Kernel Hardening — Check Your Kernel Security in 30 Seconds
Most Linux distributions ship a kernel configured as a compromise between compatibility and security. Nobody checks how many security options are left disabled.
There are quite a few.
A typical Debian 13 config passes around 60% of security checks. If you compile the kernel yourself — from defconfig or by copying the distro config and running make oldconfig — the result can be even worse. Options like CONFIG_STACKPROTECTOR_STRONG, CONFIG_INIT_STACK_ALL_ZERO, or CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT are often not enabled because nobody manually searches through thousands of options looking for them.
How to check?
There’s a tool on vmlinuz.pl that does it for you: Kernel Checker.
Upload your kernel’s .config file and within a few seconds you get:
- a percentage score (how many checks passed)
- a list of issues grouped by category (self_protection, cut_attack_surface, harden_userspace, security_policy)
- a full table with every option and its status
Checks are based on recommendations from KSPP (Kernel Self Protection Project), grsecurity, CLIP OS, and CIS Benchmark.
Where to find your config?
On most distros:
ls /boot/config-$(uname -r)
If your kernel has CONFIG_IKCONFIG_PROC built in:
zcat /proc/config.gz > ~/my-kernel.config
And if you compiled from source, .config sits in the source directory.
What to do with the results?
Getting 100% is not the goal. Some options are mutually exclusive, and some affect performance. But if you’re at 45%, it’s worth going through the list and enabling what makes sense for your use case.
A few options that are almost always worth having:
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_INIT_STACK_ALL_ZERO=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
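To show what a checker like the one described above actually does with a .config, here is an added example in Python; it is not the vmlinuz.pl Kernel Checker's code. It parses the file the way make oldconfig writes it (including the "# CONFIG_X is not set" form), compares the options from this article's list against their expected values, groups failures by category, and reports a percentage score. The assignment of options to the category names self_protection and security_policy is this example's own assumption, and the embedded SAMPLE_CONFIG is a constructed fragment, not a real distro config.

```python
"""Score a Linux .config against a small set of hardening checks.

Added example, not the vmlinuz.pl Kernel Checker's code. The option list
is the article's "almost always worth having" set plus the three options
named in its introduction; the category grouping is this example's own.
"""
import re
from collections import defaultdict

# Expected value per option, grouped by category (grouping is an assumption).
CHECKS = {
    "self_protection": {
        "CONFIG_STACKPROTECTOR_STRONG": "y",
        "CONFIG_INIT_STACK_ALL_ZERO": "y",
        "CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT": "y",
        "CONFIG_RANDOMIZE_BASE": "y",
        "CONFIG_RANDOMIZE_MEMORY": "y",
        "CONFIG_HARDENED_USERCOPY": "y",
        "CONFIG_FORTIFY_SOURCE": "y",
        "CONFIG_STRICT_KERNEL_RWX": "y",
        "CONFIG_STRICT_MODULE_RWX": "y",
    },
    "security_policy": {
        "CONFIG_MODULE_SIG": "y",
        "CONFIG_MODULE_SIG_FORCE": "y",
    },
}

_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Map CONFIG_* names to their values; '# CONFIG_X is not set' becomes 'n'."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET_RE.match(line)
        if m:
            options[m.group(1)] = "n"
    return options


def check_config(text):
    """Return (score_percent, failures_by_category, rows).

    A symbol that is neither set nor marked 'is not set' is reported as
    'missing': it does not exist in that tree or architecture at all, which
    is a different situation from a deliberately disabled option.
    """
    options = parse_config(text)
    rows, failures = [], defaultdict(list)
    passed = total = 0
    for category, wanted in CHECKS.items():
        for name, expected in wanted.items():
            total += 1
            actual = options.get(name, "missing")
            ok = actual == expected
            if ok:
                passed += 1
            else:
                failures[category].append((name, expected, actual))
            rows.append((category, name, expected, actual, "OK" if ok else "FAIL"))
    return round(100 * passed / total), dict(failures), rows


# Constructed sample fragment in the format make oldconfig writes.
SAMPLE_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
#
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_INIT_STACK_ALL_ZERO is not set
CONFIG_INIT_STACK_ALL_PATTERN=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
"""

if __name__ == "__main__":
    import sys
    # Usage: python3 check_config.py /boot/config-$(uname -r)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    score, failures, rows = check_config(text)
    print(f"score: {score}% ({sum(r[4] == 'OK' for r in rows)}/{len(rows)} checks passed)")
    for category, items in failures.items():
        print(f"[{category}]")
        for name, expected, actual in items:
            print(f"  {name}: expected {expected}, got {actual}")
```

Run against the constructed sample it reports 73% (8 of 11 checks), with CONFIG_INIT_STACK_ALL_ZERO and CONFIG_MODULE_SIG_FORCE disabled and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT missing, which is how an older tree or a different architecture shows up. Treating "missing" separately from "n" matters when you read the results: a missing symbol cannot be enabled by editing .config, while an "is not set" line can. Note that CONFIG_MODULE_SIG_FORCE only helps if every module you load is signed with the kernel's key; out-of-tree modules built afterwards will be refused until they are signed too.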
After changing the config:
make oldconfig
make -j$(nproc)
sudo make modules_install install
And reboot.
Update: Kernel Checker now also checks runtime settings and boot parameters: