inxi: add to essentials
[julm/julm-nix.git] / nixos / profiles / security.nix
index f5a6c543ded3b1d4005a1129c9f2199a6ab683cb..1113d6963c390ea2a53775570dce027230052e55 100644 (file)
-{ pkgs, lib, ... }:
+{ pkgs, lib, config, ... }:
 with lib;
 {
-  boot.kernelPackages = mkDefault pkgs.linuxPackages;
-  #boot.kernelPackages = pkgs.linuxPackages_latest;
-  #boot.kernelPackages = pkgs.linuxPackages_hardened;
-  #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
-  #environment.memoryAllocator.provider = "libc";
-  nix.settings.allowed-users = [ "@users" ];
-  /*
-    nix.settings.substituters = [
-    "https://nix-community.cachix.org"
-    ];
-    nix.settings.trusted-public-keys = [
-    "nix-community.cachix.org:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-    ];
-  */
-  nix.settings.trusted-users = [
-    "root"
-    "@wheel"
-  ];
-  networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
-  security.allowSimultaneousMultithreading = false;
-  security.apparmor.enable = mkDefault true;
-  security.forcePageTableIsolation = true;
-  security.lockKernelModules = mkDefault true;
-  security.protectKernelImage = true;
-  security.virtualisation.flushL1DataCache = "always";
-  # Only allow members of the wheel group to execute sudo by setting
-  # the executable’s permissions accordingly.
-  # This prevents users that are not members of wheel
-  # from exploiting vulnerabilities in sudo such as CVE-2021-3156.
-  security.sudo.execWheelOnly = true;
-  boot.blacklistedKernelModules = [
-    # Obscure network protocols
-    "ax25"
-    "netrom"
-    "rose"
-
-    # Old or rare or insufficiently audited filesystems
-    "adfs"
-    "affs"
-    "bfs"
-    "befs"
-    "cramfs"
-    "efs"
-    "erofs"
-    "exofs"
-    "freevxfs"
-    "f2fs"
-    "hfs"
-    "hpfs"
-    "jfs"
-    "minix"
-    "nilfs2"
-    "ntfs"
-    "omfs"
-    "qnx4"
-    "qnx6"
-    "sysv"
-    "ufs"
-  ];
-  boot.kernel.sysctl = {
-    # Mitigate kernel pointer leaks
-    "kernel.kptr_restrict" = 2;
-    # Restricts the kernel log to the CAP_SYSLOG capability
-    "kernel.dmesg_restrict" = 1;
-    # Prevent information leaks
-    #kernel.printk = "3 3 3 3";
-    # Restrict eBPF to the CAP_BPF capability
-    # and enable JIT hardening techniques
-    # such as constant blinding.
-    "kernel.unprivileged_bpf_disabled" = 1;
-    "net.core.bpf_jit_harden" = 2;
-    # Restricts loading TTY line disciplines
-    # to the CAP_SYS_MODULE capability to prevent
-    # unprivileged attackers from loading vulnerable
-    # line disciplines with the TIOCSETD ioctl
-    "dev.tty.ldisc_autoload" = 0;
-    # The userfaultfd() syscall is often abused to exploit
-    # use-after-free flaws.
-    # Due to this, this sysctl is used to restrict
-    # this syscall to the CAP_SYS_PTRACE capability.
-    "vm.unprivileged_userfaultfd" = 0;
-    # kexec is a system call that is used
-    # to boot another kernel during runtime.
-    "kernel.kexec_load_disabled" = 1;
-    # User namespaces are a feature in the kernel which aim to
-    # improve sandboxing and make it easily accessible for
-    # unprivileged users however, this feature exposes
-    # significant kernel attack surface for privilege
-    # escalation so this sysctl restricts the usage of user
-    # namespaces to the CAP_SYS_ADMIN capability.
