Last active
July 13, 2020 21:03
-
-
Save fonic/9af8deaae7b7297361fb137bde7b530a to your computer and use it in GitHub Desktop.
Check hardened Linux kernel configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # ------------------------------------------------------------------------- | |
| # - | |
| # Check hardened Linux kernel configuration - | |
| # - | |
| # Created by Fonic <https://github.com/fonic> - | |
| # Date: 07/13/20 - | |
| # - | |
| # ------------------------------------------------------------------------- | |
| # Check command line | |
| [[ -n "${1+set}" && "$1" == "--hide-ok" ]] && { hide_ok="true"; shift; } || hide_ok="false" | |
| if (( $# < 1 )); then | |
| echo "Usage: $(basename "$0") [--hide-ok] CONFIG..." | |
| echo "Example: $(basename "$0") /usr/src/linux/.config" | |
| exit 2 | |
| fi | |
| # Check if root | |
| # NOTE: would work fine as root, but it's just never a good idea to run downloaded | |
| # stuff as root... | |
| if (( ${EUID} == 0 )); then | |
| echo -e "\e[1;33mRoot should not do this.\e[0m" | |
| exit 1 | |
| fi | |
| # Check required commands | |
| if ! command -v "pip" &>/dev/null; then | |
| echo -e "\e[1;31mError: required command 'pip' is not available\e[0m" | |
| [[ "$(uname -r 2>/dev/null)" == *gentoo ]] && echo -e "\e[1;31mPlease install package 'dev-python/pip'\e[0m" | |
| exit 1 | |
| fi | |
| # Install Python packages 'kcc' (https://github.com/clearlinux/kernel-config-checker) | |
| # and 'kconfig-hardened-check' (https://github.com/a13xp0p0v/kconfig-hardened-check) | |
| # NOTE on '2>&1': a few lines of git output are sent to stderr for some reason, thus | |
| # we redirect to stdout so user can easily redirect all script output to file | |
| echo -e "\e[1mInstalling packages...\e[0m" | |
| pip install --user git+https://github.com/clearlinux/kernel-config-checker 2>&1 || { echo -e "\e[1;31mFailed to install Python package 'kcc', aborting.\e[0m"; exit 1; } | |
| pip install --user git+https://github.com/a13xp0p0v/kconfig-hardened-check 2>&1 || { echo -e "\e[1;31mFailed to install Python package 'kconfig-hardened-check', aborting.\e[0m"; exit 1; } | |
| # Check specified kernel configuration(s) | |
| for config; do | |
| echo | |
| [[ ! -f "${config}" ]] && { echo -e "\e[1;31mConfiguration file '${config}' not found, skipping.\e[0m"; continue; } | |
| echo -e "\e[1mChecking config '${config}' using 'kcc'...\e[0m" | |
| ~/.local/bin/kcc --query "${config}" | |
| echo | |
| echo -e "\e[1mChecking config '${config}' using 'kconfig-hardened-check'...\e[0m" | |
| if [[ "${hide_ok}" == "true" ]]; then | |
| ~/.local/bin/kconfig-hardened-check --config "${config}" | grep -v "| OK" | |
| else | |
| ~/.local/bin/kconfig-hardened-check --config "${config}" | |
| fi | |
| done | |
| # Uninstall 'kcc' / 'kconfig-hardened-check' | |
| echo | |
| echo -e "\e[1mUninstalling packages...\e[0m" | |
| pip uninstall --yes kcc kconfig-hardened-check |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Related Gentoo Linux forum post:
https://forums.gentoo.org/viewtopic-p-8480264.html#8480264
NOTE:
Although this script was created with Gentoo Linux in mind, it should run perfectly fine on other Linux distributions as well.