Security hardening: bind kubeconfig server to localhost, mount hardening (noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module loading lock after boot, SHA256 checksum verification for downloads, kernel AppArmor + Audit support, complain-mode AppArmor profiles for containerd and kubelet, and security integration test. ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4-partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting GRUB vs RPi boot environments, architecture-aware build scripts, QEMU aarch64 dev VM and boot test. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
#!/bin/bash
# kernel-audit.sh — Verify kernel config has all required features for KubeSolo
# Usage: ./kernel-audit.sh [/path/to/kernel/.config]
# If no path given, attempts to read from /proc/config.gz or boot config
# Fail fast: an unhandled error, an unset variable or a failing pipeline
# stage aborts the audit instead of producing a partial report.
set -euo pipefail

# ANSI colour escapes. They are stored as literal backslash sequences and
# only become control bytes when printed with `echo -e`.
declare RED='\033[0;31m'
declare GREEN='\033[0;32m'
declare YELLOW='\033[1;33m'
declare NC='\033[0m'

# Absolute directory of this script.
# shellcheck disable=SC2034 — not referenced elsewhere in this file
declare SCRIPT_DIR
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# --- Locate kernel config ---
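#######################################
# Locate a kernel .config to audit and print its path.
# Arguments: $1 - optional explicit path; used as-is when it is a regular file
# Outputs:   the config path on stdout (a temporary copy when it had to be
#            extracted from /proc/config.gz); an empty line when nothing found
# Returns:   0 when a config was found, 1 otherwise
#######################################
find_kernel_config() {
  local candidate="${1:-}"
  if [[ -n "$candidate" && -f "$candidate" ]]; then
    printf '%s\n' "$candidate"
    return 0
  fi

  # Try /proc/config.gz (present when CONFIG_IKCONFIG_PROC=y).
  if [[ -f /proc/config.gz ]]; then
    local tmp=""
    # Only hand back the copy when the decompression actually succeeded:
    # this function runs inside a command substitution on the left of `||`,
    # where set -e is suspended, so a failed zcat would otherwise leave an
    # empty file that makes every option show up as "not found".
    if tmp=$(mktemp) && zcat /proc/config.gz > "$tmp"; then
      # NOTE(review): this copy is never deleted. An EXIT trap cannot be
      # registered here because the function runs in a subshell, so the trap
      # would fire before the caller could read the file.
      printf '%s\n' "$tmp"
      return 0
    fi
    if [[ -n "$tmp" ]]; then
      rm -f -- "$tmp"
    fi
  fi

  # Try the distro-installed copy for the running kernel.
  local boot_config
  boot_config="/boot/config-$(uname -r)"
  if [[ -f "$boot_config" ]]; then
    printf '%s\n' "$boot_config"
    return 0
  fi

  printf '\n'
  return 1
}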
# Resolve the config to audit; abort with a hint when none can be located.
if ! CONFIG_FILE=$(find_kernel_config "${1:-}"); then
  echo -e "${RED}ERROR: Cannot find kernel config.${NC}"
  echo "Provide path as argument, or ensure /proc/config.gz or /boot/config-\$(uname -r) exists."
  exit 1
fi

echo "==> Auditing kernel config: $CONFIG_FILE"
echo ""

# Result counters; check_config increments exactly one of them per call.
PASS=0
FAIL=0
WARN=0
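#######################################
# Report whether one kernel config option is enabled and update the counters.
# Globals:   CONFIG_FILE (read); PASS, FAIL, WARN (written);
#            RED, GREEN, YELLOW, NC (read)
# Arguments: $1 - option name, e.g. CONFIG_SECCOMP
#            $2 - "mandatory" (absence counts as FAIL) or anything else
#                 (absence counts as WARN)
#            $3 - human-readable description for the report line
# Outputs:   one report line on stdout
# Returns:   0
#######################################
check_config() {
  local option="$1"
  local required="$2" # "mandatory" or "recommended"
  local description="$3"

  # The option name is interpolated into an ERE. That is safe for the literal
  # CONFIG_[A-Z0-9_]+ names used in this script; do not feed it user input.
  local value
  value=$(grep -E "^${option}=" "$CONFIG_FILE" 2>/dev/null || true)

  # Counters use x=$((x + 1)) on purpose: `((x++))` returns status 1 when x
  # was 0, which would abort the whole script under set -e on the very
  # first successful check.
  if [[ -n "$value" ]]; then
    # =y and =m are both reported as present. Options that must be built in
    # (LSMs such as AppArmor cannot be modules) are not distinguished here.
    local setting="${value#*=}"
    echo -e " ${GREEN}✓${NC} ${option}=${setting} — ${description}"
    PASS=$((PASS + 1))
  elif grep -qE "^# ${option} is not set" "$CONFIG_FILE" 2>/dev/null; then
    if [[ "$required" == "mandatory" ]]; then
      echo -e " ${RED}✗${NC} ${option} is NOT SET — ${description} [REQUIRED]"
      FAIL=$((FAIL + 1))
    else
      echo -e " ${YELLOW}△${NC} ${option} is NOT SET — ${description} [recommended]"
      WARN=$((WARN + 1))
    fi
  else
    # Neither "=value" nor "is not set": the option does not exist in this
    # kernel's Kconfig (older kernel, or a different option name).
    if [[ "$required" == "mandatory" ]]; then
      echo -e " ${RED}?${NC} ${option} not found in config — ${description} [REQUIRED]"
      FAIL=$((FAIL + 1))
    else
      echo -e " ${YELLOW}?${NC} ${option} not found in config — ${description} [recommended]"
      WARN=$((WARN + 1))
    fi
  fi
  return 0
}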
#######################################
# Print a section heading, run check_config for every
# (option, level, description) triple that follows, then a blank line.
# Arguments: $1 - section heading; $2.. - triples, consumed three at a time
# Outputs:   the section report on stdout
#######################################
audit_section() {
  local heading="$1"
  shift
  echo "$heading"
  while (( $# >= 3 )); do
    check_config "$1" "$2" "$3"
    shift 3
  done
  echo ""
}

# --- cgroup v2 ---
audit_section "cgroup v2:" \
  CONFIG_CGROUPS mandatory "Control groups support" \
  CONFIG_CGROUP_CPUACCT mandatory "CPU accounting" \
  CONFIG_CGROUP_DEVICE mandatory "Device controller" \
  CONFIG_CGROUP_FREEZER mandatory "Freezer controller" \
  CONFIG_CGROUP_SCHED mandatory "CPU scheduler controller" \
  CONFIG_CGROUP_PIDS mandatory "PIDs controller" \
  CONFIG_MEMCG mandatory "Memory controller" \
  CONFIG_CGROUP_BPF recommended "BPF controller"

# --- Namespaces ---
audit_section "Namespaces:" \
  CONFIG_NAMESPACES mandatory "Namespace support" \
  CONFIG_NET_NS mandatory "Network namespaces" \
  CONFIG_PID_NS mandatory "PID namespaces" \
  CONFIG_USER_NS mandatory "User namespaces" \
  CONFIG_UTS_NS mandatory "UTS namespaces" \
  CONFIG_IPC_NS mandatory "IPC namespaces"

# --- Filesystem ---
audit_section "Filesystem:" \
  CONFIG_OVERLAY_FS mandatory "OverlayFS (containerd)" \
  CONFIG_SQUASHFS mandatory "SquashFS (Tiny Core root)" \
  CONFIG_BLK_DEV_LOOP mandatory "Loop device (SquashFS mount)" \
  CONFIG_EXT4_FS mandatory "ext4 (persistent partition)"

# --- Networking ---
audit_section "Networking:" \
  CONFIG_BRIDGE mandatory "Bridge (K8s pod networking)" \
  CONFIG_NETFILTER mandatory "Netfilter framework" \
  CONFIG_NF_NAT mandatory "NAT support" \
  CONFIG_NF_CONNTRACK mandatory "Connection tracking" \
  CONFIG_IP_NF_IPTABLES mandatory "iptables" \
  CONFIG_IP_NF_NAT mandatory "iptables NAT" \
  CONFIG_IP_NF_FILTER mandatory "iptables filter" \
  CONFIG_VETH mandatory "Virtual ethernet pairs" \
  CONFIG_VXLAN mandatory "VXLAN (overlay networking)" \
  CONFIG_NET_SCH_HTB recommended "HTB qdisc (bandwidth limiting)"

# --- Security ---
# NOTE(review): seccomp is only "recommended" while AppArmor is mandatory;
# the container runtime's default seccomp profile depends on
# CONFIG_SECCOMP_FILTER, so consider promoting it if that profile is relied on.
audit_section "Security:" \
  CONFIG_SECCOMP recommended "Seccomp (container security)" \
  CONFIG_SECCOMP_FILTER recommended "Seccomp BPF filter" \
  CONFIG_BPF_SYSCALL recommended "BPF syscall" \
  CONFIG_AUDIT mandatory "Audit framework" \
  CONFIG_AUDITSYSCALL mandatory "Audit system call events" \
  CONFIG_SECURITY mandatory "Security framework" \
  CONFIG_SECURITYFS mandatory "Security filesystem" \
  CONFIG_SECURITY_APPARMOR mandatory "AppArmor LSM" \
  CONFIG_SECURITY_NETWORK recommended "Network security hooks"

# --- Crypto ---
audit_section "Crypto:" \
  CONFIG_CRYPTO_SHA256 recommended "SHA-256 (image verification)"

# --- IPVS (optional, for kube-proxy IPVS mode) ---
audit_section "IPVS (optional, kube-proxy IPVS mode):" \
  CONFIG_IP_VS recommended "IPVS core" \
  CONFIG_IP_VS_RR recommended "IPVS round-robin" \
  CONFIG_IP_VS_WRR recommended "IPVS weighted round-robin" \
  CONFIG_IP_VS_SH recommended "IPVS source hashing"

# --- Summary ---
echo "========================================"
echo -e " ${GREEN}Passed:${NC} $PASS"
echo -e " ${RED}Failed:${NC} $FAIL"
echo -e " ${YELLOW}Warnings:${NC} $WARN"
echo "========================================"
echo ""

# Any missing mandatory option is a hard failure (exit 1); missing
# recommended options are reported but do not affect the exit status.
if (( FAIL > 0 )); then
  echo -e "${RED}FAIL: $FAIL mandatory kernel config(s) missing.${NC}"
  echo "Options:"
  echo " 1. Check if missing features are available as loadable modules (=m)"
  echo " 2. Recompile the kernel with missing options enabled"
  echo " 3. Use a different kernel (e.g., Alpine Linux kernel)"
  exit 1
fi

echo -e "${GREEN}PASS: All mandatory kernel configs present.${NC}"
if (( WARN > 0 )); then
  echo -e "${YELLOW}Note: $WARN recommended configs missing (non-blocking).${NC}"
fi
exit 0