-    "kernel.unprivileged_userns_clone" = 0;
-    # Restricts all usage of performance events to the
-    # CAP_PERFMON capability
-    "kernel.perf_event_paranoid" = 3;
-    # Helps protect against SYN flood attacks
-    "net.ipv4.tcp_syncookies" = 1;
-    # Protects against time-wait assassination
-    # by dropping RST packets for sockets
-    # in the time-wait state.
-    "net.ipv4.tcp_rfc1337" = 1;
-    # Disable ICMP redirect acceptance and sending to prevent
-    # man-in-the-middle attacks and minimize information disclosure.
-    "net.ipv4.conf.all.accept_redirects" = 0;
-    "net.ipv4.conf.default.accept_redirects" = 0;
-    "net.ipv4.conf.all.secure_redirects" = 0;
-    "net.ipv4.conf.default.secure_redirects" = 0;
-    "net.ipv6.conf.all.accept_redirects" = 0;
-    "net.ipv6.conf.default.accept_redirects" = 0;
-    "net.ipv4.conf.all.send_redirects" = 0;
-    "net.ipv4.conf.default.send_redirects" = 0;
-    # Disable source routing, a mechanism
-    # that allows users to redirect network traffic.
-    "net.ipv4.conf.all.accept_source_route" = 0;
-    "net.ipv4.conf.default.accept_source_route" = 0;
-    "net.ipv6.conf.all.accept_source_route" = 0;
-    "net.ipv6.conf.default.accept_source_route" = 0;
+  options = {
+    security.kernel.mitigations = mkOption {
+      type = types.str;
+      default = "auto,nosmt";
+      example = "off";
+      description = ''
+        Control optional mitigations for CPU vulnerabilities.  This is a set of
+        curated, arch-independent options, each of which is an aggregation of
+        existing arch-specific options.
+      '';
+    };
+  };
+  config = {
+    boot.kernelPackages = mkDefault pkgs.linuxPackages;
+    #boot.kernelPackages = pkgs.linuxPackages_latest;
+    #boot.kernelPackages = pkgs.linuxPackages_hardened;
+    #boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
+    #environment.memoryAllocator.provider = "libc";
+    nix.settings.allowed-users = [ "@users" ];
     /*
-      # Disable TCP SACK, which is commonly exploited
-      # and unnecessary for many circumstances.
-      # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
-      "net.ipv4.tcp_sack" = 0;
-      "net.ipv4.tcp_dsack" = 0;
-      "net.ipv4.tcp_fack" = 0;
+      nix.settings.substituters = [
+      "https://nix-community.cachix.org"
+      ];
+      nix.settings.trusted-public-keys = [
+      "nix-community.cachix.org:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
     */
-    # Generate a random IPv6 address
-    "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
-    "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
-    # Restricts usage of ptrace to only processes
-    # with the CAP_SYS_PTRACE capability
-    "kernel.yama.ptrace_scope" = 2;
-    # Do source validation by confirming reverse path
-    "net.ipv4.conf.all.rp_filter" = 1;
-    "net.ipv4.conf.default.rp_filter" = 1;
-  };
-  boot.kernelParams = [
-    "slab_nomerge"
-    "slub_debug=FZ"
-    #"init_on_alloc=1"
-    #"init_on_free=1"
-    "page_alloc.shuffle=1"
-    "pti=on"
-    "vsyscall=none"
-    "debugfs=off"
-    "oops=panic"
-    # Disabled because zfs and wireguard modules are not signed
-    "module.sig_enforce=0"
-    "lockdown=confidentiality"
-    "mce=0"
-    #"quiet"
-    #"loglevel=0"
-  ];
-  services.journald.extraConfig = ''
-    Compress=true
-    MaxRetentionSec=1month
-    Storage=persistent
-    SystemMaxUse=100M
-  '';
-  systemd.coredump = {
-    enable = mkDefault false;
-    extraConfig = ''
+    nix.settings.trusted-users = [
+      "root"
+      "@wheel"
+    ];
+    networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5";
+    security.allowSimultaneousMultithreading = false;
+    security.apparmor.enable = mkDefault true;
+    security.forcePageTableIsolation = true;
+    security.lockKernelModules = mkDefault true;
+    security.protectKernelImage = true;
+    security.virtualisation.flushL1DataCache = "always";
+    # Only allow members of the wheel group to execute sudo by setting
+    # the executable’s permissions accordingly.
