Merge branch 'man'

a13xp0p0v · a13xp0p0v · commit 503c1a434f3e · 2025-07-02T16:02:49.000+03:00
Refers to #195.
diff --git a/README.md b/README.md
@@ -34,7 +34,7 @@ License: GPL-3.0.
 `kernel-hardening-checker` supports checking:
 
   - Kconfig options (compile-time)
-  - Kernel cmdline arguments (boot-time)
+  - Kernel command line arguments (boot-time)
   - Sysctl parameters (runtime)
 
 Supported architectures:
@@ -60,10 +60,9 @@ or exploitation techniques.
 
 ## Attention!
 
-Changing Linux kernel security parameters may also affect system performance
-and functionality of userspace software. So for choosing these parameters, consider
-the threat model of your Linux-based information system and perform thorough testing
-of its typical workload.
+Please note that changing the Linux kernel security parameters may also affect system performance
+and functionality of userspace software. Therefore, when setting these parameters, consider
+the threat model of your Linux-based information system and thoroughly test its typical workload.
 
 ## Installation
 
@@ -82,9 +81,11 @@ There are multiple options:
 ## Usage
 ```
 $ ./bin/kernel-hardening-checker -h
-usage: kernel-hardening-checker [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
-                                [-a] [-c CONFIG] [-v KERNEL_VERSION] [-l CMDLINE]
-                                [-s SYSCTL] [-p {X86_64,X86_32,ARM64,ARM,RISCV}]
+usage: kernel-hardening-checker [-h] [--version]
+                                [-m {verbose,json,show_ok,show_fail}] [-a]
+                                [-c CONFIG] [-v KERNEL_VERSION] [-l CMDLINE]
+                                [-s SYSCTL]
+                                [-p {X86_64,X86_32,ARM64,ARM,RISCV}]
                                 [-g {X86_64,X86_32,ARM64,ARM,RISCV}]
 
 A tool for checking the security hardening options of the Linux kernel
@@ -93,43 +94,44 @@ options:
   -h, --help            show this help message and exit
   --version             show program's version number and exit
   -m, --mode {verbose,json,show_ok,show_fail}
-                        choose the report mode
-  -a, --autodetect      autodetect and check the security hardening options of the
-                        running kernel
-  -c, --config CONFIG   check the security hardening options in the Kconfig file (also
-                        supports *.gz files)
+                        select a special output mode instead of the default
+                        one
+  -a, --autodetect      autodetect and check the security hardening options of
+                        the running kernel
+  -c, --config CONFIG   check the security hardening options in a Kconfig file
+                        (also supports *.gz files)
   -v, --kernel-version KERNEL_VERSION
-                        extract version from the kernel version file (contents of
-                        /proc/version) instead of Kconfig file
+                        extract the kernel version from a version file (such
+                        as /proc/version) instead of using a Kconfig file
   -l, --cmdline CMDLINE
-                        check the security hardening options in the kernel cmdline file
-                        (contents of /proc/cmdline)
-  -s, --sysctl SYSCTL   check the security hardening options in the sysctl output file
-                        (`sudo sysctl -a > file`)
+                        check the security hardening options in a kernel
+                        command line file (such as /proc/cmdline)
+  -s, --sysctl SYSCTL   check the security hardening options in a sysctl
+                        output file (the result of "sudo sysctl -a > file")
   -p, --print {X86_64,X86_32,ARM64,ARM,RISCV}
-                        print the security hardening recommendations for the selected
-                        architecture
+                        print security hardening recommendations for the
+                        selected architecture
   -g, --generate {X86_64,X86_32,ARM64,ARM,RISCV}
-                        generate a Kconfig fragment with the security hardening options
-                        for the selected architecture
+                        generate a Kconfig fragment containing the security
+                        hardening options for the selected architecture
 ```
 
