Motivation

There are plenty of Linux kernel hardening config options. A lot of them are not enabled by the major distros. We have to enable these options ourselves to make our systems more secure.

But nobody likes checking configs manually. So let the computers do their job!

I've created a kconfig-hardened-check.py, which helps me to check the Linux kernel Kconfig option list against my hardening preferences for x86_64, which are based on the KSPP recommended settings and the last public grsecurity patch (options which they disable).

Please don't cry if my Python code looks like C. I'm just a kernel developer.

Script usage

#./kconfig-hardened-check.py
Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
 -p, --print
	print hardening preferences
 -c <config_file>, --config=<config_file>
	check the config_file against these preferences