+    # This prevents users that are not members of wheel
+    # from exploiting vulnerabilities in sudo such as CVE-2021-3156.
+    security.sudo.execWheelOnly = true;
+    boot.blacklistedKernelModules = [
+      # Obscure network protocols
+      "ax25"
+      "netrom"
+      "rose"
+
+      # Old or rare or insufficiently audited filesystems
+      "adfs"
+      "affs"
+      "bfs"
+      "befs"
+      "cramfs"
+      "efs"
+      "erofs"
+      "exofs"
+      "freevxfs"
+      "f2fs"
+      "hfs"
+      "hpfs"
+      "jfs"
+      "minix"
+      "nilfs2"
+      "ntfs"
+      "omfs"
+      "qnx4"
+      "qnx6"
+      "sysv"
+      "ufs"
+    ];
+    # kernel-hardening-checker -c /proc/config.gz -l /proc/cmdline -s <(sudo sysctl -a) -m show_fail
+    boot.kernel.sysctl = {
+      # Mitigate kernel pointer leaks
+      "kernel.kptr_restrict" = 2;
+      # Restricts the kernel log to the CAP_SYSLOG capability
+      "kernel.dmesg_restrict" = 1;
+      # Prevent information leaks
+      #kernel.printk = "3 3 3 3";
+      # Restrict eBPF to the CAP_BPF capability
+      # and enable JIT hardening techniques
+      # such as constant blinding.
+      "kernel.unprivileged_bpf_disabled" = 1;
+      "net.core.bpf_jit_harden" = 2;
+      # Restricts loading TTY line disciplines
+      # to the CAP_SYS_MODULE capability to prevent
+      # unprivileged attackers from loading vulnerable
+      # line disciplines with the TIOCSETD ioctl
+      "dev.tty.ldisc_autoload" = 0;
+      # The userfaultfd() syscall is often abused to exploit
+      # use-after-free flaws.
+      # Due to this, this sysctl is used to restrict
+      # this syscall to the CAP_SYS_PTRACE capability.
+      "vm.unprivileged_userfaultfd" = 0;
+      # kexec is a system call that is used
+      # to boot another kernel during runtime.
+      "kernel.kexec_load_disabled" = 1;
+      # User namespaces are a feature in the kernel which aim to
+      # improve sandboxing and make it easily accessible for
+      # unprivileged users however, this feature exposes
+      # significant kernel attack surface for privilege
+      # escalation so this sysctl restricts the usage of user
+      # namespaces to the CAP_SYS_ADMIN capability.
+      "kernel.unprivileged_userns_clone" = 0;
+      # Restricts all usage of performance events to the
+      # CAP_PERFMON capability
+      "kernel.perf_event_paranoid" = 3;
+      # Helps protect against SYN flood attacks
+      "net.ipv4.tcp_syncookies" = 1;
+      # Protects against time-wait assassination
+      # by dropping RST packets for sockets
+      # in the time-wait state.
+      "net.ipv4.tcp_rfc1337" = 1;
+      # Disable ICMP redirect acceptance and sending to prevent
+      # man-in-the-middle attacks and minimize information disclosure.
+      "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.secure_redirects" = 0;
+      "net.ipv4.conf.default.secure_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.default.send_redirects" = 0;
+      # Disable source routing, a mechanism
+      # that allows users to redirect network traffic.
+      "net.ipv4.conf.all.accept_source_route" = 0;
+      "net.ipv4.conf.default.accept_source_route" = 0;
+      "net.ipv6.conf.all.accept_source_route" = 0;
+      "net.ipv6.conf.default.accept_source_route" = 0;
+      /*
+        # Disable TCP SACK, which is commonly exploited
+        # and unnecessary for many circumstances.