 ## Output modes
 
   -  no `-m` argument for the default output mode (see the example below)
   - `-m verbose` for printing additional info:
-    - config options without a corresponding check
-    - internals of complex checks with AND/OR, like this:
-```
--------------------------------------------------------------------------------------------
-    <<< OR >>>                                                                             
-CONFIG_STRICT_DEVMEM                  |kconfig|cut_attack_surface|defconfig |     y      
-CONFIG_DEVMEM                         |kconfig|cut_attack_surface|   kspp   | is not set 
--------------------------------------------------------------------------------------------
-```
-  - `-m show_fail` for showing only the failed checks
-  - `-m show_ok` for showing only the successful checks
+    - the configuration options without a corresponding check
+    - the internals of complex checks with AND/OR, like this:
+      ```
+      -------------------------------------------------------------------------------------------
+          <<< OR >>>                                                                             
+      CONFIG_STRICT_DEVMEM                  |kconfig|cut_attack_surface|defconfig |     y      
+      CONFIG_DEVMEM                         |kconfig|cut_attack_surface|   kspp   | is not set 
+      -------------------------------------------------------------------------------------------
+      ```
   - `-m json` for printing the results in JSON format (for combining `kernel-hardening-checker` with other tools)
+  - `-m show_ok` for showing only successful checks
+  - `-m show_fail` for showing only failed checks
 
