From patchwork Mon Jan 6 09:54:17 2025
X-Patchwork-Submitter: Jörg Sommer
X-Patchwork-Id: 55047
Date: Mon, 6 Jan 2025 10:54:17 +0100
From: Jörg Sommer
To: openembedded-devel@lists.openembedded.org, joerg.sommer@navimatix.de
CC: Jörg Sommer
Subject: [PATCH] kernel-hardening-checker: New recipe to check security options
Message-ID: <8a7e342f75d3437817436be02500418da215ffed.1736157256.git.joerg.sommer@navimatix.de>
X-Mailer: git-send-email 2.45.2
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114660
From: Jörg Sommer
Signed-off-by: Jörg Sommer
---
 .../kernel-hardening-checker_0.6.10.bb | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.bb

diff --git a/meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.bb b/meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.bb
new file mode 100644
index 0000000000..1daf5d8c70
--- /dev/null
+++ b/meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.bb
@@ -0,0 +1,33 @@ +SUMMARY = "A tool for checking the security hardening options of the Linux kernel" +DESCRIPTION = "\ + There are plenty of security hardening options for the Linux kernel; Kconfig \ + options (compile-time); Kernel cmdline arguments (boot-time); Sysctl \ + parameters (runtime). A lot of them have to be enabled manually to make the \ + system more secure which is difficult to track. This tool helps with this \ + task by checking and reporting about the settings compared to a list of \ + recommendation. \ +" +HOMEPAGE = "https://github.com/a13xp0p0v/kernel-hardening-checker" +BUGTRACKER = "https://github.com/a13xp0p0v/kernel-hardening-checker/issues" +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=d32239bcb673463ab874e80d47fae504" + +SRC_URI = "git://github.com/a13xp0p0v/kernel-hardening-checker;protocol=https;branch=master" +SRCREV = "f4dbe258ff3d37489962ea9cf210192ae7ff9280" + +S = "${UNPACKDIR}/git" + +RDEPENDS:${PN} = "\ + python3-json \ +" + +# /boot/config is required for the analysis +RRECOMMENDS:${PN}:class-target = "\ + kernel-dev \ +" + +inherit setuptools3 + +# allow to run on build host, if you don't want it in the image +# oe-run-native kernel-hardening-checker-native kernel-hardening-checker ... +BBCLASSEXTEND = "native"
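Review bot: The comment above the RRECOMMENDS block says the kernel config under /boot is required for the analysis, yet only kernel-dev is recommended, not required; an image built with recommends disabled will ship the checker without the config and the Kconfig part of the check (the bulk of what DESCRIPTION promises, alongside cmdline and sysctl) silently has nothing to work on. Either make the dependency a hard RDEPENDS, or extend the comment to say the user must supply the config themselves when kernel-dev is not installed. Two smaller points in the same hunk: DESCRIPTION ends with "a list of recommendation", which should be "recommendations", and the comment "allow to run on build host, if you don't want it in the image" reads better as "allow running on the build host if you don't want it in the image". Style-wise, `RDEPENDS:${PN} = "..."` with a plain `=` is fragile against anything the inherited class contributes; meta-oe python recipes normally use `+=` here.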