Lucene search

K
kitploitKitPloitKITPLOIT:1463882138321251213
HistoryJun 18, 2021 - 9:30 p.m.

Kconfig-Hardened-Check - A Tool For Checking The Hardening Options In The Linux Kernel Config

2021-06-1821:30:00
www.kitploit.com
106

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6.2 Medium

AI Score

Confidence

High

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

9.2%

Motivation

There are plenty of Linux kernel hardening config options. A lot of them are not enabled by the major distros. We have to enable these options ourselves to make our systems more secure.

But nobody likes checking configs manually. So let the computers do their job!

kconfig-hardened-check.py helps me to check the Linux kernel Kconfig option list against my hardening preferences, which are based on the

I also created Linux Kernel Defence Map that is a graphical representation of the relationships between these hardening features and the corresponding vulnerability classes or exploitation techniques.

Supported microarchitectures

  • X86_64
  • X86_32
  • ARM64
  • ARM

Installation

You can install the package:

pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check  

or simply run ./bin/kconfig-hardened-check from the cloned repository.

Usage

usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]  
                              [-c CONFIG]  
                              [-m {verbose,json,show_ok,show_fail}]  
  
Checks the hardening options in the Linux kernel config  
  
optional arguments:  
  -h, --help            show this help message and exit  
  --version             show program's version number and exit  
  -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}  
                        print hardening preferences for selected architecture  
  -c CONFIG, --config CONFIG  
                        check the kernel config file against these preferences  
  -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}  
                        choose the report mode  

