a13xp0p0v / kernel-hardening-checker

A tool for checking the security hardening options of the Linux kernel
GNU General Public License v3.0

Get rid of CONFIG_DEBUG_CREDENTIALS #97

Closed Sporif closed 8 months ago

Sporif commented 10 months ago

This config has been removed recently.

Links: master, stable

thestinger commented 10 months ago

The checking tool isn't only for the most recent kernel versions, and this was a mildly useful hardening feature despite not being designed as one. It would be possible to do a much better job, but people use what's available upstream.

a13xp0p0v commented 10 months ago

Thanks for the info!

Later, I'll add the dependency on the kernel version for the CONFIG_DEBUG_CREDENTIALS check.

a13xp0p0v commented 8 months ago

Hello @Sporif and @thestinger,

I've implemented parsing all three numbers of the kernel version and added the version check for DEBUG_CREDENTIALS https://github.com/a13xp0p0v/kernel-hardening-checker/commit/1a595757bc0aaef86550440f2a449569b6450ba5.

$ diff config667 config668
3c3
< # Linux/x86 6.6.7 Kernel Configuration
---
> # Linux/x86 6.6.8 Kernel Configuration
5065,5066d5064
< 
< # CONFIG_DEBUG_CREDENTIALS is not set

Output for v6.6.7:

[+] Special report mode: verbose
[+] Kconfig file to check: /home/a13x/develop_local/linux-stable/linux-stable/config667
[+] Detected microarchitecture: X86_64
[+] Detected kernel version: (6, 6, 7)
...
-------------------------------------------------------------------------------------------------------------------------
    <<< OR >>>                                                                             | FAIL: "is not set"
CONFIG_DEBUG_CREDENTIALS                |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
kernel version >= (6, 6, 8)                                                                | FAIL: version < (6, 6, 8)
-------------------------------------------------------------------------------------------------------------------------

Output for v6.6.8:

[+] Special report mode: verbose
[+] Kconfig file to check: /home/a13x/develop_local/linux-stable/linux-stable/config668
[+] Detected microarchitecture: X86_64
[+] Detected kernel version: (6, 6, 8)
...
-------------------------------------------------------------------------------------------------------------------------
    <<< OR >>>                                                                             | OK: version >= (6, 6, 8)
CONFIG_DEBUG_CREDENTIALS                |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
kernel version >= (6, 6, 8)                                                                | OK: version >= (6, 6, 8)
-------------------------------------------------------------------------------------------------------------------------
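The version-gated OR check described in the comment above, as an added Python example that is not part of kernel-hardening-checker's own code: it parses all three numbers of the kernel version from the Kconfig header and passes the check either when CONFIG_DEBUG_CREDENTIALS=y or when the kernel is 6.6.8 or newer. The Kconfig fragments are constructed to mirror the header and diff lines in the issue; the function and regex names are assumptions.

```python
import re

# Constructed Kconfig fragments mirroring the headers and the diff shown in the issue.
CONFIG_667 = """#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 6.6.7 Kernel Configuration
#
CONFIG_CC_IS_GCC=y

# CONFIG_DEBUG_CREDENTIALS is not set
"""

CONFIG_668 = """#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 6.6.8 Kernel Configuration
#
CONFIG_CC_IS_GCC=y
"""

VERSION_RE = re.compile(r'^# Linux/\S+ (\d+)\.(\d+)\.(\d+)')  # assumed header format


def parse_kernel_version(text):
    """Return (major, minor, patch) from the '# Linux/<arch> X.Y.Z Kernel Configuration' line."""
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            return tuple(int(x) for x in m.groups())
    raise ValueError('kernel version header not found')


def parse_options(text):
    """Map CONFIG_* names to their value; disabled options are recorded as 'is not set'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r'^(CONFIG_\w+)=(.*)$', line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r'^# (CONFIG_\w+) is not set$', line)
        if m:
            opts[m.group(1)] = 'is not set'
    return opts


def check_debug_credentials(text, threshold=(6, 6, 8)):
    """OR check: pass if the option is enabled, or if the kernel already dropped it (>= threshold)."""
    version = parse_kernel_version(text)      # tuple comparison handles all three numbers
    value = parse_options(text).get('CONFIG_DEBUG_CREDENTIALS')
    if version >= threshold:
        return 'OK: version >= %s' % (threshold,)
    if value == 'y':
        return 'OK'
    if value is None:
        return 'FAIL: is not found'
    return 'FAIL: "%s"' % value
```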