## Example output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config
```
$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config
-[+] Config file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config
+[+] Kconfig file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config
[+] Detected architecture: X86_64
[+] Detected kernel version: 5.4
=========================================================================================================================
CONFIG_BUG |kconfig| y |defconfig | self_protection | OK
CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK
CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: not found
+CONFIG_STACKPROTECTOR |kconfig| y |defconfig | self_protection | OK
CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | OK
CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK
CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK
CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | FAIL: "is not set"
+CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK
CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK
-CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK
CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK
CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK
CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK
CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set"
CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: not found
+CONFIG_KFENCE |kconfig| y | kspp | self_protection | FAIL: not found
+CONFIG_WERROR |kconfig| y | kspp | self_protection | FAIL: not found
+CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: not found
+CONFIG_ZERO_CALL_USED_REGS |kconfig| y | kspp | self_protection | FAIL: not found
CONFIG_GCC_PLUGIN_RANDSTRUCT |kconfig| y | kspp | self_protection | FAIL: not found
CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | FAIL: "y"
CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y"
CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: not found
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | FAIL: not found
+CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | FAIL: not found
CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK
CONFIG_UBSAN_BOUNDS |kconfig| y |maintainer| self_protection | FAIL: not found
CONFIG_UBSAN_SANITIZE_ALL |kconfig| y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | clipos | self_protection | FAIL: "is not set"
CONFIG_INTEL_IOMMU_SVM |kconfig| y | clipos | self_protection | OK
CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | my | self_protection | OK
+CONFIG_SLS |kconfig| y | my | self_protection | FAIL: not found
CONFIG_AMD_IOMMU_V2 |kconfig| y | my | self_protection | FAIL: "m"
CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK
CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK
-CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | my | security_policy | OK: not found
+CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK
CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | clipos | security_policy | OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | clipos | security_policy | OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | clipos | security_policy | FAIL: "is not set"
+CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | my | security_policy | OK: not found
CONFIG_SECURITY_SAFESETID |kconfig| y | my | security_policy | OK
CONFIG_SECURITY_LOADPIN |kconfig| y | my | security_policy | FAIL: "is not set"
CONFIG_SECURITY_LOADPIN_ENFORCE |kconfig| y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y"
+CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| FAIL: not found
CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK
CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK
CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK
CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: not found
+CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
+CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK: not found
CONFIG_AIO |kconfig| is not set |grapheneos|cut_attack_surface| FAIL: "y"
CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
-CONFIG_X86_MSR |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m"
CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m"
CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| OK: not found
CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| OK: not found
CONFIG_LDISC_AUTOLOAD |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y | clipos |cut_attack_surface| OK
-CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m"
CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
+CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m"
CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK
CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: not found
CONFIG_INTEGRITY |kconfig| y |defconfig | harden_userspace | OK
CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | clipos | harden_userspace | FAIL: "28"
-[+] Config check is finished: 'OK' - 68 / 'FAIL' - 96
+[+] Config check is finished: 'OK' - 71 / 'FAIL' - 103
```
## kconfig-hardened-check versioning
projects / kconfig-hardened-check.git / commitdiff