This is a reminder to myself in order to research whether other security projects than KSPP or Capsule8 recommend additional Kernel configuration flags or sysctls. Triggered by: https://github.com/a13xp0p0v/kconfig-hardened-check
For the records: [root@maverick bin]# ./kconfig-hardened-check -c /boot/config-4.14.173-ipfire [+] Trying to detect architecture in "/boot/config-4.14.173-ipfire"... [+] Detected architecture: X86_64 [+] Trying to detect kernel version in "/boot/config-4.14.173-ipfire"... [+] Found version line: "# Linux/x86 4.14.173 Kernel Configuration" [+] Detected kernel version: 4.14 [+] Checking "/boot/config-4.14.173-ipfire" against X86_64 hardening preferences... ========================================================================================================================= option name | desired val | decision | reason | check result ========================================================================================================================= CONFIG_BUG | y |defconfig | self_protection | OK CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection | OK CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection | OK: CONFIG_CC_STACKPROTECTOR_STRONG "y" CONFIG_SLUB_DEBUG | y |defconfig | self_protection | OK CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection | OK CONFIG_GCC_PLUGINS | y |defconfig | self_protection | OK CONFIG_REFCOUNT_FULL | y |defconfig | self_protection | OK CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK CONFIG_MICROCODE | y |defconfig | self_protection | OK CONFIG_RETPOLINE | y |defconfig | self_protection | OK CONFIG_X86_SMAP | y |defconfig | self_protection | OK CONFIG_X86_UMIP | y |defconfig | self_protection | FAIL: not found CONFIG_SYN_COOKIES | y |defconfig | self_protection | OK CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection | OK CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection | OK CONFIG_INTEL_IOMMU | y |defconfig | self_protection | OK CONFIG_AMD_IOMMU | y |defconfig | self_protection | OK CONFIG_VMAP_STACK | y |defconfig | self_protection | OK CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection | OK CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection | OK CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_WX | y | kspp | self_protection | OK CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection | FAIL: "is not set" CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection | OK CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | FAIL: not found CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | FAIL: "is not set" CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection | OK CONFIG_DEBUG_LIST | y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_SG | y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection | FAIL: "is not set" CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection | OK: not found CONFIG_MODULE_SIG | y | kspp | self_protection | OK CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | OK CONFIG_INIT_STACK_ALL | y | kspp | self_protection | OK: CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL "y" CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | FAIL: not found CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | FAIL: not found CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | FAIL: not found CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK CONFIG_SECURITY_DMESG_RESTRICT | y | clipos | self_protection | OK CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | FAIL: "is not set" CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set" CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | FAIL: "y" CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | OK: not found CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | OK: not found CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | FAIL: "is not set" CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set" CONFIG_SLUB_DEBUG_ON | y | my | self_protection | FAIL: "is not set" CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | FAIL: "is not set" CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "is not set" CONFIG_SECURITY | y |defconfig | security_policy | OK CONFIG_SECURITY_YAMA | y | kspp | security_policy | FAIL: "is not set" CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my | security_policy | OK CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | FAIL: not found CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | FAIL: not found CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: not found CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set" CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN is needed CONFIG_SECURITY_SAFESETID | y | my | security_policy | FAIL: not found CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface | OK CONFIG_MODULES | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_DEVMEM | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface | OK CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface | OK CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface | FAIL: "m" CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface | OK CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface | OK CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface | OK CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface | FAIL: "m" CONFIG_KEXEC | is not set | kspp | cut_attack_surface | OK CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface | OK CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface | OK CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface | OK CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_X86_X32 | is not set | kspp | cut_attack_surface | OK CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_OABI_COMPAT | is not set | kspp | cut_attack_surface | OK: not found CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface | OK: not found CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface | OK: not found CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface | OK CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface | OK CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_USELIB | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface | OK CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface | OK CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface | OK CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface | OK: not found CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | OK CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y" CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y" CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface | FAIL: "y" CONFIG_X86_IOPL_IOPERM | is not set | lockdown | cut_attack_surface | OK: not found CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | OK CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | OK CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK: not found CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_attack_surface | OK CONFIG_STAGING | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_KSM | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface | OK CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface | OK CONFIG_USER_NS | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_AIO | is not set |grapheneos| cut_attack_surface | FAIL: "y" CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | OK CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | OK CONFIG_IP_DCCP | is not set | my | cut_attack_surface | OK CONFIG_IP_SCTP | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_FTRACE | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_BPF_JIT | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | OK: not found CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | OK CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" [+] config check is finished: 'OK' - 77 / 'FAIL' - 59 Looks there is still room for improvement...
As we have made quite some progress on this, and I am now well aware of the remaining kernel configuration changes, I would close this in favour of individual bugs, which are more easy to track. Also, all sysctl hardening options have been implemented meanwhile.