+        # https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off
+        "net.ipv4.tcp_sack" = 0;
+        "net.ipv4.tcp_dsack" = 0;
+        "net.ipv4.tcp_fack" = 0;
+      */
+      # Generate a random IPv6 address
+      "net.ipv6.conf.all.use_tempaddr" = mkForce 2;
+      "net.ipv6.conf.default.use_tempaddr" = mkForce 2;
+      # Restricts usage of ptrace to only processes
+      # with the CAP_SYS_PTRACE capability
+      "kernel.yama.ptrace_scope" = 2;
+      # Do source validation by confirming reverse path
+      "net.ipv4.conf.all.rp_filter" = 1;
+      "net.ipv4.conf.default.rp_filter" = 1;
+      # Any process which has changed privilege levels or is execute only will not be dumped.
+      "fs.suid_dumpable" = 0;
+      "fs.protected_fifos" = 2;
+      "fs.protected_regular" = 2;
+      # TIOCSTI is a dangerous legacy operation that can be disabled on most systems.
+      "dev.tty.legacy_tiocsti" = 0;
+      # User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.
+      #"user.max_user_namespaces" = mkDefault 0;
+    };
+    # DOC: https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+    boot.kernelParams = [
+      "oops=panic"
+      #"quiet"
+      #"loglevel=0"
+      # Disable merging of slabs with similar size. May be necessary if there is
+      # some reason to distinguish allocs to different slabs, especially in
+      # hardened environments where the risk of heap overflows and layout control
+      # by attackers can usually be frustrated by disabling merging. This will
+      # reduce most of the exposure of a heap attack to a single cache (risks via
+      # metadata attacks are mostly unchanged). Debug options disable merging on
+      # their own.
+      "slab_nomerge"
+      # See slub_debug
+      # https://gitlab.tails.boum.org/tails/tails/-/issues/19613#note_215741
+      "slub_debug=FZ"
+      # Control whether the page allocator should randomize its free lists.
+      "page_alloc.shuffle=1"
+      # Kernel detects whether your CPU model is vulnerable to issues that PTI mitigates
+      # Disabling this feature removes hardening, but improves performance of system calls and interrupts.
+      "pti=auto"
+      # Controls the behavior of vsyscalls
+      # (i.e. calls to fixed addresses of 0xffffffffff600x00 from legacy code).
+      # Most statically-linked binaries and older versions of glibc use these calls.
+      # With none, vsyscalls don't work at all.
+      # This makes them quite hard to use for exploits but might break your system.
+      "vsyscall=none"
+      # Filesystem is not registered and clients get a -EPERM as result
+      # when trying to register files or directories within debugfs.
+      "debugfs=off"
+      # Disabled because the wireguard module is not signed
+      "module.sig_enforce=0"
+      # Disable kernel features that allow userland to modify the running kernel
+      # or to extract confidential information from the kernel.
+      "lockdown=confidentiality"
+      # https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.rst
+      "mce=bootlog"
+      "mitigations=${config.security.kernel.mitigations}" #    kspp   | self_protection
+      #"spectre_v2=on" # defconfig | self_protection
+      #"spectre_v2_user=on" # defconfig | self_protection
+      #"spec_store_bypass_disable=on" # defconfig | self_protection
+      #"l1tf=on" # defconfig | self_protection
+      #"mds=on" # defconfig | self_protection
+      #"tsx_async_abort=on" # defconfig | self_protection
+      #"srbds=on" # defconfig | self_protection
+      #"mmio_stale_data=on" # defconfig | self_protection
+      #"retbleed=on" # defconfig | self_protection
+      #"spec_rstack_overflow=on" # defconfig | self_protection
+      # Disable AVX to mitigate systems without microcode mitigation. No effect if the microcode mitigation is present. Known to cause crashes in userspace with buggy AVX enumeration.
