The kconfig-hardened-check tool and Linux Kernel Defence Map #20

Open
a13xp0p0v opened this issue Dec 11, 2020 · 4 comments

@a13xp0p0v

Hello everyone!
Hope that creating this issue is a proper way of contributing to your working group.

Maybe my kconfig-hardened-check tool is in scope of your discussions.

Short intro:

There are plenty of Linux kernel hardening config options. A lot of them are not enabled by the major distributions.
kconfig-hardened-check helps to check the Linux kernel Kconfig option list against the hardening preferences,
which are based on the:

  • KSPP recommended settings,
  • CLIP OS kernel configuration,
  • last public grsecurity patch (options which they disable),
  • SECURITY_LOCKDOWN_LSM patchset,
  • direct feedback from Linux kernel maintainers.

As far as I know, several Linux distributions already use kconfig-hardened-check.

I also created the Linux Kernel Defence Map that is a graphical representation of the relationships between these hardening features and the corresponding vulnerability classes or exploitation techniques.

I gave a talk at the Linux Plumbers Conference 2020 about these projects.
See the video and slides if you are interested.

Please let me know if I can contribute by creating a pull request or doing something else.

Best regards,
Alexander

@ware

ware commented Apr 5, 2021

Hey Alexander. Sorry this has lain dormant. Thank you for sharing this. It's exactly the kind of thing we're looking for. How quickly are you keeping the tool up to date with new kernel releases? How far back in kernel revisions do you support?

@a13xp0p0v
Author

Hi @ware

In July I will start working on the kconfig-hardened-check tool on a regular basis. That will include supporting new kernel releases and developing new features.

This tool can be used for kernel configs of any kernel version.

@a13xp0p0v
Author

Hello everyone! Hello @ware!

The kconfig-hardened-check tool and Linux Kernel Defence Map get regular updates, new features, and releases.

I believe these projects are relevant for the OpenSSF Security Tooling working group.
Thanks!

@a13xp0p0v
Author

Hello!

As I mentioned, kconfig-hardened-check is a tool for checking the security hardening options of the Linux kernel.

In addition to Kconfig options, it now can check kernel cmdline arguments and sysctl parameters.

So this project got a new name that describes it better: kernel-hardening-checker.