Output for Ubuntu 20.04 LTS (Focal Fossa) kernel config

$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config   
[+] Config file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config  
[+] Detected architecture: X86_64  
[+] Detected kernel version: 5.4  
=========================================================================================================================  
                 option name                 | desired val | decision |       reason       |   check result  
=========================================================================================================================  
CONFIG_BUG                                   |      y      |defconfig |  self_protection   |   OK  
CONFIG_SLUB_DEBUG                            |      y      |defconfig |  self_protection   |   OK  
CONFIG_GCC_PLUGINS                           |      y      |defconfig |  self_protection   |   FAIL: not found  
CONFIG_STACKPROTECTOR_STRONG                    |      y      |defconfig |  self_protection   |   OK  
CONFIG_STRICT_KERNEL_RWX                     |      y      |defconfig |  self_protection   |   OK  
CONFIG_STRICT_MODULE_RWX                     |      y      |defconfig |  self_protection   |   OK  
CONFIG_REFCOUNT_FULL                         |      y      |defconfig |  self_protection   |   FAIL: "is not set"  
CONFIG_IOMMU_SUPPORT                         |      y      |defconfig |  self_protection   |   OK  
CONFIG_MICROCODE                             |      y      |defconfig |  self_protection   |   OK  
CONFIG_RETPOLINE                             |      y      |defconfig |  self_protection   |   OK  
CONFIG_X86_SMAP                              |      y      |defconfig |  self_protection   |   OK  
CONFIG_SYN_COOKIES                           |      y      |defconfig |  self_protection   |   OK  
CONFIG_X86_UMIP                              |      y      |defconfig |  self_protection   |      OK: CONFIG_X86_INTEL_UMIP "y"  
CONFIG_PAGE_TABLE_ISOLATION                  |      y      |defconfig |  self_protection   |   OK  
CONFIG_RANDOMIZE_MEMORY                      |      y      |defconfig |  self_protection   |   OK  
CONFIG_INTEL_IOMMU                           |      y      |defconfig |  self_protection   |   OK  
CONFIG_AMD_IOMMU                             |      y      |defconfig |  self_protection   |   OK  
CONFIG_VMAP_STACK                            |      y      |defconfig |  self_protection   |   OK  
CONFIG_RANDOMIZE_BASE                        |      y      |defconfig |  self_protection   |   OK  
CONFIG_THREAD_INFO_IN_TASK                   |      y      |defconfig |  self_protection   |   OK  
CONFIG_BUG_ON_DATA_CORRUPTION                |      y      |   kspp   |  self_protection   |   FAIL: "is not set"  
CONFIG_DEBUG_WX                              |      y      |   kspp   |  self_protection   |   OK  
CONFIG_SCHED_STACK_END_CHEC   K                 |      y      |   kspp   |  self_protection   |   OK  
CONFIG_SLAB_FREELIST_HARDENED                |      y      |   kspp   |  self_protection   |   OK  
CONFIG_SLAB_FREELIST_RANDOM                  |      y      |   kspp   |  self_protection   |   OK  
CONFIG_SHUFFLE_PAGE_ALLOCATOR                |      y      |   kspp   |  self_protection   |   OK  
CONFIG_FORTIFY_SOURCE                        |      y      |   kspp   |  self_protection   |   OK  
CONFIG_DEBUG_LIST                            |      y      |   kspp   |  self_protection   |   FAIL: "is not set"  
CONFIG_DEBUG_SG                              |      y      |   kspp   |  self_protection   |   FAIL: "is not set"  
CONFIG_DEBUG_CREDENTIALS                     |      y      |   kspp   |  self_protection   |   FAIL: "is not set"  
CONFIG_DEBUG_NOTIFIERS                       |      y      |   kspp   |  self_protection   |   FAIL: "is not set"  
CONFIG_INIT_ON_ALLOC_DEFAULT_ON                 |      y      |   kspp   |  self_protection   |   OK  
CONFIG_GCC_PLUGIN_LATENT_ENTROPY             |      y      |   kspp   |  self_protection   |   FAIL: not found  
CONFIG_GCC_PLUGIN_RANDSTRUCT                 |      y      |   kspp   |  self_protection   |   FAIL: not found  
CONFIG_HARDENED_USERCOPY                     |      y      |   kspp   |  self_protection   |   OK  
CONFIG_HARDENED_USERCOPY_FALLBACK            | is not set  |   kspp   |  self_protection   |   FAIL: "y"  
CONFIG_MODULE_SIG                            |      y      |   kspp   |  self_protection   |   OK  
CONFIG_MODULE_SIG_ALL                        |      y      |   kspp   |  self_protection   |   OK  
CONFIG_MODULE_SIG_SHA512                     |      y      |   kspp   |  self_protection   |   OK  
CONFIG_MODULE_SIG_FORCE                      |      y      |   kspp   |  self_protection   |   FAIL: "is not set"  
CONFIG_INIT_STACK_ALL_ZERO                   |      y      |   kspp   |     self_protection   |   FAIL: not found  
CONFIG_INIT_ON_FREE_DEFAULT_ON               |      y      |   kspp   |  self_protection   |   OK: CONFIG_PAGE_POISONING_ZERO "y"  
CONFIG_GCC_PLUGIN_STACKLEAK                  |      y      |   kspp   |  self_protection   |   FAIL: not found  
CONFIG_DEFAULT_MMAP_MIN_ADDR                 |    65536    |   kspp   |  self_protection   |   OK  
CONFIG_SECURITY_DMESG_RESTRICT               |      y      |  clipos  |  self_protection   |   FAIL: "is not set"  
CONFIG_DEBUG_VIRTUAL                         |      y      |  clipos  |  self_protection   |   FAIL: "is not set"  
CONFIG_STATIC_USERMODEHELPER                 |      y      |  clipos  |  self_protection   |   FAIL: "is not set"  
CONFIG_EFI_DISABLE_PCI_DMA                   |      y      |  clipos  |  self_protection   |   FAIL: not found  
CONFIG_SLAB_MERGE_DEFAULT                    | is not set  |  clipos  |  self_protection   |   FAIL: "y"  
CONFIG_RANDOM_TRUST_BOOTL   OADER               | is not set  |  clipos  |  self_protection   |   FAIL: "y"  
CONFIG_RANDOM_TRUST_CPU                      | is not set  |  clipos  |  self_protection   |   FAIL: "y"  
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE     | is not set  |  clipos  |  self_protection   |   FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y"  
CONFIG_STACKLEAK_METRICS                     | is not set  |  clipos  |  self_protection   |   FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"  
CONFIG_STACKLEAK_RUNTIME_DISABLE             | is not set  |  clipos  |  self_protection   |   FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"  
CONFIG_INTEL_IOMMU_SVM                       |      y      |  clipos  |  self_protection   |   OK  
CONFIG_INTEL_IOMMU_DEFAULT_ON                |      y      |  clipos  |  self_protection   |   FAIL: "is not set"  
CONFIG_UBSAN_BOUNDS                          |      y      |    my    |  self_protection   |   FAIL: CONFIG_UBSAN_TRAP not "y"  
CONFIG_SLUB_DEBUG_ON                            |      y      |    my    |  self_protection   |   FAIL: "is not set"  
CONFIG_RESET_ATTACK_MITIGATION               |      y      |    my    |  self_protection   |   OK  
CONFIG_AMD_IOMMU_V2                          |      y      |    my    |  self_protection   |   FAIL: "m"  
CONFIG_SECURITY                              |      y      |defconfig |  security_policy   |   OK  
CONFIG_SECURITY_YAMA                         |      y      |   kspp   |  security_policy   |   OK  
CONFIG_SECURITY_WRITABLE_HOOKS               | is not set  |    my    |  security_policy   |   OK: not found  
CONFIG_SECURITY_LOCKDOWN_LSM                 |      y      |  clipos  |  security_policy   |   OK  
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY           |      y      |  clipos  |  security_policy   |   OK  
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|      y      |  clipos  |  security_policy   |   FAIL: "is not set"  