+      #"gather_data_sampling=force" # defconfig | self_protection
+      # https://www.phoronix.com/news/randomize_kstack_offset-perf
+      "randomize_kstack_offset=1" #    kspp   | self_protection
+      # See https://unix.stackexchange.com/questions/592538/what-are-the-implication-of-using-iommu-force-in-the-boot-kernel-options
+      "iommu=force" #   clipos  | self_protection
+      # DMA unmap operations invalidate IOMMU hardware TLBs synchronously.
+      "iommu.strict=1" #    kspp   | self_protection
+      "kfence.sample_interval=100" # a13xp0p0v | self_protection
+      "kfence.deferrable=1"
+      # Unconditionally disables IA32 emulation
+      "ia32_emulation=0" # a13xp0p0v |cut_attack_surface
+      # A bit too much
+      # https://patchwork.kernel.org/project/linux-security-module/patch/20190626121943.131390-2-glider@google.com/#22731857
+      #"init_on_alloc=1" #    kspp   | self_protection
+      #"init_on_free=1" #    kspp   | self_protection
+    ];
+    services.journald.extraConfig = ''
       Compress=true
-      MaxUse=1024M
-      Storage=external
+      MaxRetentionSec=1month
+      Storage=persistent
+      SystemMaxUse=100M
     '';
-  };
-  services.openssh = {
-    # Avoid TOFU MITM by providing well known public keys here.
-    knownHosts = {
-      "git.sr.ht".hostNames = [ "git.sr.ht" ];
-      "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+    systemd.coredump = {
+      enable = mkDefault false;
+      extraConfig = ''
+        Compress=true
+        MaxUse=1024M
+        Storage=external
+      '';
+    };
+    services.openssh = {
+      # Avoid TOFU MITM by providing well known public keys here.
+      knownHosts = {
+        "git.sr.ht".hostNames = [ "git.sr.ht" ];
+        "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
 
-      "github.com".hostNames = [ "github.com" ];
-      "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+        "github.com".hostNames = [ "github.com" ];
+        "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
 
-      "gitlab.com".hostNames = [ "gitlab.com" ];
-      "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-    };
-    openFirewall = mkDefault false;
-    settings = {
-      Ciphers = [
-        # Not hardware accelerated, but fast enough and somehow more secure
-        # (packet sizes are encrypted and less vulnerable to timing attacks).
-        "chacha20-poly1305@openssh.com"
-        # A bit more throughput.
-        "aes128-gcm@openssh.com"
-        "aes256-gcm@openssh.com"
-      ];
-      KbdInteractiveAuthentication = mkDefault false;
-      # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
-      KexAlgorithms = [
-        "curve25519-sha256"
-        "curve25519-sha256@libssh.org"
-        "diffie-hellman-group16-sha512"
-        "diffie-hellman-group18-sha512"
-        "sntrup761x25519-sha512@openssh.com"
-      ];
-      PasswordAuthentication = false;
-      # Remove any remote gpg-agent's socket.
-      StreamLocalBindUnlink = true;
-      UseDns = mkDefault false;
-      X11Forwarding = mkDefault false;
+        "gitlab.com".hostNames = [ "gitlab.com" ];
+        "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+      };
+      openFirewall = mkDefault false;
+      settings = {
+        Ciphers = [
+          # Not hardware accelerated, but fast enough and somehow more secure
+          # (packet sizes are encrypted and less vulnerable to timing attacks).
+          "chacha20-poly1305@openssh.com"
+          # A bit more throughput.
+          "aes128-gcm@openssh.com"
+          "aes256-gcm@openssh.com"
+        ];
+        KbdInteractiveAuthentication = mkDefault false;
+        # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+        KexAlgorithms = [
+          "curve25519-sha256"
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group16-sha512"
+          "diffie-hellman-group18-sha512"
+          "sntrup761x25519-sha512@openssh.com"
+        ];
+        PasswordAuthentication = false;
+        # Remove any remote gpg-agent's socket.
