Cookie Consent by Free Privacy Policy Generator ✅ Expertenwissen über das Thema "SAP"

🏠 Team IT Security News

TSecurity.de ist eine Online-Plattform, die sich auf die Bereitstellung von Informationen,alle 15 Minuten neuste Nachrichten, Bildungsressourcen und Dienstleistungen rund um das Thema IT-Sicherheit spezialisiert hat.
Ob es sich um aktuelle Nachrichten, Fachartikel, Blogbeiträge, Webinare, Tutorials, oder Tipps & Tricks handelt, TSecurity.de bietet seinen Nutzern einen umfassenden Überblick über die wichtigsten Aspekte der IT-Sicherheit in einer sich ständig verändernden digitalen Welt.

16.12.2023 - TIP: Wer den Cookie Consent Banner akzeptiert, kann z.B. von Englisch nach Deutsch übersetzen, erst Englisch auswählen dann wieder Deutsch!

Google Android Playstore Download Button für Team IT Security



📚 Kconfig-Hardened-Check - A Tool For Checking The Hardening Options In The Linux Kernel Config


💡 Newskategorie: IT Security Nachrichten
🔗 Quelle: feedproxy.google.com


Motivation

There are plenty of Linux kernel hardening config options. A lot of them are not enabled by the major distros. We have to enable these options ourselves to make our systems more secure.

But nobody likes checking configs manually. So let the computers do their job!

kconfig-hardened-check.py helps me to check the Linux kernel Kconfig option list against my hardening preferences, which are based on the

I also created Linux Kernel Defence Map that is a graphical representation of the relationships between these hardening features and the corresponding vulnerability classes or exploitation techniques.


Supported microarchitectures
  • X86_64
  • X86_32
  • ARM64
  • ARM

Installation

You can install the package:

pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check

or simply run ./bin/kconfig-hardened-check from the cloned repository.


Usage
usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]
[-c CONFIG]
[-m {verbose,json,show_ok,show_fail}]

Checks the hardening options in the Linux kernel config

optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
-p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
print hardening preferences for selected architecture
-c CONFIG, --config CONFIG
check the kernel config file against these preferences
-m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
choose the report mode