CONFIG_SECURITY_SAFESETID                    |      y         |    my    |  security_policy   |   OK  
CONFIG_SECURITY_LOADPIN                      |      y      |    my    |  security_policy   |   FAIL: "is not set"  
CONFIG_SECURITY_LOADPIN_ENFORCE              |      y      |    my    |  security_policy   |   FAIL: CONFIG_SECURITY_LOADPIN not "y"  
CONFIG_SECCOMP                               |      y      |defconfig | cut_attack_surface |   OK  
CONFIG_SECCOMP_FILTER                        |      y      |defconfig | cut_attack_surface |   OK  
CONFIG_STRICT_DEVMEM                         |      y      |defconfig | cut_attack_surface |   OK  
CONFIG_ACPI_CUSTOM_METHOD                    | is not set  |   kspp   | cut_attack_surface |   OK  
CONFIG_COMPAT_BRK                            | is not set  |   kspp   | cut_attack_surface |   OK  
CONFIG_DEVKMEM                               | is not set  |   kspp   | cut_attack_surface |   OK  
CONFIG_COMPAT_VDSO                           | is not set  |   kspp   | cut_attack_sur   face |   OK  
CONFIG_BINFMT_MISC                           | is not set  |   kspp   | cut_attack_surface |   FAIL: "m"  
CONFIG_INET_DIAG                             | is not set  |   kspp   | cut_attack_surface |   FAIL: "m"  
CONFIG_KEXEC                                 | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"  
CONFIG_PROC_KCORE                            | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"  
CONFIG_LEGACY_PTYS                           | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"  
CONFIG_HIBERNATION                           | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"  
CONFIG_IA32_EMULATION                        | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"  
CONFIG_X86_X32                               | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"  
CONFIG_MODIFY_LDT_SYSCALL                    | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"  
   CONFIG_OABI_COMPAT                           | is not set  |   kspp   | cut_attack_surface |   OK: not found  
CONFIG_MODULES                               | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"  
CONFIG_DEVMEM                                | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"  
CONFIG_IO_STRICT_DEVMEM                      |      y      |   kspp   | cut_attack_surface |   FAIL: "is not set"  
CONFIG_LEGACY_VSYSCALL_NONE                  |      y      |   kspp   | cut_attack_surface |   FAIL: "is not set"  
CONFIG_ZSMALLOC_STAT                         | is not set  |grsecurity| cut_attack_surface |   OK  
CONFIG_PAGE_OWNER                            | is not set  |grsecurity| cut_attack_surface |   OK  
CONFIG_DEBUG_KMEMLEAK                        | is not set  |grsecurity| cut_attack_surface |   OK  
CONFIG_BINFMT_AOUT                           | is not set  |grsecurity| cut_attack_surface |   OK: not found  
CONFIG_KPRO   BES                               | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"  
CONFIG_UPROBES                               | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"  
CONFIG_GENERIC_TRACER                        | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"  
CONFIG_PROC_VMCORE                           | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"  
CONFIG_PROC_PAGE_MONITOR                     | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"  
CONFIG_USELIB                                | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"  
CONFIG_CHECKPOINT_RESTORE                    | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"  
CONFIG_USERFAULTFD                           | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"  
CONFIG_HWPOISON_INJECT                       | is not set  |grsecurity| cut_attack_surface |   FAIL: "m"  
CONFIG_MEM_SOFT_DIRTY                           | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"  
CONFIG_DEVPORT                               | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"  
CONFIG_DEBUG_FS                              | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"  
CONFIG_NOTIFIER_ERROR_INJECTION              | is not set  |grsecurity| cut_attack_surface |   FAIL: "m"  
CONFIG_X86_PTDUMP                            | is not set  |grsecurity| cut_attack_surface |   OK  
CONFIG_DRM_LEGACY                            | is not set  |maintainer| cut_attack_surface |   OK  
CONFIG_FB                                    | is not set  |maintainer| cut_attack_surface |   FAIL: "y"  
CONFIG_VT                                    | is not set  |maintainer| cut_attack_surface |   FAIL: "y"  
CONFIG_AIO                                   | is not set  |grapheneos| cut_attack_surface |   FAIL: "y"  
CONFIG_STAGING                               | is not set     |  clipos  | cut_attack_surface |   FAIL: "y"  
CONFIG_KSM                                   | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"  
CONFIG_KALLSYMS                              | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"  
CONFIG_X86_VSYSCALL_EMULATION                | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"  
CONFIG_MAGIC_SYSRQ                           | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"  
CONFIG_KEXEC_FILE                            | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"  
CONFIG_USER_NS                               | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"  
CONFIG_X86_MSR                               | is not set  |  clipos  | cut_attack_surface |   FAIL: "m"  
CONFIG_X86_CPUID                             | is not set  |  clipos  | cut_attack_surface |   FAIL: "m"  
CONFIG_IO_URING                              | is not set  |  clipos  | c   ut_attack_surface |   FAIL: "y"  
CONFIG_X86_IOPL_IOPERM                       | is not set  |  clipos  | cut_attack_surface |   OK: not found  
CONFIG_ACPI_TABLE_UPGRADE                    | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"  
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS              | is not set  |  clipos  | cut_attack_surface |   OK: not found  
CONFIG_LDISC_AUTOLOAD                        | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"  
CONFIG_X86_INTEL_TSX_MODE_OFF                |      y      |  clipos  | cut_attack_surface |   OK  
CONFIG_EFI_TEST                              | is not set  | lockdown | cut_attack_surface |   FAIL: "m"  
CONFIG_BPF_SYSCALL                           | is not set  | lockdown | cut_attack_surface |   FAIL: "y"  
CONFIG_MMIOTRACE_TEST                        | is not set  | lockdown | cut_attack_surface |   OK  
CONFIG_TRIM_UNUSED_KSYMS                     |      y      |    my    | cut_attack_surface |      FAIL: not found  
CONFIG_MMIOTRACE                             | is not set  |    my    | cut_attack_surface |   FAIL: "y"  
CONFIG_LIVEPATCH                             | is not set  |    my    | cut_attack_surface |   FAIL: "y"  
CONFIG_IP_DCCP                               | is not set  |    my    | cut_attack_surface |   FAIL: "m"  
CONFIG_IP_SCTP                               | is not set  |    my    | cut_attack_surface |   FAIL: "m"  
CONFIG_FTRACE                                | is not set  |    my    | cut_attack_surface |   FAIL: "y"  
CONFIG_VIDEO_VIVID                           | is not set  |    my    | cut_attack_surface |   FAIL: "m"  
CONFIG_INPUT_EVBUG                           | is not set  |    my    | cut_attack_surface |   FAIL: "m"  
CONFIG_INTEGRITY                             |      y      |defconfig |userspace_hardening |   OK  
CONFIG_ARCH_MMAP_RND_BITS                    |     32      |  clipos  |userspace_hardening |   FAIL: "28"  
**[+] Config check is finished: 'OK' - 58 / 'FAIL' - 82  
**

