Improve --kernel-version and --cmdline #129

Open
jvoisin opened this issue Apr 30, 2024 · 4 comments
Labels
new_feature A new feature of the tool

Comments

@jvoisin (Contributor) commented Apr 30, 2024

$ python3 ./bin/kernel-hardening-checker -h
usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}] [-c CONFIG] [-l CMDLINE] [-s SYSCTL] [-v KERNEL_VERSION] [-p {X86_64,X86_32,ARM64,ARM}] [-g {X86_64,X86_32,ARM64,ARM}]

A tool for checking the security hardening options of the Linux kernel

options:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
                        choose the report mode
  -c CONFIG, --config CONFIG
                        check the security hardening options in the kernel Kconfig file (also supports *.gz files)
  -l CMDLINE, --cmdline CMDLINE
                        check the security hardening options in the kernel cmdline file (contents of /proc/cmdline)
  -s SYSCTL, --sysctl SYSCTL
                        check the security hardening options in the sysctl output file (`sudo sysctl -a > file`)
  -v KERNEL_VERSION, --kernel-version KERNEL_VERSION
                        extract the version from the kernel version file (contents of /proc/version)
  -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
                        print the security hardening recommendations for the selected microarchitecture
  -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
                        generate a Kconfig fragment with the security hardening options for the selected microarchitecture
$

It would be nice to have --cmdline and --kernel-version use default values when not provided with one.

$  # current behaviour
$ python3 ./bin/kernel-hardening-checker -c /boot/config-* --kernel-version 
usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}] [-c CONFIG] [-l CMDLINE] [-s SYSCTL] [-v KERNEL_VERSION] [-p {X86_64,X86_32,ARM64,ARM}] [-g {X86_64,X86_32,ARM64,ARM}]
kernel-hardening-checker: error: argument -v/--kernel-version: expected one argument
$  # desired behaviour
$ python3 ./bin/kernel-hardening-checker -c /boot/config-6.6.3-414.asahi.fc39.aarch64+16k --kernel-version
[+] Kconfig file to check: /boot/config-6.6.3-414.asahi.fc39.aarch64+16k
[+] Detected microarchitecture: ARM64
[+] Detected kernel version: (6, 6, 3) from /proc/version
[+] Detected compiler: GCC 130201
$ # heck, detecting the current kernel and config would be even better:
$ python3 ./bin/kernel-hardening-checker --autodetect
[+] Detected kernel version: (6, 6, 3) from /proc/version
[+] Detected microarchitecture: ARM64
[+] Found corresponding Kconfig file to check: /boot/config-6.6.3-414.asahi.fc39.aarch64+16k
[+] Detected compiler: GCC 130201
@a13xp0p0v added the new_feature label on Jun 2, 2024

@a13xp0p0v (Owner) commented

Hi @jvoisin,

I like this idea.

I see 2 additional features for --autodetect:

  • Try using /proc/config.gz before searching in /boot/.
  • Also check the current sysctl state.

What do you think?

Thank you!

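The autodetect flow the request and the reply above describe (kernel version and release taken from /proc/version, microarchitecture from the machine type, /proc/config.gz tried before /boot/config-<release>, and the current cmdline and sysctl state parsed as well), as an added Python example. This is not kernel-hardening-checker's own code: the function names, the injectable exists() parameter of find_kconfig and the sample /proc/version, Kconfig and cmdline strings are assumptions constructed for illustration.

```python
# Added example, not kernel-hardening-checker's code; names and sample inputs are assumptions.
import gzip
import os
import re
from typing import Callable, Dict, Optional, Tuple

# /proc/version begins "Linux version <release> (...)"; <release> is what "uname -r" prints.
_PROC_VERSION_RE = re.compile(r"^Linux version (?P<release>(\d+)\.(\d+)(?:\.(\d+))?\S*)")

def parse_proc_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, patch), release) from the contents of /proc/version."""
    m = _PROC_VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unexpected /proc/version contents: {text!r}")
    patch = m.group(4) or "0"  # "6.6-rc1"-style strings carry no patch level
    return (int(m.group(2)), int(m.group(3)), int(patch)), m.group("release")

def detect_arch(machine: str) -> str:
    """Map 'uname -m' output to the tool's microarchitecture names."""
    if machine == "x86_64":
        return "X86_64"
    if re.fullmatch(r"i[3-6]86", machine):
        return "X86_32"
    if machine == "aarch64":
        return "ARM64"
    if machine.startswith("arm"):
        return "ARM"
    raise ValueError(f"unsupported machine type: {machine!r}")

def find_kconfig(release: str, exists: Callable[[str], bool] = os.path.exists) -> Optional[str]:
    """Prefer /proc/config.gz (needs CONFIG_IKCONFIG_PROC=y), then /boot/config-<release>.
    'exists' is injectable so the lookup order is testable without a real /proc."""
    for candidate in ("/proc/config.gz", f"/boot/config-{release}"):
        if exists(candidate):
            return candidate
    return None

def parse_kconfig_text(text: str) -> Dict[str, str]:
    """Parse 'CONFIG_FOO=y' and '# CONFIG_BAR is not set' lines into a dict."""
    options: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(CONFIG_\w+)=(.*)", line.strip())
        if m:
            options[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.fullmatch(r"# (CONFIG_\w+) is not set", line.strip())
        if m:
            options[m.group(1)] = "is not set"
    return options

def read_kconfig(path: str) -> Dict[str, str]:
    """Read a plain or gzip-compressed Kconfig file (covers /proc/config.gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as f:
        return parse_kconfig_text(f.read())

def detect_compiler(options: Dict[str, str]) -> str:
    """The kernel records CONFIG_GCC_VERSION / CONFIG_CLANG_VERSION; the unused one is 0."""
    for key, name in (("CONFIG_CLANG_VERSION", "CLANG"), ("CONFIG_GCC_VERSION", "GCC")):
        if options.get(key, "0") != "0":
            return f"{name} {options[key]}"
    return "unknown"

def parse_cmdline(text: str) -> Dict[str, Optional[str]]:
    """Split /proc/cmdline into {param: value}; bare flags such as 'slab_nomerge' map to None."""
    params: Dict[str, Optional[str]] = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params

def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse 'sysctl -a' output lines such as 'kernel.kptr_restrict = 1' into a dict."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            result[key.strip()] = value.strip()
    return result

# Constructed sample inputs for trying the parsers offline; not taken from a real machine.
SAMPLE_PROC_VERSION = ("Linux version 6.6.3-414.asahi.fc39.aarch64+16k (mockbuild@host) "
                       "(gcc (GCC) 13.2.1 20231205, GNU ld version 2.40) #1 SMP")
SAMPLE_KCONFIG = ("# CONFIG_STACKPROTECTOR_STRONG is not set\nCONFIG_GCC_VERSION=130201\n"
                  "CONFIG_CLANG_VERSION=0\nCONFIG_ARM64=y\nCONFIG_LOCALVERSION=\"-asahi\"\n")
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-6.6.3 root=/dev/sda2 ro quiet init_on_alloc=1 slab_nomerge\n"

def autodetect_live() -> dict:
    """What --autodetect would do on the running system: read /proc and /boot directly."""
    with open("/proc/version") as f:
        version, release = parse_proc_version(f.read())
    kconfig_path = find_kconfig(release)
    options = read_kconfig(kconfig_path) if kconfig_path else {}
    with open("/proc/cmdline") as f:
        cmdline = parse_cmdline(f.read())
    return {"kernel version": version, "microarchitecture": detect_arch(os.uname().machine),
            "Kconfig file": kconfig_path, "compiler": detect_compiler(options), "cmdline": cmdline}

if __name__ == "__main__":
    for key, value in autodetect_live().items():
        print(f"[+] Detected {key}: {value}")
```

Run stand-alone on a Linux host, the script prints the detected values for the running kernel in the "[+] Detected ..." style shown in the request. /proc/config.gz only exists when the kernel was built with CONFIG_IKCONFIG_PROC=y, which is why the /boot/ fallback keyed on the release string stays in the lookup order, and why the kernel version and the Kconfig path are derived from the same /proc/version read so they cannot drift apart.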
@jvoisin (Contributor Author) commented Jun 6, 2024

Yup, those were on my todo-list (I should have mentioned it here tbh), but I wanted to see if you'd be interested in this before adding them.

I think it'd make sense to get this one merged, and then pile features on top of it :)

@a13xp0p0v (Owner) commented

Hi @jvoisin,

The --autodetect mode is incompatible with others and requires something like this:

assert(args.config is None and
       args.cmdline is None and
       args.sysctl is None and
       args.print is None and
       args.generate is None), \
       'unexpected args'

So I think the --autodetect mode checking kconfig, cmdline, and sysctls should be implemented in a separate if block, similarly to if args.print and if args.generate in the current code.

I would propose reimplementing it in the current PR and get the final --autodetect argument behavior before merging.

@jvoisin (Contributor Author) commented Jun 9, 2024

Done in #130.