Output for Ubuntu 20.04 LTS (Focal Fossa) kernel config
$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config 
[+] Config file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config
[+] Detected architecture: X86_64
[+] Detected kernel version: 5.4
=========================================================================================================================
option name | desired val | decision | reason | check result
=========================================================================================================================
CONFIG_BUG | y |defconfig | self_protection | OK
CONFIG_SLUB_DEBUG | y |defconfig | self_protection | OK
CONFIG_GCC_PLUGINS | y |defconfig | self_protection | FAIL: not found
CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection | OK
CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection | OK
CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection | OK
CONFIG_REFCOUNT_FULL | y |defconfig | self_protection | FAIL: "is not set"
CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK
CONFIG_MICROCODE | y |defconfig | self_protection | OK
CONFIG_RETPOLINE | y |defconfig | self_protection | OK
CONFIG_X86_SMAP | y |defconfig | self_protection | OK
CONFIG_SYN_COOKIES | y |defconfig | self_protection | OK
CONFIG_X86_UMIP | y |defconfig | self_protection | OK: CONFIG_X86_INTEL_UMIP "y"
CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection | OK
CONFIG_INTEL_IOMMU | y |defconfig | self_protection | OK
CONFIG_AMD_IOMMU | y |defconfig | self_protection | OK
CONFIG_VMAP_STACK | y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection | OK
CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection | OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_WX | y | kspp | self_protection | OK
CONFIG_SCHED_STACK_END_CHEC K | y | kspp | self_protection | OK
CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection | OK
CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK
CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | OK
CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK
CONFIG_DEBUG_LIST | y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_SG | y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection | FAIL: "is not set"
CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection | FAIL: not found
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | FAIL: not found
CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection | FAIL: "y"
CONFIG_MODULE_SIG | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | FAIL: "is not set"
CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection | FAIL: not found
CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y"
CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | FAIL: not found
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK
CONFIG_SECURITY_DMESG_RESTRICT | y | clipos | self_protection | FAIL: "is not set"
CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | FAIL: "is not set"
CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set"
CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | FAIL: not found
CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | FAIL: "y"
CONFIG_RANDOM_TRUST_BOOTL OADER | is not set | clipos | self_protection | FAIL: "y"
CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | FAIL: "y"
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y"
CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK
CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set"
CONFIG_UBSAN_BOUNDS | y | my | self_protection | FAIL: CONFIG_UBSAN_TRAP not "y"
CONFIG_SLUB_DEBUG_ON | y | my | self_protection | FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK
CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "m"
CONFIG_SECURITY | y |defconfig | security_policy | OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK
CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my | security_policy | OK: not found
CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: "is not set"
CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK
CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set"
CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y"
CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK
CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK
CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface | OK
CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface | OK
CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface | OK
CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface | OK
CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_sur face | OK
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface | FAIL: "m"
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface | FAIL: "m"
CONFIG_KEXEC | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_OABI_COMPAT | is not set | kspp | cut_attack_surface | OK: not found
CONFIG_MODULES | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_DEVMEM | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface | FAIL: "is not set"
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface | FAIL: "is not set"
CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface | OK
CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK
CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_KPRO BES | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface | FAIL: "m"
CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m"
CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK
CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_AIO | is not set |grapheneos| cut_attack_surface | FAIL: "y"
CONFIG_STAGING | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_KSM | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_USER_NS | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | FAIL: "m"
CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m"
CONFIG_IO_URING | is not set | clipos | c ut_attack_surface | FAIL: "y"
CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK: not found
CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface | OK: not found
CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_attack_surface | OK
CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m"
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y"
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK
CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | FAIL: not found
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | FAIL: "y"
CONFIG_IP_DCCP | is not set | my | cut_attack_surface | FAIL: "m"
CONFIG_IP_SCTP | is not set | my | cut_attack_surface | FAIL: "m"
CONFIG_FTRACE | is not set | my | cut_attack_surface | FAIL: "y"
CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | FAIL: "m"
CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | FAIL: "m"
CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK
CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28"
[+] Config check is finished: 'OK' - 58 / 'FAIL' - 82

kconfig-hardened-check versioning

I usually update the kernel hardening recommendations after each Linux kernel release.

So the version of kconfig-hardened-check is associated with the corresponding version of the kernel.

The version format is: [major_number].[kernel_version].[kernel_patchlevel]


Questions and answers

Q: How disabling CONFIG_USER_NS cuts the attack surface? It's needed for containers!

A: Yes, the CONFIG_USER_NS option provides some isolation between the userspace programs, but the tool recommends disabling it to cut the attack surface of the kernel.

The rationale:


Q: Why CONFIG_GCC_PLUGINS is automatically disabled during the kernel compilation?

A: It means that your gcc doesn't support plugins. For example, if you have gcc-7 on Ubuntu, try to install gcc-7-plugin-dev package, it should help.


Q: KSPP and CLIP OS recommend CONFIG_PANIC_ON_OOPS=y. Why doesn't this tool do the same?

A: I personally don't support this recommendation because it provides easy denial-of-service attacks for the whole system (kernel oops is not a rare situation). I think having CONFIG_BUG is enough here -- if we have a kernel oops in the process context, the offending/attacking process is killed.


Q: What about performance impact of these kernel hardening options?

A: Ike Devolder @BlackIkeEagle made some performance tests and described the results in this article.


Q: Why enabling CONFIG_STATIC_USERMODEHELPER breaks various things in my GNU/Linux system? Do I really need that feature?

A: Linux kernel usermode helpers can be used for privilege escalation in kernel exploits (example 1, example 2). CONFIG_STATIC_USERMODEHELPER prevents that method. But it requires the corresponding support in the userspace: see the example implementation by Tycho Andersen @tych0.


