feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)
Security hardening: bind kubeconfig server to localhost, mount hardening
(noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module
loading lock after boot, SHA256 checksum verification for downloads,
kernel AppArmor + Audit support, complain-mode AppArmor profiles for
containerd and kubelet, and security integration test.

ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build
from raspberrypi/linux fork, RPi firmware fetch, SD card image with
4-partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting
GRUB vs RPi boot environments, architecture-aware build scripts, QEMU
aarch64 dev VM and boot test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 13:08:17 -06:00


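#!/bin/bash
# kernel-audit.sh — Verify kernel config has all required features for KubeSolo
# Usage: ./kernel-audit.sh [/path/to/kernel/.config]
# If no path given, attempts to read from /proc/config.gz or boot config
#
# Exit status: 0 when every mandatory option is present (missing recommended
# options are reported but non-blocking); 1 when a mandatory option is
# missing or when no kernel config could be located at all.
set -euo pipefail

# ANSI colour sequences, kept as literal backslash escapes and expanded only
# at print time by `echo -e`. readonly so that a later accidental assignment
# is an error rather than a silent change of the report colouring.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m'

# Directory containing this script. It is not referenced anywhere in this
# file — TODO(review): confirm no external consumer relies on it, then drop.
# shellcheck disable=SC2034
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"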
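# --- Locate kernel config ---
#######################################
# Locate a kernel .config to audit.
# Arguments: $1 - optional explicit path; used as-is when it is a regular file
# Outputs:   the config path on stdout. When /proc/config.gz is the source,
#            the path is a fresh mktemp file holding the decompressed config;
#            the caller owns that file and is responsible for removing it.
# Returns:   0 when a path was printed, 1 when nothing usable was found
#            (an empty line is printed in that case)
# Note: the caller invokes this as `$(find_kernel_config ...) || ...`, and in
# that context bash suspends `set -e` for the whole function body. Every
# command whose failure matters is therefore checked explicitly below.
#######################################
find_kernel_config() {
  local candidate="${1:-}"
  if [[ -n "$candidate" && -f "$candidate" ]]; then
    printf '%s\n' "$candidate"
    return 0
  fi
  # /proc/config.gz is only present when the running kernel has CONFIG_IKCONFIG_PROC=y.
  if [[ -f /proc/config.gz ]]; then
    local tmp
    if tmp=$(mktemp); then
      if zcat /proc/config.gz > "$tmp"; then
        printf '%s\n' "$tmp"
        return 0
      fi
      # A failed decompression must not hand back an empty file: every check
      # would then report "not found". Drop it and try the /boot copy instead.
      rm -f -- "$tmp"
    fi
  fi
  # Fall back to the distribution-installed copy for the running kernel.
  local boot_config
  boot_config="/boot/config-$(uname -r)"
  if [[ -f "$boot_config" ]]; then
    printf '%s\n' "$boot_config"
    return 0
  fi
  printf '\n'
  return 1
}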
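# Resolve the config to audit. find_kernel_config prints the path on stdout
# and returns non-zero when nothing usable exists.
CONFIG_FILE=$(find_kernel_config "${1:-}") || {
  echo -e "${RED}ERROR: Cannot find kernel config.${NC}"
  echo "Provide path as argument, or ensure /proc/config.gz or /boot/config-\$(uname -r) exists."
  exit 1
}
# find_kernel_config yields one of three things: the caller's own path, the
# /boot/config-$(uname -r) file, or a fresh mktemp file holding the
# decompressed /proc/config.gz. That temp file is created inside the $(...)
# subshell, so it cannot be cleaned up from within the function; register the
# cleanup here whenever the path is neither of the two persistent locations,
# otherwise every run leaves a copy of the kernel config behind in $TMPDIR.
if [[ "$CONFIG_FILE" != "${1:-}" && "$CONFIG_FILE" != "/boot/config-$(uname -r)" ]]; then
  readonly TMP_CONFIG="$CONFIG_FILE"
  trap 'rm -f -- "$TMP_CONFIG"' EXIT
fi
echo "==> Auditing kernel config: $CONFIG_FILE"
echo ""

# Result counters, incremented by check_config and reported in the summary.
PASS=0
FAIL=0
WARN=0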
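#######################################
# Check one CONFIG_* option in $CONFIG_FILE and print a one-line verdict.
# Globals:   CONFIG_FILE (read); PASS, FAIL, WARN (incremented);
#            RED, GREEN, YELLOW, NC (read, expanded by echo -e)
# Arguments: $1 - option name, e.g. CONFIG_SECCOMP. Callers pass literal
#                 names; the value is interpolated into a grep -E pattern, so
#                 it must not contain regex metacharacters.
#            $2 - "mandatory" (absent → FAIL) or "recommended" (absent → WARN)
#            $3 - human-readable description for the report line
# Outputs:   one status line on stdout
# Returns:   0 always
#######################################
check_config() {
  local option="$1"
  local required="$2" # "mandatory" or "recommended"
  local description="$3"
  local value
  # Any "^OPTION=VALUE" line counts as present, whether VALUE is y or m.
  # NOTE(review): an option built as a module (=m) is reported as passing even
  # though the commit notes say module loading is locked after boot; a =m
  # option that is not loaded before the lock may still be unavailable at
  # runtime — confirm whether =m should be downgraded for mandatory options.
  value=$(grep -E "^${option}=" "$CONFIG_FILE" 2>/dev/null || true)
  if [[ -n "$value" ]]; then
    local setting="${value#*=}"
    echo -e " ${GREEN}${NC} ${option}=${setting}${description}"
    # Plain assignment instead of ((PASS++)): (( )) returns status 1 when the
    # expression evaluates to 0, which a post-increment from 0 does, and under
    # set -e that silently aborts the script at the very first check.
    PASS=$((PASS + 1))
  elif grep -qE "^# ${option} is not set" "$CONFIG_FILE" 2>/dev/null; then
    # Explicitly disabled in this kernel.
    if [[ "$required" == "mandatory" ]]; then
      echo -e " ${RED}${NC} ${option} is NOT SET — ${description} [REQUIRED]"
      FAIL=$((FAIL + 1))
    else
      echo -e " ${YELLOW}${NC} ${option} is NOT SET — ${description} [recommended]"
      WARN=$((WARN + 1))
    fi
  else
    # Neither set nor explicitly unset: the option does not exist in this
    # kernel's config at all (different kernel version or arch).
    if [[ "$required" == "mandatory" ]]; then
      echo -e " ${RED}?${NC} ${option} not found in config — ${description} [REQUIRED]"
      FAIL=$((FAIL + 1))
    else
      echo -e " ${YELLOW}?${NC} ${option} not found in config — ${description} [recommended]"
      WARN=$((WARN + 1))
    fi
  fi
}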
# --- Audit table ---
# Each section is a title plus rows of:  OPTION  LEVEL  DESCRIPTION...
# LEVEL is "mandatory" (absent → FAIL) or "recommended" (absent → WARN).
# Rows must never be blank: an empty row would call check_config with an
# empty option name.

# Print the section title, run check_config for every row supplied on stdin,
# then print the blank line that separates sections in the report.
audit_section() {
  local title="$1"
  local opt level desc
  printf '%s\n' "$title"
  while read -r opt level desc; do
    check_config "$opt" "$level" "$desc"
  done
  printf '\n'
}

audit_section "cgroup v2:" <<'EOF'
CONFIG_CGROUPS mandatory Control groups support
CONFIG_CGROUP_CPUACCT mandatory CPU accounting
CONFIG_CGROUP_DEVICE mandatory Device controller
CONFIG_CGROUP_FREEZER mandatory Freezer controller
CONFIG_CGROUP_SCHED mandatory CPU scheduler controller
CONFIG_CGROUP_PIDS mandatory PIDs controller
CONFIG_MEMCG mandatory Memory controller
CONFIG_CGROUP_BPF recommended BPF controller
EOF

audit_section "Namespaces:" <<'EOF'
CONFIG_NAMESPACES mandatory Namespace support
CONFIG_NET_NS mandatory Network namespaces
CONFIG_PID_NS mandatory PID namespaces
CONFIG_USER_NS mandatory User namespaces
CONFIG_UTS_NS mandatory UTS namespaces
CONFIG_IPC_NS mandatory IPC namespaces
EOF

audit_section "Filesystem:" <<'EOF'
CONFIG_OVERLAY_FS mandatory OverlayFS (containerd)
CONFIG_SQUASHFS mandatory SquashFS (Tiny Core root)
CONFIG_BLK_DEV_LOOP mandatory Loop device (SquashFS mount)
CONFIG_EXT4_FS mandatory ext4 (persistent partition)
EOF

audit_section "Networking:" <<'EOF'
CONFIG_BRIDGE mandatory Bridge (K8s pod networking)
CONFIG_NETFILTER mandatory Netfilter framework
CONFIG_NF_NAT mandatory NAT support
CONFIG_NF_CONNTRACK mandatory Connection tracking
CONFIG_IP_NF_IPTABLES mandatory iptables
CONFIG_IP_NF_NAT mandatory iptables NAT
CONFIG_IP_NF_FILTER mandatory iptables filter
CONFIG_VETH mandatory Virtual ethernet pairs
CONFIG_VXLAN mandatory VXLAN (overlay networking)
CONFIG_NET_SCH_HTB recommended HTB qdisc (bandwidth limiting)
EOF

# NOTE(review): seccomp is only "recommended" here while AppArmor and audit
# are mandatory; if container seccomp profiles are part of the hardening
# baseline, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER may both need to be
# mandatory — confirm against the intended runtime policy.
audit_section "Security:" <<'EOF'
CONFIG_SECCOMP recommended Seccomp (container security)
CONFIG_SECCOMP_FILTER recommended Seccomp BPF filter
CONFIG_BPF_SYSCALL recommended BPF syscall
CONFIG_AUDIT mandatory Audit framework
CONFIG_AUDITSYSCALL mandatory Audit system call events
CONFIG_SECURITY mandatory Security framework
CONFIG_SECURITYFS mandatory Security filesystem
CONFIG_SECURITY_APPARMOR mandatory AppArmor LSM
CONFIG_SECURITY_NETWORK recommended Network security hooks
EOF

audit_section "Crypto:" <<'EOF'
CONFIG_CRYPTO_SHA256 recommended SHA-256 (image verification)
EOF

audit_section "IPVS (optional, kube-proxy IPVS mode):" <<'EOF'
CONFIG_IP_VS recommended IPVS core
CONFIG_IP_VS_RR recommended IPVS round-robin
CONFIG_IP_VS_WRR recommended IPVS weighted round-robin
CONFIG_IP_VS_SH recommended IPVS source hashing
EOF
# --- Summary ---
# Missing mandatory options fail the audit (exit 1); missing recommended
# options only add a note and the script exits 0.
separator="========================================"
echo "$separator"
echo -e " ${GREEN}Passed:${NC} $PASS"
echo -e " ${RED}Failed:${NC} $FAIL"
echo -e " ${YELLOW}Warnings:${NC} $WARN"
echo "$separator"
echo ""
if (( FAIL > 0 )); then
  echo -e "${RED}FAIL: $FAIL mandatory kernel config(s) missing.${NC}"
  echo "Options:"
  echo " 1. Check if missing features are available as loadable modules (=m)"
  echo " 2. Recompile the kernel with missing options enabled"
  echo " 3. Use a different kernel (e.g., Alpine Linux kernel)"
  exit 1
fi
echo -e "${GREEN}PASS: All mandatory kernel configs present.${NC}"
if (( WARN > 0 )); then
  echo -e "${YELLOW}Note: $WARN recommended configs missing (non-blocking).${NC}"
fi
exit 0