 ## Example output
 ```
diff --git a/kernel_hardening_checker/__init__.py b/kernel_hardening_checker/__init__.py
@@ -290,13 +290,13 @@ def parse_sysctl_file(mode: StrOrNone, parsed_options: Dict[str, str], fname: st
             parsed_options[option] = value
 
     # let's check the presence of some ancient sysctl option
-    # to ensure that we are parsing the output of `sudo sysctl -a > file`
+    # to ensure that we are parsing the output of "sudo sysctl -a > file"
     if 'kernel.printk' not in parsed_options and mode != 'json':
-        print(f'[!] WARNING: ancient sysctl options are not found in {fname}, try checking the output of `sudo sysctl -a`')
+        print(f'[!] WARNING: ancient sysctl options are not found in {fname}, try checking the output of "sudo sysctl -a"')
 
     # let's check the presence of a sysctl option available for root
     if 'kernel.cad_pid' not in parsed_options and mode != 'json':
-        print(f'[!] WARNING: sysctl options available for root are not found in {fname}, try checking the output of `sudo sysctl -a`')
+        print(f'[!] WARNING: sysctl options available for root are not found in {fname}, try checking the output of "sudo sysctl -a"')
 
 
 def refine_check(mode: StrOrNone, checklist: List[ChecklistObjType], parsed_options: Dict[str, str],
@@ -407,26 +407,26 @@ def main() -> None:
     #     - reporting about unknown kernel options in the Kconfig
     #     - verbose printing of ComplexOptCheck items
     #   * json mode for printing the results in JSON format
-    report_modes = ['verbose', 'json', 'show_ok', 'show_fail']
+    output_modes = ['verbose', 'json', 'show_ok', 'show_fail']
     parser = ArgumentParser(prog='kernel-hardening-checker',
                             description='A tool for checking the security hardening options of the Linux kernel')
     parser.add_argument('--version', action='version', version=f'%(prog)s {__version__}')
-    parser.add_argument('-m', '--mode', choices=report_modes,
-                        help='choose the report mode')
+    parser.add_argument('-m', '--mode', choices=output_modes,
+                        help='select a special output mode instead of the default one')
     parser.add_argument('-a', '--autodetect', action='store_true',
                         help='autodetect and check the security hardening options of the running kernel')
     parser.add_argument('-c', '--config',
-                        help='check the security hardening options in the Kconfig file (also supports *.gz files)')
+                        help='check the security hardening options in a Kconfig file (also supports *.gz files)')
     parser.add_argument('-v', '--kernel-version',
-                        help='extract version from the kernel version file (contents of /proc/version) instead of Kconfig file')
+                        help='extract the kernel version from a version file (such as /proc/version) instead of using a Kconfig file')
     parser.add_argument('-l', '--cmdline',
-                        help='check the security hardening options in the kernel cmdline file (contents of /proc/cmdline)')
+                        help='check the security hardening options in a kernel command line file (such as /proc/cmdline)')
     parser.add_argument('-s', '--sysctl',
-                        help='check the security hardening options in the sysctl output file (`sudo sysctl -a > file`)')
+                        help='check the security hardening options in a sysctl output file (the result of "sudo sysctl -a > file")')
     parser.add_argument('-p', '--print', choices=SUPPORTED_ARCHS,
-                        help='print the security hardening recommendations for the selected architecture')
+                        help='print security hardening recommendations for the selected architecture')
     parser.add_argument('-g', '--generate', choices=SUPPORTED_ARCHS,
-                        help='generate a Kconfig fragment with the security hardening options for the selected architecture')
+                        help='generate a Kconfig fragment containing the security hardening options for the selected architecture')
     args = parser.parse_args()
 
     mode = None
diff --git a/man/kernel-hardening-checker.1 b/man/kernel-hardening-checker.1
@@ -0,0 +1,79 @@
+.TH KERNEL-HARDENING-CHECKER "1" "July 2025" "kernel-hardening-checker" "User Commands"
+
+.SH NAME
+kernel-hardening-checker \- tool for checking the security hardening options of the Linux kernel
+
+.SH SYNOPSIS
+\fBkernel-hardening-checker\fR [\fIOPTIONS\fR]
+
+.SH DESCRIPTION
+\fBkernel-hardening-checker\fR is a tool for checking the security hardening options of the Linux kernel.
+It can analyze Kconfig options (compile-time), kernel command line arguments (boot-time), and sysctl parameters (runtime)
+for the following architectures: X86_64, X86_32, ARM64, ARM, RISC-V.
+
+Please note that changing the Linux kernel security parameters may also affect system performance
+and functionality of userspace software. Therefore, when setting these parameters, consider
+the threat model of your Linux-based information system and thoroughly test its typical workload.
+
+.SH OPTIONS
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Show the help message and exit.
+
+.TP
+\fB\-\-version\fR
+Show program's version number and exit.
+
+.TP
+\fB\-m\fR {verbose,json,show_ok,show_fail}, \fB\-\-mode\fR {verbose,json,show_ok,show_fail}
+Select a special output mode instead of the default one:
+.RS
+.IP \fBverbose\fR
+Provide additional information: print the configuration options without a corresponding check and show the internals of complex checks.
+.IP \fBjson\fR
+Report in JSON format.
+.IP \fBshow_ok\fR
+Show only successful checks.
+.IP \fBshow_fail\fR
+Show only failed checks.
+.RE
+
+.TP
+\fB\-a\fR, \fB\-\-autodetect\fR
+Autodetect and check the security hardening options of the running kernel.
+
+.TP
+\fB\-c\fR CONFIG, \fB\-\-config\fR CONFIG
+Check the security hardening options in a Kconfig file (also supports *.gz files).
+
+.TP
+\fB\-v\fR KERNEL_VERSION, \fB\-\-kernel\-version\fR KERNEL_VERSION
+Extract the kernel version from a version file (such as /proc/version) instead of using a Kconfig file.
+
+.TP
+\fB\-l\fR CMDLINE, \fB\-\-cmdline\fR CMDLINE
+Check the security hardening options in a kernel command line file (such as /proc/cmdline).
+
+.TP
+\fB\-s\fR SYSCTL, \fB\-\-sysctl\fR SYSCTL
+Check the security hardening options in a sysctl output file (the result of "sudo sysctl -a > file").
+
+.TP
+\fB\-p\fR {X86_64,X86_32,ARM64,ARM,RISCV}, \fB\-\-print\fR {X86_64,X86_32,ARM64,ARM,RISCV}
+Print security hardening recommendations for the selected architecture.
+
+.TP
+\fB\-g\fR {X86_64,X86_32,ARM64,ARM,RISCV}, \fB\-\-generate\fR {X86_64,X86_32,ARM64,ARM,RISCV}
+Generate a Kconfig fragment containing the security hardening options for the selected architecture.
+
+.SH AUTHOR
+Written by Alexander Popov with help from the contributors.
+
+.SH REPORTING BUGS
+Report bugs at: <https://github.com/a13xp0p0v/kernel-hardening-checker/issues>
+
+.SH COPYRIGHT
+Copyright: 2018-2025, Alexander Popov <alex.popov@linux.com>
+.br
+License: GPL-3.0
