Kernel Hardening — Check Your Kernel Security in 30 Seconds
Most people compile their kernel either from defconfig or by copying the distro config and running make oldconfig. In both cases, nobody checks how many security options are left disabled.
There are quite a few.
A typical Debian 13 config passes around 60% of security checks. The upstream defconfig – even less. Options like CONFIG_STACKPROTECTOR_STRONG, CONFIG_INIT_STACK_ALL_ZERO, or CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT are often not enabled because nobody manually searches through thousands of options looking for them.
How to check?
There’s a tool on vmlinuz.pl that does it for you: Kernel Checker.
Upload your kernel’s .config file and within a few seconds you get:
- a percentage score (how many checks passed)
- a list of issues grouped by category (self_protection, cut_attack_surface, harden_userspace, security_policy)
- a full table with every option and its status
Checks are based on recommendations from KSPP (Kernel Self Protection Project), grsecurity, CLIP OS, and CIS Benchmark.
Where to find your config?
On most distros:
ls /boot/config-$(uname -r)
If your kernel was built with CONFIG_IKCONFIG_PROC (the config is embedded in the kernel image and exposed through /proc):
zcat /proc/config.gz > ~/my-kernel.config
If /proc/config.gz is missing but CONFIG_IKCONFIG was built as a module, sudo modprobe configs makes it appear.
And if you compiled from source, .config sits in the source directory.
What to do with the results?
Getting 100% is not the goal. Some options are mutually exclusive, some only exist on a given architecture or need a particular compiler (CONFIG_RANDOMIZE_MEMORY is x86_64-only; CONFIG_INIT_STACK_ALL_ZERO needs GCC 12 or a recent Clang), and some cost performance. But if you’re at 45%, it’s worth going through the list and enabling what makes sense for your use case.
A few options that are almost always worth having:
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_INIT_STACK_ALL_ZERO=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
One caveat before you rebuild: CONFIG_MODULE_SIG_FORCE makes the kernel refuse any module that is not signed with the kernel’s signing key, so out-of-tree modules (DKMS builds, proprietary drivers) have to be signed with that key or they will not load. After changing the config:
make oldconfig
make -j$(nproc)
sudo make modules_install install
And reboot.
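The same check can be done offline without the web tool. The script below is an added example, not the vmlinuz.pl Kernel Checker and not kernel code: it greps a .config for the ten options listed above, tells apart "set to n" from "absent" (an option that is absent is usually not available on your architecture or has unmet dependencies, so enabling it takes more than flipping a line), and prints the scripts/config commands that would enable the missing ones. The sample .config it runs on is constructed for the example; point report at /boot/config-$(uname -r) to check a real one.

```shell
#!/bin/sh
# Added example (not the vmlinuz.pl tool, not kernel code): offline check of
# the options listed in the post against a .config, plus the scripts/config
# commands that would enable the missing ones. POSIX sh + grep only.

# The options the post lists as almost always worth having.
WANTED="CONFIG_STACKPROTECTOR_STRONG CONFIG_INIT_STACK_ALL_ZERO \
CONFIG_RANDOMIZE_BASE CONFIG_RANDOMIZE_MEMORY CONFIG_HARDENED_USERCOPY \
CONFIG_FORTIFY_SOURCE CONFIG_STRICT_KERNEL_RWX CONFIG_STRICT_MODULE_RWX \
CONFIG_MODULE_SIG CONFIG_MODULE_SIG_FORCE"

# State of one option in a .config:
#   y / m   - built-in / module
#   n       - explicitly "# CONFIG_FOO is not set"
#   absent  - not mentioned at all: the option does not exist for this
#             arch/kernel version or its dependencies are unmet, so
#             scripts/config --enable alone will not turn it on.
# The anchors matter: CONFIG_STACKPROTECTOR=y must not match ..._STRONG.
config_state() {
    opt=$1
    cfg=$2
    if grep -q "^${opt}=y\$" "$cfg"; then
        echo y
    elif grep -q "^${opt}=m\$" "$cfg"; then
        echo m
    elif grep -q "^# ${opt} is not set\$" "$cfg"; then
        echo n
    else
        echo absent
    fi
}

# Print every wanted option that is not =y, one per line.
missing_options() {
    cfg=$1
    for opt in $WANTED; do
        [ "$(config_state "$opt" "$cfg")" = y ] || echo "$opt"
    done
}

# Number of wanted options that are not =y.
count_missing() {
    n=0
    for opt in $(missing_options "$1"); do
        n=$((n + 1))
    done
    echo "$n"
}

# Report per option, then the scripts/config lines (a real helper shipped in
# the kernel source tree) that would enable the missing ones.
report() {
    cfg=$1
    for opt in $WANTED; do
        printf '%-8s %s\n' "$(config_state "$opt" "$cfg")" "$opt"
    done
    echo
    echo "To enable the missing ones, from the kernel source directory:"
    for opt in $(missing_options "$cfg"); do
        echo "  scripts/config --file $cfg --enable $opt"
    done
    echo "  make olddefconfig   # resolve dependencies, then rebuild"
}

# Constructed sample config (not a real distro config): plain STACKPROTECTOR
# present next to _STRONG to exercise the anchoring, RANDOMIZE_MEMORY absent
# as on a non-x86_64 build, two options explicitly switched off.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_MODULES=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_INIT_STACK_ALL_ZERO is not set
CONFIG_RANDOMIZE_BASE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
EOF

# For a real kernel:  report /boot/config-$(uname -r)
report "$SAMPLE_CFG"
```

On the sample this reports three missing options: CONFIG_INIT_STACK_ALL_ZERO and CONFIG_MODULE_SIG_FORCE are off, CONFIG_RANDOMIZE_MEMORY is absent. The printed scripts/config lines are a starting point, not a replacement for make oldconfig: an absent option stays absent until whatever it depends on is enabled, which is exactly why the script distinguishes the two states.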
Privacy
Your config file is not stored anywhere. It’s sent for analysis, the result comes back to your browser, and the file is deleted. Nothing is logged, nothing is kept.