From 2b2c15d774c8c4bdb7480708dcf79a5e7bf77023 Mon Sep 17 00:00:00 2001 From: Jörg Sommer Date: Mon, 6 Jan 2025 10:54:17 +0100 Subject: kernel-hardening-checker: New recipe to check security options MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jörg Sommer Signed-off-by: Khem Raj --- .../kernel-hardening-checker_0.6.10.bb | 33 ++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.bb diff --git a/meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.bb b/meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.bb new file mode 100644 index 0000000000..1daf5d8c70 --- /dev/null +++ b/meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.bb @@ -0,0 +1,33 @@ +SUMMARY = "A tool for checking the security hardening options of the Linux kernel" +DESCRIPTION = "\ + There are plenty of security hardening options for the Linux kernel; Kconfig \ + options (compile-time); Kernel cmdline arguments (boot-time); Sysctl \ + parameters (runtime). A lot of them have to be enabled manually to make the \ + system more secure which is difficult to track. This tool helps with this \ + task by checking and reporting about the settings compared to a list of \ + recommendation. \ +" +HOMEPAGE = "https://github.com/a13xp0p0v/kernel-hardening-checker" +BUGTRACKER = "https://github.com/a13xp0p0v/kernel-hardening-checker/issues" +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=d32239bcb673463ab874e80d47fae504" + +SRC_URI = "git://github.com/a13xp0p0v/kernel-hardening-checker;protocol=https;branch=master" +SRCREV = "f4dbe258ff3d37489962ea9cf210192ae7ff9280" + +S = "${UNPACKDIR}/git" + +RDEPENDS:${PN} = "\ + python3-json \ +" + +# /boot/config is required for the analysis +RRECOMMENDS:${PN}:class-target = "\ + kernel-dev \ +" + +inherit setuptools3 + +# allow to run on build host, if you don't want it in the image +# oe-run-native kernel-hardening-checker-native kernel-hardening-checker ... +BBCLASSEXTEND = "native" -- cgit v1.2.3-54-g00ecf