Довольно сомнительное утверждениеСуществует множество вариантов усиления безопасности ядра Linux. Многие из них не поддерживаются основными дистрибутивами. Мы должны сами включить эти опции, чтобы сделать наши системы более безопасными.
Но никто не любит проверять конфиги вручную. Так что позвольте компьютерам делать свою работу!
pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker
Код: Выделить всё
olej@R420:~$ pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker
Defaulting to user installation because normal site-packages is not writeable
Collecting git+https://github.com/a13xp0p0v/kernel-hardening-checker
Cloning https://github.com/a13xp0p0v/kernel-hardening-checker to /tmp/pip-req-build-h_p6krzm
Running command git clone --filter=blob:none --quiet https://github.com/a13xp0p0v/kernel-hardening-checker /tmp/pip-req-build-h_p6krzm
Resolved https://github.com/a13xp0p0v/kernel-hardening-checker to commit 0cfd2e7b87a1d704e378b1d774163d7954f73cff
Preparing metadata (setup.py) ... done
Building wheels for collected packages: kernel-hardening-checker
Building wheel for kernel-hardening-checker (setup.py) ... done
Created wheel for kernel-hardening-checker: filename=kernel_hardening_checker-0.6.1-py3-none-any.whl size=2945225 sha256=9b4ae29ec359aa4d2adae5e03ec7d1d052f24b38ceac887c3a5ae83efc49fba0
Stored in directory: /tmp/pip-ephem-wheel-cache-0tqxj4oq/wheels/dd/bd/74/96a6f83f5a2f2f434c3a2b63e1bf211140fe3305b4527b5fec
Successfully built kernel-hardening-checker
Installing collected packages: kernel-hardening-checker
Successfully installed kernel-hardening-checker-0.6.1
or simply run ./bin/kernel-hardening-checker from the cloned repository.
Код: Выделить всё
olej@R420:~$ which kernel-hardening-checker
/home/olej/.local/bin/kernel-hardening-checker
Some Linux distributions also provide kernel-hardening-checker as a package.
Код: Выделить всё
olej@R420:~$ aptitude search kernel-hardening-checker
olej@R420:~$
Код: Выделить всё
olej@R420:~$ kernel-hardening-checker
usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}] [-c CONFIG] [-l CMDLINE] [-s SYSCTL]
[-p {X86_64,X86_32,ARM64,ARM}] [-g {X86_64,X86_32,ARM64,ARM}]
A tool for checking the security hardening options of the Linux kernel
options:
-h, --help show this help message and exit
--version show program's version number and exit
-m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
choose the report mode
-c CONFIG, --config CONFIG
check the security hardening options in the kernel Kconfig file (also supports *.gz files)
-l CMDLINE, --cmdline CMDLINE
check the security hardening options in the kernel cmdline file (contents of /proc/cmdline)
-s SYSCTL, --sysctl SYSCTL
check the security hardening options in the sysctl output file (`sudo sysctl -a > file`)
-p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
print the security hardening recommendations for the selected microarchitecture
-g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
generate a Kconfig fragment with the security hardening options for the selected microarchitecture