+        StreamLocalBindUnlink = true;
+        UseDns = mkDefault false;
+        X11Forwarding = mkDefault false;
+      };
     };
   };
+  /* TODO: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
+    =========================================================================================================================
+                option_name               | type  |desired_val | decision |      reason      | check_result
+    =========================================================================================================================
+    CONFIG_WERROR                           |kconfig|     y      |defconfig | self_protection  | FAIL: "is not set"
+    CONFIG_X86_KERNEL_IBT                   |kconfig|     y      |defconfig | self_protection  | FAIL: "is not set"
+    CONFIG_BUG_ON_DATA_CORRUPTION           |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_SHUFFLE_PAGE_ALLOCATOR           |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_DEBUG_VIRTUAL                    |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_DEBUG_SG                         |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_INIT_ON_ALLOC_DEFAULT_ON         |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_STATIC_USERMODEHELPER            |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_SECURITY_LOCKDOWN_LSM            |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_SECURITY_LOCKDOWN_LSM_EARLY      |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
+    CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
+    CONFIG_DEBUG_CREDENTIALS                |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_DEBUG_NOTIFIERS                  |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_KFENCE                           |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_KFENCE_SAMPLE_INTERVAL           |kconfig| is not off |a13xp0p0v | self_protection  | FAIL: CONFIG_KFENCE is not "y"
+    CONFIG_RANDSTRUCT_FULL                  |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_RANDSTRUCT_PERFORMANCE           |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
+    CONFIG_GCC_PLUGIN_LATENT_ENTROPY        |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_MODULE_SIG                       |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_MODULE_SIG_ALL                   |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
+    CONFIG_MODULE_SIG_SHA512                |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
+    CONFIG_MODULE_SIG_FORCE                 |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
+    CONFIG_INIT_ON_FREE_DEFAULT_ON          |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_EFI_DISABLE_PCI_DMA              |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_RESET_ATTACK_MITIGATION          |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_UBSAN_BOUNDS                     |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
+    CONFIG_UBSAN_LOCAL_BOUNDS               |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
+    CONFIG_UBSAN_TRAP                       |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
+    CONFIG_UBSAN_SANITIZE_ALL               |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
+    CONFIG_GCC_PLUGIN_STACKLEAK             |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_STACKLEAK_METRICS                |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
+    CONFIG_STACKLEAK_RUNTIME_DISABLE        |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
+    CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT  |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_CFI_CLANG                        |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_CC_IS_CLANG is not "y"
+    CONFIG_CFI_PERMISSIVE                   |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_CC_IS_CLANG is not "y"
+    CONFIG_DEFAULT_MMAP_MIN_ADDR            |kconfig|   65536    |   kspp   | self_protection  | FAIL: "4096"
+    CONFIG_IOMMU_DEFAULT_DMA_STRICT         |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_INTEL_IOMMU_DEFAULT_ON           |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_SLS                              |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_INTEL_IOMMU_SVM                  |kconfig|     y      |   kspp   | self_protection  | FAIL: "is not set"
+    CONFIG_AMD_IOMMU_V2                     |kconfig|     y      |   kspp   | self_protection  | FAIL: "m"
+    CONFIG_SLAB_MERGE_DEFAULT               |kconfig| is not set |  clipos  | self_protection  | FAIL: "y"
+    CONFIG_LIST_HARDENED                    |kconfig|     y      |a13xp0p0v | self_protection  | FAIL: is not found
+    CONFIG_RANDOM_KMALLOC_CACHES            |kconfig|     y      |a13xp0p0v | self_protection  | FAIL: is not found
+    CONFIG_SECURITY_SELINUX_DISABLE         |kconfig| is not set |   kspp   | security_policy  | FAIL: "y"
+    CONFIG_SECURITY_SELINUX_BOOTPARAM       |kconfig| is not set |   kspp   | security_policy  | FAIL: "y"
+    CONFIG_SECURITY_SELINUX_DEVELOP         |kconfig| is not set |   kspp   | security_policy  | FAIL: "y"
+    CONFIG_SECURITY_WRITABLE_HOOKS          |kconfig| is not set |   kspp   | security_policy  | FAIL: "y"
+    CONFIG_SECURITY_DMESG_RESTRICT          |kconfig|     y      |   kspp   |cut_attack_surface| FAIL: "is not set"
+    CONFIG_ACPI_CUSTOM_METHOD               |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "m"