kconfig-hardened-check versioning

I usually update the kernel hardening recommendations after each Linux kernel release.

So the version of kconfig-hardened-check is associated with the corresponding version of the kernel.

The version format is: [major_number].[kernel_version].[kernel_patchlevel]

Questions and answers

Q: How disabling CONFIG_USER_NS cuts the attack surface? It’s needed for containers!

A: Yes, the CONFIG_USER_NS option provides some isolation between the userspace programs, but the tool recommends disabling it to cut the attack surfaceof the kernel.

The rationale:

Q: Why CONFIG_GCC_PLUGINS is automatically disabled during the kernel compilation?

A: It means that your gcc doesn’t support plugins. For example, if you have gcc-7 on Ubuntu, try to install gcc-7-plugin-dev package, it should help.

Q: KSPP and CLIP OS recommend CONFIG_PANIC_ON_OOPS=y. Why doesn’t this tool do the same?

A: I personally don’t support this recommendation because it provides easy denial-of-service attacks for the whole system (kernel oops is not a rare situation). I think having CONFIG_BUG is enough here – if we have a kernel oops in the process context, the offending/attacking process is killed.

Q: What about performance impact of these kernel hardening options?

A: Ike Devolder @BlackIkeEagle made some performance tests and described the results in this article.

Q: Why enabling CONFIG_STATIC_USERMODEHELPER breaks various things in my GNU/Linux system? Do I really need that feature?

A: Linux kernel usermode helpers can be used for privilege escalation in kernel exploits (example 1, example 2). CONFIG_STATIC_USERMODEHELPER prevents that method. But it requires the corresponding support in the userspace: see the example implementation by Tycho Andersen @tych0.

Q: Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware?

A: Checking the kernel config is not enough to answer this question. I highly recommend using spectre-meltdown-checker tool maintained by Stéphane Lesimple @speed47.

Download Kconfig-Hardened-Check

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6.2 Medium

AI Score

Confidence

High

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

9.2%