Linux kernel hardening options

Hardening is the process of securing a system by reducing its attack surface (for example by removing unused or unsafe options and modules), by setting defaults that are considered safe, and by enabling additional runtime checks. The goal is to make an attack harder to carry out, or to reduce its impact when it succeeds.

Apart from the security gain, these options also benefit developers and users because they detect bugs earlier, which raises software quality in general. On the other hand, the additional checks cost CPU cycles and can reduce performance. We compared our selection against published benchmark results, avoided the most expensive options, and expect the performance loss to be around 5 percent at most.

This document describes the Linux kernel hardening options of All Scenarios OS. The options are defined in configuration fragments in the directory meta-ohos-core/recipes-kernel/linux/linux/

Here we document the decisions that have been made for the different categories of options. The option descriptions are quoted from the kernel's Kconfig help text; the Reason lines are ours.

Memory allocator
The memory allocator hardening options protect against information leaks from freed memory, against use of uninitialized allocations, and against attacks that corrupt the allocator's own metadata (the free-list pointers) to make it hand out memory it should not.

Source files: meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator.cfg and meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg

-----------------------------------------------
| Config option                   | Our setup |
-----------------------------------------------
| CONFIG_SLAB_FREELIST_RANDOM     | On        |
| CONFIG_SLAB_FREELIST_HARDENED   | On        |
| CONFIG_SHUFFLE_PAGE_ALLOCATOR   | On        |
| CONFIG_PAGE_POISONING           | On        |
| CONFIG_PAGE_POISONING_NO_SANITY | On        |
| CONFIG_PAGE_POISONING_ZERO      | On        |
| CONFIG_INIT_ON_ALLOC_DEFAULT_ON | On        |
-----------------------------------------------

CONFIG_SLAB_FREELIST_RANDOM=y
Description: Randomizes the freelist order used on creating new pages. This security feature reduces the predictability of the kernel slab allocator against heap overflows.
Status: applied
Recommendation source: KSPP

CONFIG_SLAB_FREELIST_HARDENED=y
Description: Many kernel heap attacks try to target slab cache metadata and other infrastructure. This option makes minor performance sacrifices to harden the kernel slab allocator against common freelist exploit methods. Some slab implementations have more sanity-checking than others. This option is most effective with SLUB.
Status: applied
Recommendation source: KSPP
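To make the free-list protection concrete, here is an added example written for this page (it is not code from the kernel or from All Scenarios OS): a user-space C model of SLUB's in-object free list that can be exercised with and without the FREELIST_HARDENED encoding. It assumes a 64-bit host with gcc or clang, uses a constructed per-cache secret where SLUB calls get_random_long(), and returns an error where SLUB would BUG(); the helper names follow mm/slub.c, the code itself is ours. It shows the hijack that an overflow into a free neighbour achieves against a plain free list, that the same write no longer decodes to the attacker's target once the pointer is encoded, and the naive double-free check that comes with the option.

```c
/*
 * Added example, not code from this page or from All Scenarios OS: a
 * user-space model of the in-object free list that SLUB keeps, with and
 * without the CONFIG_SLAB_FREELIST_HARDENED pointer encoding
 *     stored = ptr ^ cache->random ^ swab(address of the stored word)
 * Assumptions: 64-bit host, gcc/clang, a constructed per-cache secret
 * instead of get_random_long(), an error return where SLUB would BUG().
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OBJ_SIZE   64
#define NR_OBJECTS 8

struct cache {
    int hardened;                  /* 0: plain SLUB, 1: FREELIST_HARDENED */
    uintptr_t random;              /* per-cache secret (constructed) */
    unsigned char slab[NR_OBJECTS * OBJ_SIZE];
    void *freelist;                /* head of the free list */
};

/* Byte-swap a pointer-sized word, like the kernel's swab() on 64-bit. */
static uintptr_t swab(uintptr_t v) { return (uintptr_t)__builtin_bswap64((uint64_t)v); }

/* freelist_ptr() from mm/slub.c: the same XOR encodes and decodes. */
static void *freelist_ptr(const struct cache *c, void *ptr, uintptr_t ptr_addr)
{
    if (!c->hardened)
        return ptr;
    return (void *)((uintptr_t)ptr ^ c->random ^ swab(ptr_addr));
}

static void *get_freepointer(const struct cache *c, void *object)
{
    void *raw;
    memcpy(&raw, object, sizeof raw);   /* the word stored in the free object */
    return freelist_ptr(c, raw, (uintptr_t)object);
}

/* Returns -1 where SLUB does BUG_ON(object == fp): naive double-free check. */
static int set_freepointer(struct cache *c, void *object, void *fp)
{
    if (c->hardened && object == fp)
        return -1;
    void *enc = freelist_ptr(c, fp, (uintptr_t)object);
    memcpy(object, &enc, sizeof enc);
    return 0;
}

static void cache_init(struct cache *c, int hardened)
{
    memset(c, 0, sizeof *c);
    c->hardened = hardened;
    c->random = (uintptr_t)0x9e3779b97f4a7c15ull;   /* constructed secret */
    for (int i = NR_OBJECTS - 1; i >= 0; i--) {     /* thread every object */
        void *obj = c->slab + i * OBJ_SIZE;
        set_freepointer(c, obj, c->freelist);
        c->freelist = obj;
    }
}

static void *cache_alloc(struct cache *c)
{
    void *obj = c->freelist;
    if (obj)
        c->freelist = get_freepointer(c, obj);
    return obj;
}

static int cache_free(struct cache *c, void *obj)
{
    if (set_freepointer(c, obj, c->freelist))
        return -1;
    c->freelist = obj;
    return 0;
}

/* An overflow out of the in-use obj[0] writes a raw pointer into the free
 * obj[1]. Returns 1 if the next allocation would return the attacker's target. */
static int freelist_hijack_succeeds(int hardened)
{
    static unsigned char target[OBJ_SIZE];   /* attacker-chosen address */
    struct cache c;
    cache_init(&c, hardened);
    void *victim = cache_alloc(&c);                        /* obj[0] */
    void *raw = target;
    memcpy((char *)victim + OBJ_SIZE, &raw, sizeof raw);   /* the overflow */
    cache_alloc(&c);          /* hands out obj[1] and decodes its stored word */
    return c.freelist == (void *)target;
}

/* Returns 1 if freeing the same object twice in a row is detected. */
static int double_free_detected(int hardened)
{
    struct cache c;
    cache_init(&c, hardened);
    void *obj = cache_alloc(&c);
    cache_free(&c, obj);
    return cache_free(&c, obj) == -1;
}
```

Link a main() that calls freelist_hijack_succeeds() and double_free_detected() with 0 and 1: the hijack works only against the plain list, the double free is caught only by the hardened one. CONFIG_SLAB_FREELIST_RANDOM is orthogonal: it changes the order in which cache_init threads the objects, so an attacker cannot assume obj[1] is the free neighbour of obj[0]; the encoding is what stops the write from being useful even when the layout is known. Note that the double-free check only catches freeing the object that is currently at the head of the list; a double free with another free in between is not detected.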

CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
Description: Randomization of the page allocator improves the average utilization of a direct-mapped memory-side-cache. See section 5.2.27 Heterogeneous Memory Attribute Table (HMAT) in the ACPI 6.2a specification for an example of how a platform advertises the presence of a memory-side-cache. There are also incidental security benefits as it reduces the predictability of page allocations to complement SLAB_FREELIST_RANDOM, but the default granularity of shuffling on the “MAX_ORDER - 1” i.e, 10th order of pages is selected based on cache utilization benefits on x86.

While the randomization improves cache utilization it may negatively impact workloads on platforms without a cache. For this reason, by default, the randomization is enabled only after runtime detection of a direct-mapped memory-side-cache. Otherwise, the randomization may be force enabled with the ‘page_alloc.shuffle’ kernel command line parameter.
Status: applied
Recommendation source: KSPP

CONFIG_PAGE_POISONING=y
Description: Fill the pages with poison patterns after free_pages() and verify the patterns before alloc_pages. The filling of the memory helps reduce the risk of information leaks from freed data. This does have a potential performance impact if enabled with the “page_poison=1” kernel boot option.

Note that “poison” here is not the same thing as the “HWPoison” for MEMORY_FAILURE. This is software poisoning only.

Caveat: on the 5.10 kernel this configuration targets, the option only compiles the code in; nothing is poisoned until the kernel is booted with “page_poison=1”. When page poisoning is active it takes precedence over “init_on_alloc” and “init_on_free” (the kernel prints a “mem auto-init” warning saying so and ignores those two), so the boot command line decides which of the two mechanisms actually runs. Without “page_poison=1”, CONFIG_INIT_ON_ALLOC_DEFAULT_ON below is what clears memory.

Status: applied
Recommendation source: KSPP

CONFIG_PAGE_POISONING_NO_SANITY=y
Description: Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature.

Status: applied
Recommendation source: KSPP

CONFIG_PAGE_POISONING_ZERO=y
Description: Instead of using the existing poison value, fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization but the zeroing at free means that it is no longer necessary to write zeros when GFP_ZERO is used on allocation.

Note: Linux 5.11 removed CONFIG_PAGE_POISONING_ZERO and CONFIG_PAGE_POISONING_NO_SANITY; on newer kernels the equivalent of zero-on-free is “init_on_free=1” (CONFIG_INIT_ON_FREE_DEFAULT_ON). Keep this in mind when the kernel recipe is upgraded, or the fragment will silently stop applying.

Status: applied
Recommendation source: KSPP

CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
Description: This has the effect of setting “init_on_alloc=1” on the kernel command line. This can be disabled with “init_on_alloc=0”. When “init_on_alloc” is enabled, all page allocator and slab allocator memory will be zeroed when allocated, eliminating many kinds of “uninitialized heap memory” flaws, especially heap content exposures. The performance impact varies by workload, but most cases see <1% impact. Some synthetic workloads have measured as high as 7%.

Status: applied
Recommendation source: KSPP

Reducing attack surface
These options remove obsolete or unneeded features that would otherwise widen the attack surface.

-----------------------------------------------
| Config option                   | Our setup |
-----------------------------------------------
| CONFIG_COMPAT_BRK               | Off       |
| CONFIG_PROC_KCORE               | Off       |
| CONFIG_BINFMT_MISC              | Off       |
-----------------------------------------------

Option: CONFIG_COMPAT_BRK is not set
Reason: Keep heap (brk) randomization enabled by default
Description: Randomizing heap placement makes heap exploits harder, but it also breaks ancient binaries (including anything libc5 based). This option changes the bootup default to heap randomization disabled, and can be overridden at runtime by setting /proc/sys/kernel/randomize_va_space to 2.

Check: on a running system /proc/sys/kernel/randomize_va_space reads 2. With CONFIG_COMPAT_BRK=y the boot default would be 1, which randomizes the stack, mmap base and VDSO but leaves the brk heap at a predictable address.

Status: applied
Recommendation source: KSPP

Option: CONFIG_PROC_KCORE is not set
Reason: Do not expose an ELF image of live kernel memory under /proc
Description: Provides a virtual ELF core file of the live kernel. This can be read with gdb and other ELF tools. No modifications can be made using this mechanism.

With the option off there is no /proc/kcore. With it on, the file is readable by root and gives an attacker who already has root a convenient view of all kernel memory, including addresses and key material, without having to find a separate kernel read primitive.

Status: applied
Recommendation source: KSPP

Option: CONFIG_BINFMT_MISC is not set
Reason: Not needed on this system; registering extra interpreters for executable formats via /proc/sys/fs/binfmt_misc adds attack surface to the exec path (ELF binaries and “#!” scripts still work without it)
Description: If you say Y here, it will be possible to plug wrapper-driven binary formats into the kernel. You will like this especially when you use programs that need an interpreter to run like Java, Python, .NET or Emacs-Lisp. It’s also useful if you often run DOS executables under the Linux DOS emulator DOSEMU (read the DOSEMU-HOWTO, available from http://www.tldp.org/docs.html#howto). Once you have registered such a binary class with the kernel, you can start one of those programs simply by typing in its name at a shell prompt; Linux will automatically feed it to the correct interpreter.

Status: applied
Recommendation source: KSPP

Dmesg
Those options are related to the kernel log in dmesg.

-----------------------------------------------
| Config option                   | Our setup |
-----------------------------------------------
| CONFIG_SECURITY_DMESG_RESTRICT  | On        |
-----------------------------------------------

Source files: meta-ohos-core/recipes-kernel/linux/linux/hardening_dmesg.cfg

CONFIG_SECURITY_DMESG_RESTRICT=y
Reason: Keep kernel addresses, driver messages and oops output away from unprivileged users
Description: This enforces restrictions on unprivileged users reading the kernel syslog via dmesg(8).

If this option is not selected, no restrictions will be enforced unless the dmesg_restrict sysctl is explicitly set to (1).

Check: on a running system “sysctl kernel.dmesg_restrict” reports 1, and running dmesg as an unprivileged user fails with “Operation not permitted”. Only processes with CAP_SYSLOG can read the log.

Status: applied
Recommendation source: KSPP

Compiler-level hardening
Those options enable checks done by the compiler.

-----------------------------------------------
| Config option                   | Our setup |
-----------------------------------------------
| CONFIG_FORTIFY_SOURCE           | On        |
-----------------------------------------------

Source files: meta-ohos-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg

CONFIG_FORTIFY_SOURCE=y
Description: Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes.

Note: the checks live in inline wrappers around memcpy(), strcpy() and friends that query the compiler's __builtin_object_size(); a violation the compiler can already decide at build time is a compile error, the rest are verified at runtime and end in fortify_panic(). Only copies whose buffer sizes the compiler can see are covered, so this complements, rather than replaces, the allocator and usercopy checks.

Status: applied
Recommendation source: KSPP
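As an added example (ours, not taken from this page or from the kernel tree), the following C program reproduces in user space the mechanism FORTIFY_SOURCE relies on: a memcpy() wrapper that asks the compiler for __builtin_object_size() of both buffers and refuses a copy whose length exceeds a size the compiler knows. It assumes gcc or clang, and returns a status code where the kernel would call fortify_panic().

```c
/*
 * Added example, not code from this page or from All Scenarios OS: the
 * FORTIFY_SOURCE idea in user space.  The kernel wraps memcpy() and friends
 * in inline helpers that compare the requested length against
 * __builtin_object_size() of each buffer and call fortify_panic() on a
 * mismatch.  If the compiler cannot see the object, the builtin yields
 * (size_t)-1 and the copy proceeds unchecked, exactly as in the kernel.
 * Assumptions: gcc or clang; a status code is returned instead of a panic.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum fortify_result {
    FORTIFY_OK = 0,          /* copy performed */
    FORTIFY_WRITE_OVERFLOW,  /* n exceeds the destination object */
    FORTIFY_READ_OVERFLOW,   /* n exceeds the source object */
};

static enum fortify_result fortify_memcpy_impl(void *dst, const void *src, size_t n,
                                               size_t dst_size, size_t src_size)
{
    /* (size_t)-1 means "unknown"; every real size is smaller than that. */
    if (dst_size != (size_t)-1 && n > dst_size)
        return FORTIFY_WRITE_OVERFLOW;     /* kernel: fortify_panic() */
    if (src_size != (size_t)-1 && n > src_size)
        return FORTIFY_READ_OVERFLOW;
    memcpy(dst, src, n);
    return FORTIFY_OK;
}

/* Must be a macro: __builtin_object_size() has to be evaluated at the call
 * site, where the compiler still knows which object dst and src name.
 * Mode 0 ("whole enclosing object") is what the 5.10 kernel's memcpy() used. */
#define fortify_memcpy(dst, src, n) \
    fortify_memcpy_impl((dst), (src), (n), \
                        __builtin_object_size((dst), 0), \
                        __builtin_object_size((src), 0))

/* 1. A copy that fits behaves like plain memcpy(). */
static enum fortify_result copy_that_fits(void)
{
    char dst[16];
    const char src[16] = "fits in sixteen";
    return fortify_memcpy(dst, src, sizeof dst);
}

/* 2. The classic bug: a length taken from the source, not the destination. */
static enum fortify_result copy_that_overflows_dst(void)
{
    char dst[8];
    const char src[32] = "this message is longer than dst";
    return fortify_memcpy(dst, src, sizeof src);
}

/* 3. Over-read: asking for more bytes than the source holds. */
static enum fortify_result copy_that_overreads_src(void)
{
    char dst[64];
    const char src[8] = "short";
    return fortify_memcpy(dst, src, sizeof dst);
}

/* 4. Destination behind an opaque pointer: size unknown, so no check. */
static enum fortify_result copy_through_opaque_pointer(char *dst, size_t n)
{
    const char src[64] = "opaque";
    return fortify_memcpy(dst, src, n);
}

static enum fortify_result copy_via_opaque_demo(void)
{
    char buf[8];
    return copy_through_opaque_pointer(buf, sizeof buf);
}

int main(void)
{
    printf("fits=%d overflow=%d overread=%d opaque=%d\n", copy_that_fits(),
           copy_that_overflows_dst(), copy_that_overreads_src(), copy_via_opaque_demo());
    return 0;
}
```

The fourth case is the important limitation: when the destination reaches the wrapper through an opaque pointer, __builtin_object_size() yields (size_t)-1 and the copy is not checked, which is why FORTIFY_SOURCE is paired with HARDENED_USERCOPY and the allocator checks rather than relied on alone.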

Memory accesses
With these options we remove raw access to physical memory through /dev/mem and detect kernel mappings that are both writable and executable.

---------------------------------------------
| Config option                 | Our setup |
---------------------------------------------
| CONFIG_DEBUG_WX               | On        |
| CONFIG_DEVMEM                 | Off       |
---------------------------------------------

Source files: meta-ohos-core/recipes-kernel/linux/linux/hardening_memory.cfg

CONFIG_DEBUG_WX=y
Reason: Detect kernel mappings that are both writable and executable
Description: Generate a warning if any W+X mappings are found at boot.

This is useful for discovering cases where the kernel is leaving W+X mappings after applying NX, as such mappings are a security risk.

Look for a message in dmesg output like this:

<arch>/mm: Checked W+X mappings: passed, no W+X pages found.

or like this, if the check failed:

<arch>/mm: Checked W+X mappings: failed, W+X pages found.

Note that even if the check fails, your kernel is possibly still fine, as W+X mappings are not a security hole in themselves, what they do is that they make the exploitation of other unfixed kernel bugs easier.

Check: on a booted system, “dmesg | grep 'W+X'” should show the “passed” line (with x86/mm or arm64/mm in place of <arch>). The check runs once, after the kernel text has been made read-only; it is not repeated later.

Status: applied
Recommendation source: KSPP

CONFIG_DEVMEM is not set
Reason: Remove the /dev/mem device, which gives root processes raw read and write access to physical memory (the report below shows CONFIG_STRICT_DEVMEM satisfied as a consequence)
Description: Say Y here if you want to support the /dev/mem device. The /dev/mem device is used to access areas of physical memory.

Check: the kernel no longer registers the /dev/mem character device (major 1, minor 1); a stale node left in a static /dev directory will fail to open.

Status: applied
Recommendation source: KSPP

Copying from userspace
These options add verification when copying data between user space and kernel memory, where the attacker controls the user-space side of the copy (addresses and lengths).

-------------------------------------------------
| Config option                     | Our setup |
-------------------------------------------------
| CONFIG_HARDENED_USERCOPY          | On        |
| CONFIG_HARDENED_USERCOPY_FALLBACK | Off       |
-------------------------------------------------

File: meta-ohos-core/recipes-kernel/linux/linux/hardening_usercopy.cfg

Reason: Perform bounds checks on kernel memory when copying to or from user space, and enforce the slab usercopy whitelists instead of only warning when a copy falls outside them

CONFIG_HARDENED_USERCOPY=y
Description: This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and copy_from_user() functions) by rejecting memory ranges that are larger than the specified heap object, span multiple separately allocated pages, are not on the process stack, or are part of the kernel text. This kills entire classes of heap overflow exploits and similar kernel memory exposures.

Status: applied
Recommendation source: KSPP

CONFIG_HARDENED_USERCOPY_FALLBACK is not set
Reason: Enforce the slab usercopy whitelists: a copy that falls outside the whitelisted region of an object is rejected, not merely reported
Description: This is a temporary option that allows missing usercopy whitelists to be discovered via a WARN() to the kernel log, instead of rejecting the copy, falling back to non-whitelisted hardened usercopy that checks the slab allocation size instead of the whitelist size. This option will be removed once it seems like all missing usercopy whitelists have been identified and fixed. Booting with “slab_common.usercopy_fallback=Y/N” can change this setting.

Note: kmalloc() buffers are whitelisted in full, so this affects dedicated caches created with kmem_cache_create() that never declared a usercopy region via kmem_cache_create_usercopy(). With the fallback off, a copy_to_user()/copy_from_user() on such an object is rejected and the task is killed, so watch the kernel log for “usercopy” messages when bringing up new drivers. Newer kernels have removed this option and always enforce the whitelists.

Status: applied
Recommendation source: KSPP
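The following C program is an added example for the two options above (written for this page; it is not code from the kernel or from All Scenarios OS). It models the slab part of the hardened usercopy decision, __check_heap_object() in mm/slub.c of the 5.10 kernel, for a constructed object type with one whitelisted field, and runs the same four copy requests with the fallback on and off. The struct, the cache and the scenarios are made up for the demonstration; the decision logic mirrors the kernel's.

```c
/*
 * Added example, not code from this page or from All Scenarios OS: a
 * user-space model of the slab half of CONFIG_HARDENED_USERCOPY, i.e. the
 * decision __check_heap_object() (mm/slub.c, 5.10) makes when
 * copy_to_user()/copy_from_user() touches a slab object, and of what the
 * _FALLBACK option changes.  Assumptions: struct session and its cache are
 * constructed for the demo; "abort" is a return value, not a killed task.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum usercopy_verdict { USERCOPY_OK = 0, USERCOPY_WARN, USERCOPY_ABORT };

/* The kmem_cache fields the check consults, set by kmem_cache_create_usercopy(). */
struct kmem_cache_model {
    size_t object_size;   /* slab_ksize(): usable bytes in the object */
    size_t useroffset;    /* start of the usercopy whitelist */
    size_t usersize;      /* length of the whitelist, 0 = nothing allowed */
};

static enum usercopy_verdict check_heap_object(const struct kmem_cache_model *s,
                                               const void *object, const void *ptr,
                                               size_t n, int usercopy_fallback)
{
    size_t offset = (size_t)((const char *)ptr - (const char *)object);

    /* Allow a range that falls entirely within the usercopy region. */
    if (offset >= s->useroffset &&
        offset - s->useroffset <= s->usersize &&
        n <= s->useroffset - offset + s->usersize)
        return USERCOPY_OK;

    /* HARDENED_USERCOPY_FALLBACK=y: inside the object but off the whitelist
     * only warns; this is how missing whitelists were meant to be found. */
    if (usercopy_fallback && offset <= s->object_size &&
        n <= s->object_size - offset)
        return USERCOPY_WARN;

    return USERCOPY_ABORT;    /* usercopy_abort(): the calling task is killed */
}

/* A constructed kernel object; only `name` is ever meant to reach user space. */
struct session {
    uint64_t id;
    uint8_t  key[32];      /* must never be copied out */
    char     name[64];     /* the whitelisted region */
    uint8_t  secret[32];
};

static const struct kmem_cache_model session_cache = {
    .object_size = sizeof(struct session),
    .useroffset  = offsetof(struct session, name),
    .usersize    = sizeof(((struct session *)0)->name),
};

static struct session obj;      /* stands in for one slab object */

/* Correct driver code: copies exactly the whitelisted field. */
static enum usercopy_verdict copy_whole_name(int fallback)
{
    return check_heap_object(&session_cache, &obj, obj.name, sizeof obj.name, fallback);
}

/* Length bug: runs from name into the secret that follows it. */
static enum usercopy_verdict copy_name_and_secret(int fallback)
{
    return check_heap_object(&session_cache, &obj, obj.name,
                             sizeof obj.name + sizeof obj.secret, fallback);
}

/* Wrong field: the key is inside the object but outside the whitelist. */
static enum usercopy_verdict copy_key(int fallback)
{
    return check_heap_object(&session_cache, &obj, obj.key, sizeof obj.key, fallback);
}

/* Length runs past the allocation: would leak the neighbouring object. */
static enum usercopy_verdict copy_past_object(int fallback)
{
    return check_heap_object(&session_cache, &obj, obj.name, 4096, fallback);
}

int main(void)
{
    static const char *v[] = { "ok", "warn", "abort" };
    for (int fb = 0; fb <= 1; fb++)
        printf("fallback=%d name=%s name+secret=%s key=%s past=%s\n", fb,
               v[copy_whole_name(fb)], v[copy_name_and_secret(fb)],
               v[copy_key(fb)], v[copy_past_object(fb)]);
    return 0;
}
```

With the fallback on, the two copies that stay inside the object but leave the whitelist (name plus secret, and the key) only produce a warning and the data still flows; with it off, as configured on this page, they are rejected. A copy that runs past the object is rejected either way, which is the basic HARDENED_USERCOPY guarantee independent of whitelists.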

Data validation
With those options we add verification of the internal kernel data structures.

-----------------------------------------------
| Config option                   | Our setup |
-----------------------------------------------
| CONFIG_DEBUG_KERNEL             | On        |
| CONFIG_DEBUG_NOTIFIERS          | On        |
| CONFIG_DEBUG_LIST               | On        |
| CONFIG_DEBUG_SG                 | On        |
| CONFIG_BUG_ON_DATA_CORRUPTION   | On        |
| CONFIG_SCHED_STACK_END_CHECK    | On        |
-----------------------------------------------

File: meta-ohos-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg

CONFIG_DEBUG_KERNEL=y
Reason: Needed for CONFIG_SCHED_STACK_END_CHECK
Description: Say Y here if you are developing drivers or trying to debug and identify kernel problems.

Status: applied
Recommendation source: KSPP

CONFIG_DEBUG_NOTIFIERS=y
Reason: Perform additional checks for the notifier call chains
Description: Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel developers to make sure that modules properly unregister themselves from notifier chains. This is a relatively cheap check but if you care about maximum performance say N.

Status: applied
Recommendation source: KSPP

CONFIG_DEBUG_LIST=y
Reason: Perform additional checks for the lists
Description: Enable this to turn on extended checks in the linked-list walking routines.

Status: applied
Recommendation source: KSPP

CONFIG_DEBUG_SG=y
Reason: Perform additional checks for scatter-gather lists
Description: Enable this to turn on checks on scatter-gather tables. This can help find problems with drivers that do not properly initialize their sg tables.

Status: applied
Recommendation source: KSPP

CONFIG_BUG_ON_DATA_CORRUPTION=y
Reason: Detect data corruptions early
Description: Select this option if the kernel should BUG when it encounters data corruption in kernel memory structures when they get checked for validity.

Status: applied
Recommendation source: KSPP
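To show what DEBUG_LIST and BUG_ON_DATA_CORRUPTION actually catch, here is an added example (our code, not the kernel's or the project's): a user-space model of the validated list_add()/list_del() from lib/list_debug.c, with a policy switch standing in for CONFIG_BUG_ON_DATA_CORRUPTION. It assumes BUG() and WARN() can be replaced by counters so the program keeps running, and it includes the unchecked unlink so the arbitrary write it performs on a corrupted node is visible.

```c
/*
 * Added example, not code from this page or from All Scenarios OS: a
 * user-space model of the list_add()/list_del() checks that
 * CONFIG_DEBUG_LIST enables (lib/list_debug.c) and of the policy that
 * CONFIG_BUG_ON_DATA_CORRUPTION applies when one of them fires.
 * Assumptions: BUG()/WARN() are counters so the program keeps running;
 * the poison values follow include/linux/poison.h.
 */
#include <stdbool.h>
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };

#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

static bool bug_on_data_corruption;   /* stands in for the Kconfig option */
static int bugs_hit, warns_hit;       /* how often BUG()/WARN() would fire */

/* CHECK_DATA_CORRUPTION(): on failure BUG() (task dies) or WARN() (carry on). */
static bool check_data_corruption(bool corrupt, const char *msg)
{
    (void)msg;                        /* the kernel prints it with %px values */
    if (!corrupt)
        return false;
    if (bug_on_data_corruption) bugs_hit++; else warns_hit++;
    return true;
}

/* __list_add_valid() */
static bool list_add_valid(struct list_head *new, struct list_head *prev, struct list_head *next)
{
    return !(check_data_corruption(next->prev != prev, "list_add: next->prev should be prev") ||
             check_data_corruption(prev->next != next, "list_add: prev->next should be next") ||
             check_data_corruption(new == prev || new == next, "list_add double add"));
}

/* __list_del_entry_valid(): poison checks first, so a deleted node is never followed. */
static bool list_del_entry_valid(struct list_head *entry)
{
    struct list_head *prev = entry->prev, *next = entry->next;
    return !(check_data_corruption(next == LIST_POISON1, "list_del: next is LIST_POISON1") ||
             check_data_corruption(prev == LIST_POISON2, "list_del: prev is LIST_POISON2") ||
             check_data_corruption(prev->next != entry, "list_del: prev->next should be entry") ||
             check_data_corruption(next->prev != entry, "list_del: next->prev should be entry"));
}

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static bool list_add_checked(struct list_head *new, struct list_head *head)
{
    struct list_head *prev = head, *next = head->next;
    if (!list_add_valid(new, prev, next))
        return false;
    next->prev = new; new->next = next; new->prev = prev; prev->next = new;
    return true;
}

/* The unlink itself: two pointer writes to wherever prev and next point. */
static void list_del_unchecked(struct list_head *entry)
{
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    entry->next = LIST_POISON1;       /* list_del() poisons the removed node */
    entry->prev = LIST_POISON2;
}

static bool list_del_checked(struct list_head *entry)
{
    if (!list_del_entry_valid(entry))
        return false;
    list_del_unchecked(entry);
    return true;
}

static void set_policy(bool bug) { bug_on_data_corruption = bug; bugs_hit = warns_hit = 0; }

/* 1. No DEBUG_LIST: a node whose next was overwritten makes list_del() write
 *    &head into the attacker's chosen target (the unlink write primitive). */
static bool unchecked_del_writes_to_target(void)
{
    struct list_head head, a, target = { NULL, NULL };
    list_init(&head);
    list_add_checked(&a, &head);
    a.next = &target;                 /* corrupted by an overflow */
    list_del_unchecked(&a);
    return target.prev == &head;      /* the arbitrary write landed */
}

/* 2. DEBUG_LIST: the same corruption is refused and the target untouched;
 *    the policy decides whether that is a warning or a halted kernel. */
static bool corrupted_del_is_refused(bool bug_policy)
{
    struct list_head head, a, target = { NULL, NULL };
    set_policy(bug_policy);
    list_init(&head);
    list_add_checked(&a, &head);
    a.next = &target;
    return !list_del_checked(&a) && target.prev == NULL;
}
```

Link a main() that calls unchecked_del_writes_to_target() and corrupted_del_is_refused() with both policies and inspects bugs_hit and warns_hit: without the option the refused unlink is a WARN and execution continues with the list left alone, with BUG_ON_DATA_CORRUPTION it is a BUG. A second list_del() on a node that was already removed is caught in the same way by the LIST_POISON checks.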

CONFIG_SCHED_STACK_END_CHECK=y
Reason: Check stack overflow when calling schedule()
Description: This option checks for a stack overrun on calls to schedule(). If the stack end location is found to be overwritten, always panic, as the content of the corrupted region can no longer be trusted. This is to ensure no erroneous behaviour occurs which could result in data corruption or a sporadic crash at a later stage once the region is examined. The runtime overhead introduced is minimal.

Status: applied
Recommendation source: KSPP

Options not applied (yet)
GCC plugins
GCC plugins offer ways to additionally harden the code at the compiler level. We’re looking into applying them in the future.

IOMMU
IOMMU support is not enabled yet (the report below lists CONFIG_INTEL_IOMMU and CONFIG_AMD_IOMMU as not set).

Panic on Oops
Source files: hardening_fortify_source.cfg

KSPP recommends setting the following:
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1

They cause the kernel to reboot on an Oops instead of continuing with a possibly corrupted state (CONFIG_PANIC_TIMEOUT=-1 reboots immediately; 0 would leave the machine hanging). During development an Oops can recur on every boot and produce a reboot loop, so we decided not to enable these options in the development phase.

Known issues

CONFIG_DEBUG_CREDENTIALS=y causes a kernel crash on the qemu target (see the issue “Kernel NULL pointer dereference when enabling CONFIG_DEBUG_CREDENTIALS with the qemu target” (#60) in the OSTC / OHOS / meta-ohos issue tracker on GitLab).

Module signing
Module signing is not enabled yet; it needs the signing key infrastructure to be set up first (the report below lists CONFIG_MODULE_SIG and CONFIG_MODULE_SIG_FORCE as missing).

Report from kconfig-hardened-check

The report below is the output of the kconfig-hardened-check tool run against our build configuration (a 5.10 kernel for x86_64). It is included for reference only; no distribution enables all of these options. The “decision” column names where each recommendation comes from (the kernel defconfig, KSPP, CLIP OS, grsecurity, the tool author's own list marked “my”, and so on).

[+] Config file to check: ../../code/kernel/_build_config
[+] Detected architecture: X86_64
[+] Detected kernel version: 5.10
=========================================================================================================================
             option name                 | desired val | decision |       reason       |   check result
=========================================================================================================================
CONFIG_BUG                                   |      y      |defconfig |  self_protection   |   OK
CONFIG_SLUB_DEBUG                            |      y      |defconfig |  self_protection   |   OK
CONFIG_GCC_PLUGINS                           |      y      |defconfig |  self_protection   |   FAIL: not found
CONFIG_STACKPROTECTOR_STRONG                 |      y      |defconfig |  self_protection   |   OK
CONFIG_STRICT_KERNEL_RWX                     |      y      |defconfig |  self_protection   |   OK
CONFIG_STRICT_MODULE_RWX                     |      y      |defconfig |  self_protection   |   OK
CONFIG_REFCOUNT_FULL                         |      y      |defconfig |  self_protection   |   OK: version >= 5.5
CONFIG_IOMMU_SUPPORT                         |      y      |defconfig |  self_protection   |   OK
CONFIG_MICROCODE                             |      y      |defconfig |  self_protection   |   OK
CONFIG_RETPOLINE                             |      y      |defconfig |  self_protection   |   OK
CONFIG_X86_SMAP                              |      y      |defconfig |  self_protection   |   OK
CONFIG_SYN_COOKIES                           |      y      |defconfig |  self_protection   |   OK
CONFIG_X86_UMIP                              |      y      |defconfig |  self_protection   |   OK
CONFIG_PAGE_TABLE_ISOLATION                  |      y      |defconfig |  self_protection   |   OK
CONFIG_RANDOMIZE_MEMORY                      |      y      |defconfig |  self_protection   |   OK
CONFIG_INTEL_IOMMU                           |      y      |defconfig |  self_protection   |   FAIL: "is not set"
CONFIG_AMD_IOMMU                             |      y      |defconfig |  self_protection   |   FAIL: "is not set"
CONFIG_VMAP_STACK                            |      y      |defconfig |  self_protection   |   OK
CONFIG_RANDOMIZE_BASE                        |      y      |defconfig |  self_protection   |   OK
CONFIG_THREAD_INFO_IN_TASK                   |      y      |defconfig |  self_protection   |   OK
CONFIG_BUG_ON_DATA_CORRUPTION                |      y      |   kspp   |  self_protection   |   OK
CONFIG_DEBUG_WX                              |      y      |   kspp   |  self_protection   |   OK
CONFIG_SCHED_STACK_END_CHECK                 |      y      |   kspp   |  self_protection   |   OK
CONFIG_SLAB_FREELIST_HARDENED                |      y      |   kspp   |  self_protection   |   OK
CONFIG_SLAB_FREELIST_RANDOM                  |      y      |   kspp   |  self_protection   |   OK
CONFIG_SHUFFLE_PAGE_ALLOCATOR                |      y      |   kspp   |  self_protection   |   OK
CONFIG_FORTIFY_SOURCE                        |      y      |   kspp   |  self_protection   |   OK
CONFIG_DEBUG_LIST                            |      y      |   kspp   |  self_protection   |   OK
CONFIG_DEBUG_SG                              |      y      |   kspp   |  self_protection   |   OK
CONFIG_DEBUG_CREDENTIALS                     |      y      |   kspp   |  self_protection   |   OK
CONFIG_DEBUG_NOTIFIERS                       |      y      |   kspp   |  self_protection   |   OK
CONFIG_INIT_ON_ALLOC_DEFAULT_ON              |      y      |   kspp   |  self_protection   |   OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY             |      y      |   kspp   |  self_protection   |   FAIL: not found
CONFIG_GCC_PLUGIN_RANDSTRUCT                 |      y      |   kspp   |  self_protection   |   FAIL: not found
CONFIG_HARDENED_USERCOPY                     |      y      |   kspp   |  self_protection   |   OK
CONFIG_HARDENED_USERCOPY_FALLBACK            | is not set  |   kspp   |  self_protection   |   OK
CONFIG_MODULE_SIG                            |      y      |   kspp   |  self_protection   |   FAIL: "is not set"
CONFIG_MODULE_SIG_ALL                        |      y      |   kspp   |  self_protection   |   FAIL: not found
CONFIG_MODULE_SIG_SHA512                     |      y      |   kspp   |  self_protection   |   FAIL: not found
CONFIG_MODULE_SIG_FORCE                      |      y      |   kspp   |  self_protection   |   FAIL: not found
CONFIG_INIT_STACK_ALL_ZERO                   |      y      |   kspp   |  self_protection   |   FAIL: not found
CONFIG_INIT_ON_FREE_DEFAULT_ON               |      y      |   kspp   |  self_protection   |   OK
CONFIG_GCC_PLUGIN_STACKLEAK                  |      y      |   kspp   |  self_protection   |   FAIL: not found
CONFIG_DEFAULT_MMAP_MIN_ADDR                 |    65536    |   kspp   |  self_protection   |   FAIL: "4096"
CONFIG_SECURITY_DMESG_RESTRICT               |      y      |  clipos  |  self_protection   |   OK
CONFIG_DEBUG_VIRTUAL                         |      y      |  clipos  |  self_protection   |   FAIL: "is not set"
CONFIG_STATIC_USERMODEHELPER                 |      y      |  clipos  |  self_protection   |   FAIL: "is not set"
CONFIG_EFI_DISABLE_PCI_DMA                   |      y      |  clipos  |  self_protection   |   FAIL: "is not set"
CONFIG_SLAB_MERGE_DEFAULT                    | is not set  |  clipos  |  self_protection   |   FAIL: "y"
CONFIG_RANDOM_TRUST_BOOTLOADER               | is not set  |  clipos  |  self_protection   |   OK
CONFIG_RANDOM_TRUST_CPU                      | is not set  |  clipos  |  self_protection   |   OK
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE     | is not set  |  clipos  |  self_protection   |   FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y"
CONFIG_STACKLEAK_METRICS                     | is not set  |  clipos  |  self_protection   |   FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE             | is not set  |  clipos  |  self_protection   |   FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
CONFIG_INTEL_IOMMU_SVM                       |      y      |  clipos  |  self_protection   |   FAIL: not found
CONFIG_INTEL_IOMMU_DEFAULT_ON                |      y      |  clipos  |  self_protection   |   FAIL: not found
CONFIG_UBSAN_BOUNDS                          |      y      |    my    |  self_protection   |   FAIL: CONFIG_UBSAN_TRAP not "y"
CONFIG_SLUB_DEBUG_ON                         |      y      |    my    |  self_protection   |   FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION               |      y      |    my    |  self_protection   |   FAIL: "is not set"
CONFIG_AMD_IOMMU_V2                          |      y      |    my    |  self_protection   |   FAIL: not found
CONFIG_SECURITY                              |      y      |defconfig |  security_policy   |   OK
CONFIG_SECURITY_YAMA                         |      y      |   kspp   |  security_policy   |   FAIL: "is not set"
CONFIG_SECURITY_WRITABLE_HOOKS               | is not set  |    my    |  security_policy   |   OK: not found
CONFIG_SECURITY_LOCKDOWN_LSM                 |      y      |  clipos  |  security_policy   |   FAIL: "is not set"
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY           |      y      |  clipos  |  security_policy   |   FAIL: not found
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|      y      |  clipos  |  security_policy   |   FAIL: not found
CONFIG_SECURITY_SAFESETID                    |      y      |    my    |  security_policy   |   FAIL: "is not set"
CONFIG_SECURITY_LOADPIN                      |      y      |    my    |  security_policy   |   FAIL: "is not set"
CONFIG_SECURITY_LOADPIN_ENFORCE              |      y      |    my    |  security_policy   |   FAIL: CONFIG_SECURITY_LOADPIN not "y"
CONFIG_SECCOMP                               |      y      |defconfig | cut_attack_surface |   OK
CONFIG_SECCOMP_FILTER                        |      y      |defconfig | cut_attack_surface |   OK
CONFIG_STRICT_DEVMEM                         |      y      |defconfig | cut_attack_surface |   OK: CONFIG_DEVMEM "is not set"
CONFIG_ACPI_CUSTOM_METHOD                    | is not set  |   kspp   | cut_attack_surface |   OK
CONFIG_COMPAT_BRK                            | is not set  |   kspp   | cut_attack_surface |   OK
CONFIG_DEVKMEM                               | is not set  |   kspp   | cut_attack_surface |   OK
CONFIG_COMPAT_VDSO                           | is not set  |   kspp   | cut_attack_surface |   OK
CONFIG_BINFMT_MISC                           | is not set  |   kspp   | cut_attack_surface |   OK
CONFIG_INET_DIAG                             | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"
CONFIG_KEXEC                                 | is not set  |   kspp   | cut_attack_surface |   OK
CONFIG_PROC_KCORE                            | is not set  |   kspp   | cut_attack_surface |   OK
CONFIG_LEGACY_PTYS                           | is not set  |   kspp   | cut_attack_surface |   OK
CONFIG_HIBERNATION                           | is not set  |   kspp   | cut_attack_surface |   OK
CONFIG_IA32_EMULATION                        | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"
CONFIG_X86_X32                               | is not set  |   kspp   | cut_attack_surface |   OK
CONFIG_MODIFY_LDT_SYSCALL                    | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"
CONFIG_OABI_COMPAT                           | is not set  |   kspp   | cut_attack_surface |   OK: not found
CONFIG_MODULES                               | is not set  |   kspp   | cut_attack_surface |   FAIL: "y"
CONFIG_DEVMEM                                | is not set  |   kspp   | cut_attack_surface |   OK
CONFIG_IO_STRICT_DEVMEM                      |      y      |   kspp   | cut_attack_surface |   OK: CONFIG_DEVMEM "is not set"
CONFIG_LEGACY_VSYSCALL_NONE                  |      y      |   kspp   | cut_attack_surface |   FAIL: "is not set"
CONFIG_ZSMALLOC_STAT                         | is not set  |grsecurity| cut_attack_surface |   OK: not found
CONFIG_PAGE_OWNER                            | is not set  |grsecurity| cut_attack_surface |   OK
CONFIG_DEBUG_KMEMLEAK                        | is not set  |grsecurity| cut_attack_surface |   OK
CONFIG_BINFMT_AOUT                           | is not set  |grsecurity| cut_attack_surface |   OK: not found
CONFIG_KPROBES                               | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"
CONFIG_UPROBES                               | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"
CONFIG_GENERIC_TRACER                        | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"
CONFIG_PROC_VMCORE                           | is not set  |grsecurity| cut_attack_surface |   OK: not found
CONFIG_PROC_PAGE_MONITOR                     | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"
CONFIG_USELIB                                | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"
CONFIG_CHECKPOINT_RESTORE                    | is not set  |grsecurity| cut_attack_surface |   OK
CONFIG_USERFAULTFD                           | is not set  |grsecurity| cut_attack_surface |   OK
CONFIG_HWPOISON_INJECT                       | is not set  |grsecurity| cut_attack_surface |   OK: not found
CONFIG_MEM_SOFT_DIRTY                        | is not set  |grsecurity| cut_attack_surface |   OK: not found
CONFIG_DEVPORT                               | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"
CONFIG_DEBUG_FS                              | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION              | is not set  |grsecurity| cut_attack_surface |   OK
CONFIG_X86_PTDUMP                            | is not set  |grsecurity| cut_attack_surface |   OK: not found
CONFIG_DRM_LEGACY                            | is not set  |maintainer| cut_attack_surface |   OK
CONFIG_FB                                    | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
CONFIG_VT                                    | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
CONFIG_AIO                                   | is not set  |grapheneos| cut_attack_surface |   FAIL: "y"
CONFIG_STAGING                               | is not set  |  clipos  | cut_attack_surface |   OK
CONFIG_KSM                                   | is not set  |  clipos  | cut_attack_surface |   OK
CONFIG_KALLSYMS                              | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"
CONFIG_X86_VSYSCALL_EMULATION                | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"
CONFIG_MAGIC_SYSRQ                           | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"
CONFIG_KEXEC_FILE                            | is not set  |  clipos  | cut_attack_surface |   OK
CONFIG_USER_NS                               | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"
CONFIG_X86_MSR                               | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"
CONFIG_X86_CPUID                             | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"
CONFIG_IO_URING                              | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"
CONFIG_X86_IOPL_IOPERM                       | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"
CONFIG_ACPI_TABLE_UPGRADE                    | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS              | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"
CONFIG_LDISC_AUTOLOAD                        | is not set  |  clipos  | cut_attack_surface |   FAIL: "y"
CONFIG_X86_INTEL_TSX_MODE_OFF                |      y      |  clipos  | cut_attack_surface |   OK
CONFIG_EFI_TEST                              | is not set  | lockdown | cut_attack_surface |   OK
CONFIG_BPF_SYSCALL                           | is not set  | lockdown | cut_attack_surface |   FAIL: "y"
CONFIG_MMIOTRACE_TEST                        | is not set  | lockdown | cut_attack_surface |   OK: not found
CONFIG_TRIM_UNUSED_KSYMS                     |      y      |    my    | cut_attack_surface |   FAIL: not found
CONFIG_MMIOTRACE                             | is not set  |    my    | cut_attack_surface |   OK
CONFIG_LIVEPATCH                             | is not set  |    my    | cut_attack_surface |   OK: not found
CONFIG_IP_DCCP                               | is not set  |    my    | cut_attack_surface |   OK
CONFIG_IP_SCTP                               | is not set  |    my    | cut_attack_surface |   FAIL: "m"
CONFIG_FTRACE                                | is not set  |    my    | cut_attack_surface |   FAIL: "y"
CONFIG_VIDEO_VIVID                           | is not set  |    my    | cut_attack_surface |   OK: not found
CONFIG_INPUT_EVBUG                           | is not set  |    my    | cut_attack_surface |   OK
CONFIG_INTEGRITY                             |      y      |defconfig |userspace_hardening |   OK
CONFIG_ARCH_MMAP_RND_BITS                    |     32      |  clipos  |userspace_hardening |   FAIL: "28"

[+] Config check is finished: 'OK' - 77 / 'FAIL' - 63

Overview of Linux Kernel Hardening
What is it, and why is it essential for the user to configure it?

Categorize Hardening
(User, Network, Firewall, and so on)
Each category description (what and why)
Configuration file path
Table with Parameter Name, Description, Default Value,