kconfig-hardened-check
A tool for checking the security hardening options of the Linux kernel
Instead of having to specify Kconfig file and /proc/cmdline, --autodetect will try to infer them. This is related to #129
Splitting the checks by arch family makes the code a tad more readable and self-contained, and makes it easier to inspect what checks are architecture-specific, instead of having the read...
The CI scripts of `kernel-hardening-checker` run on Python versions that are currently officially supported:   (from https://devguide.python.org/versions/) **Question** Should `kernel-hardening-checker` also work on some older Python versions? Is...
I have an idea: to add a column `|with care|` for the options that may break some kernel functionality or introduce significant performance impact. (refers to #137)
Encrypted RAM is a security mechanism, if only against forensics.
```console
$ python3 ./bin/kernel-hardening-checker -h
usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
                                [-c CONFIG] [-l CMDLINE] [-s SYSCTL] [-v KERNEL_VERSION]
                                [-p {X86_64,X86_32,ARM64,ARM}] [-g {X86_64,X86_32,ARM64,ARM}]

A tool for checking the security hardening...
```
Realised issue #153. Tested on `bullseye` image; also there is a default option for my Ubuntu. Didn't cause any issues with booting or something. This option can reduce chances to...
There is an implementation of #149. A few words about the logic: `OK` is `cfi=kcfi` in __cmdline__. If this parameter is not set, we look for `CONFIG_CFI_AUTO_DEFAULT`, which should be off,...
Implementation of issue #158. Some **sysctl** checks depend on the microarchitecture, for example: #157. What I did: - renamed the existing `detect_arch()` into `detect_arch_kconfig()` - implemented `detect_arch_sysctl()`. Now we...