protection | FAIL: is not found
+slab_merge |cmdline| is not set | kspp | self_protection | OK: is not found
+slub_merge |cmdline| is not set | kspp | self_protection | OK: is not found
+page_alloc.shuffle |cmdline| 1 | kspp | self_protection | FAIL: is not found
+slab_nomerge |cmdline| is present | kspp | self_protection | FAIL: is not present
+init_on_alloc |cmdline| 1 | kspp | self_protection | OK: CONFIG_INIT_ON_ALLOC_DEFAULT_ON is "y"
+init_on_free |cmdline| 1 | kspp | self_protection | FAIL: is not found
+hardened_usercopy |cmdline| 1 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY is "y"
+slab_common.usercopy_fallback |cmdline| is not set | kspp | self_protection | OK: is not found
+iommu.strict |cmdline| 1 | kspp | self_protection | FAIL: is not found
+iommu.passthrough |cmdline| 0 | kspp | self_protection | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set"
+randomize_kstack_offset |cmdline| 1 | kspp | self_protection | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is "y"
+pti |cmdline| on | kspp | self_protection | FAIL: is not found
+iommu |cmdline| force | clipos | self_protection | FAIL: is not found
+kfence.sample_interval |cmdline| is not off |a13xp0p0v | self_protection | FAIL: is off, not found
+tsx |cmdline| off |defconfig |cut_attack_surface| OK: CONFIG_X86_INTEL_TSX_MODE_OFF is "y"
+nosmt |cmdline| is present | kspp |cut_attack_surface| FAIL: is not present
+vsyscall |cmdline| none | kspp |cut_attack_surface| FAIL: is not found
+vdso32 |cmdline| 0 | kspp |cut_attack_surface| OK: CONFIG_COMPAT_VDSO is "is not set"
+debugfs |cmdline| off | grsec |cut_attack_surface| FAIL: is not found
+sysrq_always_enabled |cmdline| is not set |a13xp0p0v |cut_attack_surface| OK: is not found
+ia32_emulation |cmdline| 0 |a13xp0p0v |cut_attack_surface| FAIL: is not found
+norandmaps |cmdline| is not set |defconfig | harden_userspace | OK: is not found
+net.core.bpf_jit_harden |sysctl | 2 | kspp | self_protection | FAIL: "0"
+kernel.dmesg_restrict |sysctl | 1 | kspp |cut_attack_surface| OK
+kernel.perf_event_paranoid |sysctl | 3 | kspp |cut_attack_surface| FAIL: "4"
+kernel.kexec_load_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: "0"
+user.max_user_namespaces |sysctl | 0 | kspp |cut_attack_surface| FAIL: "31231"
+dev.tty.ldisc_autoload |sysctl | 0 | kspp |cut_attack_surface| FAIL: "1"
+kernel.unprivileged_bpf_disabled |sysctl | 1 | kspp |cut_attack_surface| FAIL: "2"
+kernel.kptr_restrict |sysctl | 2 | kspp |cut_attack_surface| FAIL: "1"
+dev.tty.legacy_tiocsti |sysctl | 0 | kspp |cut_attack_surface| FAIL: is not found
+vm.unprivileged_userfaultfd |sysctl | 0 | kspp |cut_attack_surface| OK
+kernel.modules_disabled |sysctl | 1 | clipos |cut_attack_surface| FAIL: "0"
+fs.protected_symlinks |sysctl | 1 | kspp | harden_userspace | OK
+fs.protected_hardlinks |sysctl | 1 | kspp | harden_userspace | OK
+fs.protected_fifos |sysctl | 2 | kspp | harden_userspace | FAIL: "1"
+fs.protected_regular |sysctl | 2 | kspp | harden_userspace | OK
+fs.suid_dumpable |sysctl | 0 | kspp | harden_userspace | FAIL: "2"
+kernel.randomize_va_space |sysctl | 2 | kspp | harden_userspace | OK
+kernel.yama.ptrace_scope |sysctl | 3 | kspp | harden_userspace | FAIL: "1"
+
+[+] Config check is finished: 'OK' - 121 / 'FAIL' - 139
```
-## kconfig-hardened-check versioning
+## Generating a Kconfig fragment with the security hardening options
+
+With the `-g` argument, the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.