Q: Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware?

A: Checking the kernel config is not enough to answer this question. I highly recommend using spectre-meltdown-checker tool maintained by Stéphane Lesimple @speed47.



...



📌 Where should I put my font and color config? In my Terminal config? My shell config?


📈 32.67 Punkte

📌 Proactively Hardening Systems: Application and Version Hardening


📈 32.24 Punkte

📌 Proactive System Hardening: Continuous Hardening’s Coming of Age


📈 32.24 Punkte

📌 Exploring the Linux kernel: The secrets of Kconfig/kbuild


📈 31.85 Punkte

📌 Linux Kernel bis 4.13.9 config.c usb_get_bos_descriptor Config Pufferüberlauf


📈 28.58 Punkte

📌 Linux Kernel up to 4.13.9 config.c usb_get_bos_descriptor Config memory corruption


📈 28.58 Punkte

📌 Ausführen beliebiger Kommandos in kconfig (Debian)


📈 25.04 Punkte

📌 Security: Ausführen beliebiger Kommandos in kconfig (Debian)


📈 25.04 Punkte

📌 Ausführen beliebiger Kommandos in kf5-kconfig (Fedora)


📈 25.04 Punkte

📌 Security: Ausführen beliebiger Kommandos in kf5-kconfig (Fedora)


📈 25.04 Punkte

📌 Ausführen beliebiger Kommandos in kconfig und kdelibs4 (SUSE)


📈 25.04 Punkte

📌 Security: Ausführen beliebiger Kommandos in kconfig und kdelibs4 (SUSE)


📈 25.04 Punkte

📌 Ausführen beliebiger Kommandos in KDE KConfig (Gentoo)


📈 25.04 Punkte

📌 Security: Ausführen beliebiger Kommandos in KDE KConfig (Gentoo)


📈 25.04 Punkte

📌 Zwei Probleme in KConfig (Ubuntu)


📈 25.04 Punkte

📌 Security: Zwei Probleme in KConfig (Ubuntu)


📈 25.04 Punkte

📌 DSA-4494 kconfig - security update


📈 25.04 Punkte

📌 Nach Sicherheitslücke: KDE verzichtet auf ausführbare KConfig-Dateien


📈 25.04 Punkte

📌 Nach Sicherheitslücke: KDE verzichtet auf ausführbare KConfig-Dateien


📈 25.04 Punkte

📌 USN-4100-1: KConfig and KDE libraries vulnerabilities


📈 25.04 Punkte

📌 KDE Frameworks KConfig up to 5.60.x Configuration File libKF5ConfigCore.so Remote Code Execution


📈 25.04 Punkte

📌 Leaked? - A Checking Tool For Hash Codes And Passwords Leaked on Kali Linux


📈 22.78 Punkte

📌 AWStats 6.5 1.857 Config awstats.pl config cross site scripting


📈 21.78 Punkte

📌 Config-Model up to 2.x INC Array lib/Config/Model.pm Directory privilege escalation


📈 21.78 Punkte

📌 radare2 1.5.0 DEX File libr/config/config.c r_config_set denial of service


📈 21.78 Punkte

📌 Config-Model bis 2.x INC Array lib/Config/Model.pm Directory erweiterte Rechte


📈 21.78 Punkte

📌 Datenstrom Yellow 0.7.3 Edit Page Action system/config/config.ini cross site scripting


📈 21.78 Punkte

📌 Emerson Liebert Control Access Control config/configUser.htm Config privilege escalation


📈 21.78 Punkte

📌 Spring Cloud Config up to 1.4.5/2.0.3/2.1.1 spring-cloud-config-server directory traversal


📈 21.78 Punkte

📌 Google Anroid up to 9.0 Proxy Auto Config spaces.h heap Config File information disclosure


📈 21.78 Punkte











matomo