+    CONFIG_BINFMT_MISC                      |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+    CONFIG_INET_DIAG                        |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "m"
+    CONFIG_KEXEC                            |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+    CONFIG_PROC_KCORE                       |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+    CONFIG_HIBERNATION                      |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+    CONFIG_COMPAT                           |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+    CONFIG_IA32_EMULATION                   |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+    CONFIG_MODIFY_LDT_SYSCALL               |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+    CONFIG_X86_MSR                          |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "m"
+    CONFIG_MODULES                          |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+    CONFIG_DEVMEM                           |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+    CONFIG_LDISC_AUTOLOAD                   |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+    CONFIG_X86_VSYSCALL_EMULATION           |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+    CONFIG_KPROBE_EVENTS                    |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_UPROBE_EVENTS                    |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_GENERIC_TRACER                   |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_FUNCTION_TRACER                  |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_STACK_TRACER                     |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_BLK_DEV_IO_TRACE                 |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_PROC_PAGE_MONITOR                |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_CHECKPOINT_RESTORE               |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_USERFAULTFD                      |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_DEVPORT                          |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_DEBUG_FS                         |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_PUNIT_ATOM_DEBUG                 |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"
+    CONFIG_ACPI_CONFIGFS                    |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"
+    CONFIG_MTD_SLRAM                        |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"
+    CONFIG_MTD_PHRAM                        |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "m"
+    CONFIG_IO_URING                         |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_KCMP                             |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_RSEQ                             |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_PROVIDE_OHCI1394_DMA_INIT        |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_SUNRPC_DEBUG                     |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
+    CONFIG_FB                               |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
+    CONFIG_VT                               |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
+    CONFIG_BLK_DEV_FD                       |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
+    CONFIG_STAGING                          |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+    CONFIG_KSM                              |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+    CONFIG_KALLSYMS                         |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+    CONFIG_MAGIC_SYSRQ                      |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+    CONFIG_KEXEC_FILE                       |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+    CONFIG_USER_NS                          |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+    CONFIG_X86_CPUID                        |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "m"
+    CONFIG_X86_IOPL_IOPERM                  |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+    CONFIG_ACPI_TABLE_UPGRADE               |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+    CONFIG_EFI_CUSTOM_SSDT_OVERLAYS         |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+    CONFIG_AIO                              |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+    CONFIG_KPROBES                          |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
+    CONFIG_BPF_SYSCALL                      |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
+    CONFIG_IP_DCCP                          |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
+    CONFIG_IP_SCTP                          |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
+    CONFIG_FTRACE                           |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
+    CONFIG_INPUT_EVBUG                      |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "m"
+    CONFIG_XFS_SUPPORT_V4                   |kconfig| is not set |a13xp0p0v |cut_attack_surface| FAIL: "y"
+    CONFIG_TRIM_UNUSED_KSYMS                |kconfig|     y      |a13xp0p0v |cut_attack_surface| FAIL: "is not set"
+    CONFIG_COREDUMP                         |kconfig| is not set |  clipos  | harden_userspace | FAIL: "y"
+    CONFIG_ARCH_MMAP_RND_BITS               |kconfig|     32     |a13xp0p0v | harden_userspace | FAIL: "28"
+    CONFIG_X86_USER_SHADOW_STACK            |kconfig|     y      |a13xp0p0v | harden_userspace | FAIL: is not found
+  */
 }