-I usually update the kernel security hardening recommendations after each Linux kernel release.
+This Kconfig fragment can be merged with the existing Linux kernel config:
+```
+$ ./bin/kernel-hardening-checker -g X86_64 > /tmp/fragment
+$ cd ~/linux-src/
+$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
+Using .config as base
+Merging /tmp/fragment
+Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
+Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
+New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
+ ...
+```
-So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
+## Questions and answers
-The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
+__Q:__ How all these kernel parameters influence the Linux kernel security?
+__A:__ To answer this question, you can use the `kernel-hardening-checker` [sources of recommendations][24]
+and the [Linux Kernel Defence Map][4] with its references.
-## Questions and answers
+<br />
__Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
The rationale:
- - A nice LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
+ - An LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
- A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541
<br />
-__Q:__ Why `CONFIG_GCC_PLUGINS` is automatically disabled during the kernel compilation?
+__Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same?
-__A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
-try to install `gcc-7-plugin-dev` package, it should help.
+__A:__ I personally don't support this recommendation because:
+ - It decreases system safety (kernel oops is still not a rare situation)
+ - It allows easier denial-of-service attacks for the whole system
+
+I think having `CONFIG_BUG` is enough here.
+If a kernel oops happens in the process context, the offending/attacking process is killed.
+In other cases, the kernel panics, which is similar to `CONFIG_PANIC_ON_OOPS=y`.
<br />
-__Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same?
+__Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
+Do I really need that feature?
-__A:__ I personally don't support this recommendation because it provides easy denial-of-service
-attacks for the whole system (kernel oops is not a rare situation). I think having `CONFIG_BUG` is enough here --
-if we have a kernel oops in the process context, the offending/attacking process is killed.
+__A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
+([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
+requires the corresponding support in the userspace: see the [example implementation][11] by
+Tycho Andersen [@tych0][12].
<br />
__Q:__ What about performance impact of these security hardening options?
__A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8].
+A more detailed evaluation is in the TODO list (the issue [#66][21]).
<br />
-__Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
-Do I really need that feature?
+__Q:__ Can I easily check which kernel versions support some Kconfig option?
-__A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
-([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
-requires the corresponding support in the userspace: see the [example implementation][11] by
-Tycho Andersen [@tych0][12].
+__A:__ Yes. See the [LKDDb][18] project (Linux Kernel Driver Database) by Giacomo Catenazzi [@cateee][19].
+You can use it for the `mainline` or `stable` tree from [kernel.org][20] or for your custom kernel sources.
<br />
__A:__ Checking the kernel config is not enough to answer this question.
I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14].
+<br />
+
+__Q:__ Why the `CONFIG_GCC_PLUGINS` option is automatically disabled during the kernel compilation?
+
+__A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
+try to install `gcc-7-plugin-dev` package, it should help.
+
[1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
[2]: https://docs.clip-os.org/clipos/kernel.html#configuration
[3]: https://grsecurity.net/
[4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
[5]: https://lwn.net/Articles/791863/
-[6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38
+[6]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/38
[7]: https://github.com/BlackIkeEagle
[8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/
[9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
[12]: https://github.com/tych0
[13]: https://github.com/speed47/spectre-meltdown-checker
[14]: https://github.com/speed47
-[15]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/53
-[16]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/54
+[15]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/53
+[16]: https://github.com/a13xp0p0v/kernel-hardening-checker/pull/54
+[17]: https://github.com/a13xp0p0v/kernel-hardening-checker/pull/62
+[18]: https://cateee.net/lkddb/web-lkddb/
+[19]: https://github.com/cateee/lkddb
+[20]: https://kernel.org/
+[21]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/66
+[22]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56
+[23]: https://github.com/a13xp0p0v/kernel-hardening-checker/issues?q=label%3Akernel_maintainer_feedback
+[24]: https://github.com/a13xp0p0v/kernel-hardening-checker#motivation
projects / kconfig-hardened-check.git / blobdiff