NAME¶

kernel-hardening-checker - tool for checking the security hardening options of the Linux kernel

SYNOPSIS¶

kernel-hardening-checker [OPTIONS]

DESCRIPTION¶

kernel-hardening-checker is a tool for checking the security hardening options of the Linux kernel. It can analyze Kconfig options (compile-time), kernel command line arguments (boot-time), and sysctl parameters (runtime) for the following architectures: X86_64, X86_32, ARM64, ARM, RISC-V.

Please note that changing the Linux kernel security parameters may also affect system performance and functionality of userspace software. Therefore, when setting these parameters, consider the threat model of your Linux-based information system and thoroughly test its typical workload.

OPTIONS¶

-h, --help: Show the help message and exit.
--version: Show program's version number and exit.
-m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}: Select a special output mode instead of the default one:

verbose: Provide additional information: print the configuration options without a corresponding check and show the internals of complex checks.
json: Report in JSON format.
show_ok: Show only successful checks.
show_fail: Show only failed checks.

-a, --autodetect: Autodetect and check the security hardening options of the running kernel.
-c CONFIG, --config CONFIG: Check the security hardening options in a Kconfig file (also supports *.gz files).
-v KERNEL_VERSION, --kernel-version KERNEL_VERSION: Extract the kernel version from a version file (such as /proc/version) instead of using a Kconfig file.
-l CMDLINE, --cmdline CMDLINE: Check the security hardening options in a kernel command line file (such as /proc/cmdline).
-s SYSCTL, --sysctl SYSCTL: Check the security hardening options in a sysctl output file (the result of "sudo sysctl -a > file").
-p {X86_64,X86_32,ARM64,ARM,RISCV}, --print {X86_64,X86_32,ARM64,ARM,RISCV}: Print security hardening recommendations for the selected architecture.
-g {X86_64,X86_32,ARM64,ARM,RISCV}, --generate {X86_64,X86_32,ARM64,ARM,RISCV}: Generate a Kconfig fragment containing the security hardening options for the selected architecture.

AUTHOR¶

Written by Alexander Popov with help from the contributors.

REPORTING BUGS¶

Report bugs at: <https://github.com/a13xp0p0v/kernel-hardening-checker/issues>

COPYRIGHT¶

July 2025

kernel-hardening-checker

Source file:	kernel-hardening-checker.1.en.gz (from kernel-hardening-checker 0.6.17.1-1)
Source last updated:	2025-11-07T17:23:28Z
Converted to HTML:	2025-11-08T03:11:08Z