diff --git a/README.md b/README.md index d6e22da87f0baab6a2fb54c0b2e46b6fd8b797b1..2ee441af886fd349df52f2b542afba99af36749d 100644 --- a/README.md +++ b/README.md @@ -32,207 +32,207 @@ Option | Desired Value | Source | Reason | Result | |--- | --- | --- | --- | --- | -CONFIG_BUG |kconfig| y |defconfig | self_protection | OK -CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK -CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK -CONFIG_STACKPROTECTOR |kconfig| y |defconfig | self_protection | OK -CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | OK -CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK -CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK -CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | OK: version >= 5.5 -CONFIG_INIT_STACK_ALL_ZERO |kconfig| y |defconfig | self_protection | OK -CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK -CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK -CONFIG_SPECULATION_MITIGATIONS |kconfig| y |defconfig | self_protection | OK -CONFIG_DEBUG_WX |kconfig| y |defconfig | self_protection | OK -CONFIG_WERROR |kconfig| y |defconfig | self_protection | OK -CONFIG_X86_MCE |kconfig| y |defconfig | self_protection | OK -CONFIG_X86_MCE_INTEL |kconfig| y |defconfig | self_protection | OK -CONFIG_X86_MCE_AMD |kconfig| y |defconfig | self_protection | OK -CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK -CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK -CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK -CONFIG_MICROCODE_INTEL |kconfig| y |defconfig | self_protection | OK: CONFIG_MICROCODE is "y" -CONFIG_MICROCODE_AMD |kconfig| y |defconfig | self_protection | OK: CONFIG_MICROCODE is "y" -CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK: version >= 5.19 -CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK -CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK -CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK -CONFIG_X86_KERNEL_IBT |kconfig| y |defconfig | self_protection | OK -CONFIG_CPU_SRSO |kconfig| y |defconfig | self_protection | OK -CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK -CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK -CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | OK -CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK -CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK -CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK -CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK -CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | OK -CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | OK -CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | OK -CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK -CONFIG_KFENCE |kconfig| y | kspp | self_protection | OK -CONFIG_KFENCE_SAMPLE_INTERVAL |kconfig| is not off | my | self_protection | OK: is not off, "100" -CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK -CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | OK: is not found -CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig| is not set | kspp | self_protection | OK: is not found -CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK -CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK -CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK -CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | OK -CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | OK -CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | kspp | self_protection | OK -CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | kspp | self_protection | OK -CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | OK -CONFIG_HW_RANDOM_TPM |kconfig| y | kspp | self_protection | OK -CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK -CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | OK -CONFIG_IOMMU_DEFAULT_PASSTHROUGH |kconfig| is not set | kspp | self_protection | OK -CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | kspp | self_protection | OK -CONFIG_SLS |kconfig| y | kspp | self_protection | OK -CONFIG_INTEL_IOMMU_SVM |kconfig| y | kspp | self_protection | OK -CONFIG_AMD_IOMMU_V2 |kconfig| y | kspp | self_protection | OK -CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | OK -CONFIG_LIST_HARDENED |kconfig| y | my | self_protection | OK -CONFIG_RANDOM_KMALLOC_CACHES |kconfig| y | my | self_protection | OK -CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK -CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK -CONFIG_SECURITY_LANDLOCK |kconfig| y | kspp | security_policy | OK -CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK: is not found -CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | kspp | security_policy | OK -CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | kspp | security_policy | OK -CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | kspp | security_policy | OK -CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | kspp | security_policy | OK: is not found -CONFIG_SECURITY_SELINUX_DEBUG |kconfig| is not set | my | security_policy | OK -CONFIG_SECURITY_SELINUX |kconfig| y | my | security_policy | OK -CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK -CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK -CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| OK -CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK: CONFIG_DEVMEM is "is not set" -CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y |defconfig |cut_attack_surface| OK -CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| OK -CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| OK: is not found -CONFIG_COMPAT_BRK |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK: is not found -CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_LEGACY_PTYS |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: is not found -CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| OK: is not found -CONFIG_X86_X32_ABI |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: is not found -CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_LEGACY_TIOCSTI |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| OK: CONFIG_DEVMEM is "is not set" -CONFIG_LDISC_AUTOLOAD |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_COMPAT_VDSO |kconfig| is not set | kspp |cut_attack_surface| OK: is not found -CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | kspp |cut_attack_surface| OK -CONFIG_ZSMALLOC_STAT |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_PAGE_OWNER |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_DEBUG_KMEMLEAK |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_BINFMT_AOUT |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_FUNCTION_TRACER |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_STACK_TRACER |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_HIST_TRIGGERS |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_BLK_DEV_IO_TRACE |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_PROC_VMCORE |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_PROC_PAGE_MONITOR |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_USELIB |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_CHECKPOINT_RESTORE |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_USERFAULTFD |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_HWPOISON_INJECT |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_MEM_SOFT_DIRTY |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_NOTIFIER_ERROR_INJECTION |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_EDAC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_DRM_I915_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_BCACHE_CLOSURES_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_DVB_C8SECTPFE |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_LATENCYTOP |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_KCOV |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| OK -CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_PTDUMP_DEBUGFS |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_attack_surface| OK -CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| OK: is not found -CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK: is not found -CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT |kconfig| is not set |maintainer|cut_attack_surface| OK: is not found -CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| OK -CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| OK -CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| OK -CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| OK -CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| OK -CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| OK -CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| OK -CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| OK -CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| OK -CONFIG_AIO |kconfig| is not set | clipos |cut_attack_surface| OK -CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK -CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK: is not found -CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| OK -CONFIG_MMIOTRACE |kconfig| is not set | my |cut_attack_surface| OK: is not found -CONFIG_LIVEPATCH |kconfig| is not set | my |cut_attack_surface| OK: is not found -CONFIG_IP_DCCP |kconfig| is not set | my |cut_attack_surface| OK -CONFIG_IP_SCTP |kconfig| is not set | my |cut_attack_surface| OK -CONFIG_FTRACE |kconfig| is not set | my |cut_attack_surface| OK -CONFIG_VIDEO_VIVID |kconfig| is not set | my |cut_attack_surface| OK -CONFIG_INPUT_EVBUG |kconfig| is not set | my |cut_attack_surface| OK -CONFIG_KGDB |kconfig| is not set | my |cut_attack_surface| OK -CONFIG_CORESIGHT |kconfig| is not set | my |cut_attack_surface| OK: is not found -CONFIG_XFS_SUPPORT_V4 |kconfig| is not set | my |cut_attack_surface| OK: is not found -CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| OK -CONFIG_MODULE_FORCE_LOAD |kconfig| is not set | my |cut_attack_surface| OK -CONFIG_COREDUMP |kconfig| is not set | clipos | harden_userspace | OK -CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | my | harden_userspace | OK +CONFIG_BUG | y |defconfig | self_protection | OK +CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection | OK +CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK +CONFIG_STACKPROTECTOR | y |defconfig | self_protection | OK +CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection | OK +CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection | OK +CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection | OK +CONFIG_REFCOUNT_FULL | y |defconfig | self_protection | OK: version >= 5.5 +CONFIG_INIT_STACK_ALL_ZERO | y |defconfig | self_protection | OK +CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection | OK +CONFIG_VMAP_STACK | y |defconfig | self_protection | OK +CONFIG_SPECULATION_MITIGATIONS | y |defconfig | self_protection | OK +CONFIG_DEBUG_WX | y |defconfig | self_protection | OK +CONFIG_WERROR | y |defconfig | self_protection | OK +CONFIG_X86_MCE | y |defconfig | self_protection | OK +CONFIG_X86_MCE_INTEL | y |defconfig | self_protection | OK +CONFIG_X86_MCE_AMD | y |defconfig | self_protection | OK +CONFIG_RETPOLINE | y |defconfig | self_protection | OK +CONFIG_SYN_COOKIES | y |defconfig | self_protection | OK +CONFIG_MICROCODE | y |defconfig | self_protection | OK +CONFIG_MICROCODE_INTEL | y |defconfig | self_protection | OK: CONFIG_MICROCODE is "y" +CONFIG_MICROCODE_AMD | y |defconfig | self_protection | OK: CONFIG_MICROCODE is "y" +CONFIG_X86_SMAP | y |defconfig | self_protection | OK: version >= 5.19 +CONFIG_X86_UMIP | y |defconfig | self_protection | OK +CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection | OK +CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection | OK +CONFIG_X86_KERNEL_IBT | y |defconfig | self_protection | OK +CONFIG_CPU_SRSO | y |defconfig | self_protection | OK +CONFIG_INTEL_IOMMU | y |defconfig | self_protection | OK +CONFIG_AMD_IOMMU | y |defconfig | self_protection | OK +CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection | OK +CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection | OK +CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK +CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | OK +CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK +CONFIG_DEBUG_LIST | y | kspp | self_protection | OK +CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | OK +CONFIG_SCHED_CORE | y | kspp | self_protection | OK +CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection | OK +CONFIG_KFENCE | y | kspp | self_protection | OK +CONFIG_KFENCE_SAMPLE_INTERVAL | is not off | my | self_protection | OK: is not off, "100" +CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK +CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection | OK: is not found +CONFIG_HARDENED_USERCOPY_PAGESPAN | is not set | kspp | self_protection | OK: is not found +CONFIG_MODULE_SIG | y | kspp | self_protection | OK +CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK +CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK +CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | OK +CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK +CONFIG_EFI_DISABLE_PCI_DMA | y | kspp | self_protection | OK +CONFIG_RESET_ATTACK_MITIGATION | y | kspp | self_protection | OK +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT | y | kspp | self_protection | OK +CONFIG_HW_RANDOM_TPM | y | kspp | self_protection | OK +CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK +CONFIG_IOMMU_DEFAULT_DMA_STRICT | y | kspp | self_protection | OK +CONFIG_IOMMU_DEFAULT_PASSTHROUGH | is not set | kspp | self_protection | OK +CONFIG_INTEL_IOMMU_DEFAULT_ON | y | kspp | self_protection | OK +CONFIG_SLS | y | kspp | self_protection | OK +CONFIG_INTEL_IOMMU_SVM | y | kspp | self_protection | OK +CONFIG_AMD_IOMMU_V2 | y | kspp | self_protection | OK +CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | OK +CONFIG_LIST_HARDENED | y | my | self_protection | OK +CONFIG_RANDOM_KMALLOC_CACHES | y | my | self_protection | OK +CONFIG_SECURITY | y |defconfig | security_policy | OK +CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK +CONFIG_SECURITY_LANDLOCK | y | kspp | security_policy | OK +CONFIG_SECURITY_SELINUX_DISABLE | is not set | kspp | security_policy | OK: is not found +CONFIG_SECURITY_LOCKDOWN_LSM | y | kspp | security_policy | OK +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | kspp | security_policy | OK +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | kspp | security_policy | OK +CONFIG_SECURITY_WRITABLE_HOOKS | is not set | kspp | security_policy | OK: is not found +CONFIG_SECURITY_SELINUX_DEBUG | is not set | my | security_policy | OK +CONFIG_SECURITY_SELINUX | y | my | security_policy | OK +CONFIG_SECCOMP | y |defconfig |cut_attack_surface| OK +CONFIG_SECCOMP_FILTER | y |defconfig |cut_attack_surface| OK +CONFIG_BPF_UNPRIV_DEFAULT_OFF | y |defconfig |cut_attack_surface| OK +CONFIG_STRICT_DEVMEM | y |defconfig |cut_attack_surface| OK: CONFIG_DEVMEM is "is not set" +CONFIG_X86_INTEL_TSX_MODE_OFF | y |defconfig |cut_attack_surface| OK +CONFIG_SECURITY_DMESG_RESTRICT | y | kspp |cut_attack_surface| OK +CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp |cut_attack_surface| OK: is not found +CONFIG_COMPAT_BRK | is not set | kspp |cut_attack_surface| OK +CONFIG_DEVKMEM | is not set | kspp |cut_attack_surface| OK: is not found +CONFIG_INET_DIAG | is not set | kspp |cut_attack_surface| OK +CONFIG_KEXEC | is not set | kspp |cut_attack_surface| OK +CONFIG_PROC_KCORE | is not set | kspp |cut_attack_surface| OK +CONFIG_LEGACY_PTYS | is not set | kspp |cut_attack_surface| OK +CONFIG_HIBERNATION | is not set | kspp |cut_attack_surface| OK +CONFIG_COMPAT | is not set | kspp |cut_attack_surface| OK: is not found +CONFIG_IA32_EMULATION | is not set | kspp |cut_attack_surface| OK +CONFIG_X86_X32 | is not set | kspp |cut_attack_surface| OK: is not found +CONFIG_X86_X32_ABI | is not set | kspp |cut_attack_surface| OK +CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp |cut_attack_surface| OK +CONFIG_OABI_COMPAT | is not set | kspp |cut_attack_surface| OK: is not found +CONFIG_X86_MSR | is not set | kspp |cut_attack_surface| OK +CONFIG_LEGACY_TIOCSTI | is not set | kspp |cut_attack_surface| OK +CONFIG_DEVMEM | is not set | kspp |cut_attack_surface| OK +CONFIG_IO_STRICT_DEVMEM | y | kspp |cut_attack_surface| OK: CONFIG_DEVMEM is "is not set" +CONFIG_LDISC_AUTOLOAD | is not set | kspp |cut_attack_surface| OK +CONFIG_COMPAT_VDSO | is not set | kspp |cut_attack_surface| OK: is not found +CONFIG_X86_VSYSCALL_EMULATION | is not set | kspp |cut_attack_surface| OK +CONFIG_ZSMALLOC_STAT | is not set | grsec |cut_attack_surface| OK +CONFIG_PAGE_OWNER | is not set | grsec |cut_attack_surface| OK +CONFIG_DEBUG_KMEMLEAK | is not set | grsec |cut_attack_surface| OK +CONFIG_BINFMT_AOUT | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_KPROBE_EVENTS | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_UPROBE_EVENTS | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_GENERIC_TRACER | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_FUNCTION_TRACER | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_STACK_TRACER | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_HIST_TRIGGERS | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_BLK_DEV_IO_TRACE | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_PROC_VMCORE | is not set | grsec |cut_attack_surface| OK +CONFIG_PROC_PAGE_MONITOR | is not set | grsec |cut_attack_surface| OK +CONFIG_USELIB | is not set | grsec |cut_attack_surface| OK +CONFIG_CHECKPOINT_RESTORE | is not set | grsec |cut_attack_surface| OK +CONFIG_USERFAULTFD | is not set | grsec |cut_attack_surface| OK +CONFIG_HWPOISON_INJECT | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_MEM_SOFT_DIRTY | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_DEVPORT | is not set | grsec |cut_attack_surface| OK +CONFIG_DEBUG_FS | is not set | grsec |cut_attack_surface| OK +CONFIG_NOTIFIER_ERROR_INJECTION | is not set | grsec |cut_attack_surface| OK +CONFIG_FAIL_FUTEX | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_PUNIT_ATOM_DEBUG | is not set | grsec |cut_attack_surface| OK +CONFIG_ACPI_CONFIGFS | is not set | grsec |cut_attack_surface| OK +CONFIG_EDAC_DEBUG | is not set | grsec |cut_attack_surface| OK +CONFIG_DRM_I915_DEBUG | is not set | grsec |cut_attack_surface| OK +CONFIG_BCACHE_CLOSURES_DEBUG | is not set | grsec |cut_attack_surface| OK +CONFIG_DVB_C8SECTPFE | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_MTD_SLRAM | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_MTD_PHRAM | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_IO_URING | is not set | grsec |cut_attack_surface| OK +CONFIG_RSEQ | is not set | grsec |cut_attack_surface| OK +CONFIG_LATENCYTOP | is not set | grsec |cut_attack_surface| OK +CONFIG_KCOV | is not set | grsec |cut_attack_surface| OK +CONFIG_PROVIDE_OHCI1394_DMA_INIT | is not set | grsec |cut_attack_surface| OK +CONFIG_SUNRPC_DEBUG | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_PTDUMP_DEBUGFS | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_DRM_LEGACY | is not set |maintainer|cut_attack_surface| OK +CONFIG_BLK_DEV_FD | is not set |maintainer|cut_attack_surface| OK: is not found +CONFIG_BLK_DEV_FD_RAWCMD | is not set |maintainer|cut_attack_surface| OK: is not found +CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT | is not set |maintainer|cut_attack_surface| OK: is not found +CONFIG_STAGING | is not set | clipos |cut_attack_surface| OK +CONFIG_KSM | is not set | clipos |cut_attack_surface| OK +CONFIG_KALLSYMS | is not set | clipos |cut_attack_surface| OK +CONFIG_MAGIC_SYSRQ | is not set | clipos |cut_attack_surface| OK +CONFIG_KEXEC_FILE | is not set | clipos |cut_attack_surface| OK +CONFIG_X86_CPUID | is not set | clipos |cut_attack_surface| OK +CONFIG_X86_IOPL_IOPERM | is not set | clipos |cut_attack_surface| OK +CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos |cut_attack_surface| OK +CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos |cut_attack_surface| OK +CONFIG_AIO | is not set | clipos |cut_attack_surface| OK +CONFIG_EFI_TEST | is not set | lockdown |cut_attack_surface| OK +CONFIG_MMIOTRACE_TEST | is not set | lockdown |cut_attack_surface| OK: is not found +CONFIG_KPROBES | is not set | lockdown |cut_attack_surface| OK +CONFIG_MMIOTRACE | is not set | my |cut_attack_surface| OK: is not found +CONFIG_LIVEPATCH | is not set | my |cut_attack_surface| OK: is not found +CONFIG_IP_DCCP | is not set | my |cut_attack_surface| OK +CONFIG_IP_SCTP | is not set | my |cut_attack_surface| OK +CONFIG_FTRACE | is not set | my |cut_attack_surface| OK +CONFIG_VIDEO_VIVID | is not set | my |cut_attack_surface| OK +CONFIG_INPUT_EVBUG | is not set | my |cut_attack_surface| OK +CONFIG_KGDB | is not set | my |cut_attack_surface| OK +CONFIG_CORESIGHT | is not set | my |cut_attack_surface| OK: is not found +CONFIG_XFS_SUPPORT_V4 | is not set | my |cut_attack_surface| OK: is not found +CONFIG_TRIM_UNUSED_KSYMS | y | my |cut_attack_surface| OK +CONFIG_MODULE_FORCE_LOAD | is not set | my |cut_attack_surface| OK +CONFIG_COREDUMP | is not set | clipos | harden_userspace | OK +CONFIG_ARCH_MMAP_RND_BITS | 32 | my | harden_userspace | OK #### Fails Option | Desired Value | Source | Reason | Result | |--- | --- | --- | --- | --- | -CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | FAIL: "is not set" -CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: is not found -CONFIG_DEBUG_VIRTUAL |kconfig| y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: is not found -CONFIG_STATIC_USERMODEHELPER |kconfig| y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set" -CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: is not found -CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL is not "y" -CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" -CONFIG_UBSAN_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found -CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found -CONFIG_UBSAN_TRAP |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y" -CONFIG_UBSAN_SANITIZE_ALL |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y" -CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" -CONFIG_STACKLEAK_METRICS |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" -CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" -CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: is not found -CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CFI_CLANG is not "y" -CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | kspp | security_policy | FAIL: "y" -CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | kspp | security_policy | FAIL: "y" -CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m" -CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: is not found -CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" -CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y" -CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y" -CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y" +CONFIG_SLUB_DEBUG | y |defconfig | self_protection | FAIL: "is not set" +CONFIG_GCC_PLUGINS | y |defconfig | self_protection | FAIL: is not found +CONFIG_DEBUG_VIRTUAL | y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_SG | y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection | FAIL: is not found +CONFIG_STATIC_USERMODEHELPER | y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection | FAIL: "is not set" +CONFIG_RANDSTRUCT_FULL | y | kspp | self_protection | FAIL: is not found +CONFIG_RANDSTRUCT_PERFORMANCE | is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL is not "y" +CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" +CONFIG_UBSAN_BOUNDS | y | kspp | self_protection | FAIL: is not found +CONFIG_UBSAN_LOCAL_BOUNDS | y | kspp | self_protection | FAIL: is not found +CONFIG_UBSAN_TRAP | y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y" +CONFIG_UBSAN_SANITIZE_ALL | y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y" +CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" +CONFIG_STACKLEAK_METRICS | is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" +CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" +CONFIG_CFI_CLANG | y | kspp | self_protection | FAIL: is not found +CONFIG_CFI_PERMISSIVE | is not set | kspp | self_protection | FAIL: CONFIG_CFI_CLANG is not "y" +CONFIG_SECURITY_SELINUX_BOOTPARAM | is not set | kspp | security_policy | FAIL: "y" +CONFIG_SECURITY_SELINUX_DEVELOP | is not set | kspp | security_policy | FAIL: "y" +CONFIG_BINFMT_MISC | is not set | kspp |cut_attack_surface| FAIL: "m" +CONFIG_MODULES | is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_FAIL_FUTEX | is not set | grsec |cut_attack_surface| OK: is not found +CONFIG_KCMP | is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_FB | is not set |maintainer|cut_attack_surface| FAIL: "y" +CONFIG_VT | is not set |maintainer|cut_attack_surface| FAIL: "y" +CONFIG_USER_NS | is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_BPF_SYSCALL | is not set | lockdown |cut_attack_surface| FAIL: "y" ``` Totals: 'OK' - 148 / 'FAIL' - 16