kernel-hardening-checker - tool for checking the security hardening options of the Linux kernel
NAME SYNOPSIS DESCRIPTION OPTIONS AUTHOR REPORTING BUGS COPYRIGHTNAME
kernel-hardening-checker − tool for checking the security hardening options of the Linux kernel
SYNOPSIS
kernel-hardening-checker [OPTIONS]
DESCRIPTION
kernel-hardening-checker is a tool for checking the security hardening options of the Linux kernel. It can analyze Kconfig options (compile-time), kernel command line arguments (boot-time), and sysctl parameters (runtime) for the following architectures: X86_64, X86_32, ARM64, ARM, RISC-V.
Please note that changing the Linux kernel security parameters may also affect system performance and functionality of userspace software. Therefore, when setting these parameters, consider the threat model of your Linux-based information system and thoroughly test its typical workload.
OPTIONS
−h, −−help
Show the help message and exit.
−−version
Show program’s version number and exit.
−m
{verbose,json,show_ok,show_fail}, −−mode
{verbose,json,show_ok,show_fail}
Select a special output mode
instead of the default one:
verbose
Provide additional information: print the configuration options without a corresponding check and show the internals of complex checks.
|
json |
Report in JSON format. |
show_ok
Show only successful checks.
show_fail
Show only failed checks.
−a, −−autodetect
Autodetect and check the security hardening options of the running kernel.
−c CONFIG, −−config CONFIG
Check the security hardening options in a Kconfig file (also supports *.gz files).
−v KERNEL_VERSION, −−kernel−version KERNEL_VERSION
Extract the kernel version from a version file (such as /proc/version) instead of using a Kconfig file.
−l CMDLINE, −−cmdline CMDLINE
Check the security hardening options in a kernel command line file (such as /proc/cmdline).
−s SYSCTL, −−sysctl SYSCTL
Check the security hardening options in a sysctl output file (the result of "sudo sysctl -a > file").
−p
{X86_64,X86_32,ARM64,ARM,RISCV}, −−print
{X86_64,X86_32,ARM64,ARM,RISCV}
Print security hardening recommendations for the selected architecture.
−g
{X86_64,X86_32,ARM64,ARM,RISCV},
−−generate
{X86_64,X86_32,ARM64,ARM,RISCV}
Generate a Kconfig fragment containing the security hardening options for the selected architecture.
AUTHOR
Written by Alexander Popov with help from the contributors.
REPORTING BUGS
Report bugs at: <https://github.com/a13xp0p0v/kernel-hardening-checker/issues>
COPYRIGHT
Copyright:
2018-2025, Alexander Popov <[email protected]>
License: GPL-3.0