ossf / wg-security-tooling

OpenSSF Security Tooling Working Group
https://openssf.org
Apache License 2.0
295 stars 52 forks

The kconfig-hardened-check tool and Linux Kernel Defence Map #20

Open a13xp0p0v opened 3 years ago

a13xp0p0v commented 3 years ago

Hello everyone! Hope that creating this issue is a proper way of contributing to your working group.

Maybe my kconfig-hardened-check tool is in scope of your discussions.

Short intro:

There are plenty of Linux kernel hardening config options. A lot of them are not enabled by the major distributions. kconfig-hardened-check helps to check the Linux kernel Kconfig option list against the hardening preferences, which are based on the:

As far as I know, several Linux distributions already use kconfig-hardened-check.

I also created the Linux Kernel Defence Map that is a graphical representation of the relationships between these hardening features and the corresponding vulnerability classes or exploitation techniques.

I gave a talk at the Linux Plumbers Conference 2020 about these projects. See the video and slides if you are interested.

Please let me know if I can contribute by creating a pull request or doing something else.

Best regards, Alexander

ware commented 3 years ago

Hey Alexander. Sorry this has laid dormant. Thank you for sharing this. It's exactly the kind of thing we're looking for. How quickly are you keeping the tool up to date with new kernel releases? How far back in kernel revisions do you support?

a13xp0p0v commented 3 years ago

Hi @ware

In July I will start working on the kconfig-hardened-check tool on a regular basis. That will include supporting new kernel releases and developing new features.

This tool can be used for kernel configs of any kernel version.

a13xp0p0v commented 2 years ago

Hello everyone! Hello @ware!

The kconfig-hardened-check tool and Linux Kernel Defence Map get regular updates, new features, and releases.

I believe these projects are relevant for the OpenSSF Security Tooling working group. Thanks!

a13xp0p0v commented 9 months ago

Hello!

As I mentioned, kconfig-hardened-check is a tool for checking the security hardening options of the Linux kernel.

In addition to Kconfig options, it can now check kernel cmdline arguments and sysctl parameters.

So this project got a new name that describes it better: kernel-hardening-checker.
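As an added illustration of the three kinds of check the thread describes (Kconfig options, kernel cmdline arguments, sysctl parameters), here is a small Python checker written for this page. It is not code from kconfig-hardened-check / kernel-hardening-checker, and its rule table is an illustrative subset chosen for the example, not the project's actual rule set. The sample `.config`, cmdline and sysctl inputs are constructed inline so the script runs offline.

```python
import re
from dataclasses import dataclass

# Constructed sample inputs (not taken from the original issue or the project).
SAMPLE_KCONFIG = """\
# Linux/x86 6.1.0 Kernel Configuration (constructed sample)
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_DEBUG_FS is not set
CONFIG_DEVMEM=y
CONFIG_MODULES=y
"""
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro slab_nomerge init_on_alloc=1"
SAMPLE_SYSCTL = """\
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 0
kernel.unprivileged_bpf_disabled = 1
"""


def parse_kconfig(text):
    """Map CONFIG_* names to their value; '# CONFIG_X is not set' becomes 'is not set'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "is not set"
    return opts


def parse_cmdline(text):
    """Map cmdline tokens to values; a bare flag such as 'slab_nomerge' maps to 'is present'."""
    args = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        args[key] = value if sep else "is present"
    return args


def parse_sysctl(text):
    """Parse 'key = value' lines as produced by `sysctl -a`."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


@dataclass
class Check:
    source: str      # "kconfig", "cmdline" or "sysctl"
    name: str
    expected: str
    reason: str


# Illustrative rule table (an assumption for this example, not the project's rule set).
CHECKS = [
    Check("kconfig", "CONFIG_STACKPROTECTOR_STRONG", "y", "stack canaries against stack overflows"),
    Check("kconfig", "CONFIG_RANDOMIZE_BASE", "y", "KASLR"),
    Check("kconfig", "CONFIG_DEBUG_FS", "is not set", "reduce exposed debug interfaces"),
    Check("kconfig", "CONFIG_DEVMEM", "is not set", "no raw physical memory access via /dev/mem"),
    Check("cmdline", "slab_nomerge", "is present", "keep slab caches separate"),
    Check("cmdline", "init_on_alloc", "1", "zero memory on allocation"),
    Check("sysctl", "kernel.kptr_restrict", "2", "hide kernel pointers from unprivileged users"),
    Check("sysctl", "kernel.dmesg_restrict", "1", "restrict dmesg to privileged users"),
]


def run_checks(kconfig, cmdline, sysctl, checks=CHECKS):
    """Return one (source, name, expected, actual, verdict) tuple per rule."""
    sources = {"kconfig": kconfig, "cmdline": cmdline, "sysctl": sysctl}
    results = []
    for c in checks:
        # A Kconfig symbol missing from .config is equivalent to 'is not set';
        # a missing cmdline argument or sysctl key is reported as 'is absent'.
        default = "is not set" if c.source == "kconfig" else "is absent"
        actual = sources[c.source].get(c.name, default)
        verdict = "OK" if actual == c.expected else "FAIL"
        results.append((c.source, c.name, c.expected, actual, verdict))
    return results


def failed_names(results):
    """Names of all rules whose verdict is FAIL."""
    return [name for _, name, _, _, verdict in results if verdict == "FAIL"]


def check_samples():
    """Run the rule table over the constructed sample inputs."""
    return run_checks(parse_kconfig(SAMPLE_KCONFIG),
                      parse_cmdline(SAMPLE_CMDLINE),
                      parse_sysctl(SAMPLE_SYSCTL))


if __name__ == "__main__":
    for source, name, expected, actual, verdict in check_samples():
        print(f"{verdict:4} {source:7} {name:32} expected {expected!r}, got {actual!r}")
```

On the constructed inputs the report flags `CONFIG_DEVMEM=y` and `kernel.dmesg_restrict = 0` and passes the other six rules. Substituting the contents of a real `/boot/config-$(uname -r)`, `/proc/cmdline` and `sysctl -a` for the sample strings turns it into a (very small) live check; the real tool carries a far larger rule set with per-architecture handling.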