kconfig-hardened-check: checking the hardening options in the Linux kernel config
There are plenty of Linux kernel hardening config options. A lot of them are not enabled by the major distros. We have to enable these options ourselves to make our systems more secure.
But nobody likes checking configs manually. So let the computers do their job!
kconfig-hardened-check.py helps me to check the Linux kernel Kconfig option list against my hardening preferences, which are based on the
- KSPP recommended settings,
- CLIP OS kernel configuration,
- last public grsecurity patch (options which they disable),
- SECURITY_LOCKDOWN_LSM patchset,
- direct feedback from Linux kernel maintainers (Daniel Vetter in issue #38).
You can install the package:
pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check
or simply run ./bin/kconfig-hardened-check from the cloned repository.
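To illustrate the kind of check described above, here is a minimal added example. It is not code from kconfig-hardened-check: it parses .config text, including the "# CONFIG_X is not set" form, and compares it with a small preference table. The sample config, the preference table and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample .config (not from a real system).
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_RANDOMIZE_BASE is not set
CONFIG_DEVMEM=y
"""

# Illustrative preferences (assumption): a handful of options named in the
# KSPP recommended settings; "is not set" means the option must be disabled.
PREFERENCES = {
    "CONFIG_STACKPROTECTOR_STRONG": "y",
    "CONFIG_STRICT_KERNEL_RWX": "y",
    "CONFIG_RANDOMIZE_BASE": "y",
    "CONFIG_BUG_ON_DATA_CORRUPTION": "y",
    "CONFIG_DEVMEM": "is not set",
}

SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

def parse_kconfig(text):
    """Return {option: value}; disabled options map to 'is not set'."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            options[m.group(1)] = m.group(2).strip('"')
        elif m := UNSET_RE.match(line):
            options[m.group(1)] = "is not set"
    return options

def check(options, preferences):
    """Return (option, desired, actual, 'OK' or 'FAIL') for each preference."""
    results = []
    for name, desired in preferences.items():
        # An option absent from .config is treated the same as "is not set".
        actual = options.get(name, "is not set")
        verdict = "OK" if actual == desired else "FAIL"
        results.append((name, desired, actual, verdict))
    return results

if __name__ == "__main__":
    for name, desired, actual, verdict in check(parse_kconfig(SAMPLE_CONFIG), PREFERENCES):
        print(f"{name:32} desired={desired:10} actual={actual:10} {verdict}")
```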
Copyright (C) 2020 a13xp0p0v