kernel hardening checker: checking the hardening options in the Linux kernel config

kernel hardening checker

There are plenty of Linux kernel hardening config options. A lot of them are not enabled by the major distros. We have to enable these options ourselves to make our systems more secure.

But nobody likes checking configs manually. So let the computers do their job!

kernel hardening checker (formerly kconfig-hardened-check) is a tool for checking the security hardening options of the Linux kernel. It supports checking:

  • Kconfig options (compile-time)
  • Kernel cmdline arguments (boot-time)
  • Sysctl parameters (runtime)
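To make the three kinds of checks concrete, here is a small added example (not code from kernel-hardening-checker) that parses each input format and compares it with a policy. The sample inputs and the policy entries are constructed for illustration and are not the tool's rule set.

```python
import re
# Constructed sample inputs (not taken from any real system).
KCONFIG = """\
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_STRICT_KERNEL_RWX is not set
"""
CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nosmep"
SYSCTL = """\
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 0
"""

# Illustrative policy only: (kind, name, expected value). Assumed, not the tool's rules.
POLICY = [
    ("kconfig", "CONFIG_STACKPROTECTOR_STRONG", "y"),
    ("kconfig", "CONFIG_STRICT_KERNEL_RWX", "y"),
    ("cmdline", "nosmep", "is not set"),
    ("sysctl", "kernel.kptr_restrict", "2"),
    ("sysctl", "kernel.dmesg_restrict", "1"),
]

def parse_kconfig(text):
    """Map CONFIG_* names to values; '# CONFIG_X is not set' lines are simply absent."""
    return dict(m.groups() for m in re.finditer(r"^(CONFIG_\w+)=(.*)$", text, re.M))

def parse_cmdline(text):
    """Map boot arguments to values; bare flags such as 'quiet' map to ''."""
    return {k: v for k, _, v in (arg.partition("=") for arg in text.split())}

def parse_sysctl(text):
    """Parse 'name = value' lines in the format printed by `sysctl -a`."""
    return {k.strip(): v.strip() for k, _, v in
            (line.partition("=") for line in text.splitlines() if "=" in line)}

def check(policy, kconfig, cmdline, sysctl):
    """Return (kind, name, expected, actual, 'OK' or 'FAIL') for every rule."""
    seen = {"kconfig": parse_kconfig(kconfig), "cmdline": parse_cmdline(cmdline),
            "sysctl": parse_sysctl(sysctl)}
    results = []
    for kind, name, expected in policy:
        actual = seen[kind].get(name, "is not set")  # a missing entry counts as unset
        results.append((kind, name, expected, actual, "OK" if actual == expected else "FAIL"))
    return results

if __name__ == "__main__":
    for kind, name, expected, actual, verdict in check(POLICY, KCONFIG, CMDLINE, SYSCTL):
        print(f"{kind:8}{name:32}{expected:12}{actual:12}{verdict}")
```

The command-line parser splits on whitespace only, so quoted boot arguments that contain spaces are outside what this sketch handles.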

The security hardening recommendations are based on:

Attention! Changing Linux kernel security parameters may also affect system performance and the functionality of userspace software. So when choosing these parameters, consider the threat model of your Linux-based information system and thoroughly test its typical workload.

Supported microarchitectures

  • X86_64
  • X86_32
  • ARM64
  • ARM

Installation

You can install the package:

pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker

or simply run ./bin/kernel-hardening-checker from the cloned repository.

Some Linux distributions also provide kernel-hardening-checker as a package.

Usage


Copyright (C) 2020 a13xp0p0v 

Source: https://github.com/a13xp0p0v/