slimm609 / checksec.sh Goto Github PK
View Code? Open in Web Editor NEWChecksec.sh
Home Page: https://slimm609.github.io/checksec.sh/
License: Other
Checksec.sh
Home Page: https://slimm609.github.io/checksec.sh/
License: Other
New option with grsecurity-3.1-4.4.2-201602182048.patch, on line 902 you can add:
harden_tty
It would be nice to add
in the output of checksec.sh --file , in that way when we will use checksec.sh --file we will have full control of current security measures applied to the binary.
https://github.com/slimm609/checksec.sh/blob/master/checksec#L91 seems to error out when calling checksec using /bin/bash -xe checksec
. Using the -e
flag, this is most likely due to a non-zero exit code being returned from this line. If I have time, I will investigate further.
json-checks.sh has a trivial typo (/dev/bull instead of /dev/null).
xml-checks.sh fails for a more serious reason: It seems that a spurious ":" is output near the beginning:
output.xml:2: parser error : Start tag expected, '<' not found
: <proc name='init' pid='1' relro="full" canary="yes" seccomp="no" pax="y
^
Hi,
Actually you use /proc/config.gz for testing grsecurity but the kernel options can be disabled by the user via a sysctl file in "/etc/sysctl.d/".
It would be best to test what is really active on the system.
Thanks, best regards
Here is the list of variables.
sysctl_options_for_grsecurity.txt
Version 1.9 introduced another error:
/usr/bin/checksec: line 342: [[: readelf: expression recursion level exceeded (error token is "readelf")
It happens occasionally with -f
and -d
options.
omt ~ # ./checksec --proc-all
* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)
Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
This, among other things, implies that shared libraries will be loaded to random
addresses. Also for PIE-linked binaries, the location of code start is randomized.
See the kernel file 'Documentation/sysctl/kernel.txt' for more details.
* Does the CPU support NX: Yes
COMMAND PID RELRO STACK CANARY NX/PaX PIE FORTIFY
init 1 Permission denied (please run as root)
omt ~ # whoami
root
./checksec --fortify-proc 1
./checksec: line 1503: cd: /proc: No such file or directory
(procstat under HardenedBSD and forks)
also throws:
Error: libc not found.
(which is a lie, it's just /lib/libc.so.7 not .6 will fix and make pull request soon for this one)
and one more:
Partial RELRO
it's full RELRO but not detected correctly by script on hbsd
also why RUNPATH/ RPATH is considered a feature option? It's very important value for custom PREFIX used by custom built software for example.
I have one virtual machine where i build some types of kernel.
I'd like to have something like
./checksec --kernel $KERNEL_CONFIG_PATH
If $KERNEL_CONFIG_PATH is empty, then it scan for /usr/src/linux/.config
Hi,
In Debian Jessie sysctl not found with an unprivileged user because /sbin/ is not present for a normal user's $PATHs.
Also remove the condition test for curl because he not integrated by default in some distributions. Use this only if Wget is not present.
Thanks, best regards
Here is the patch:
patch.txt
Hi,
I have noticed you are using base/archlinux
which is an unofficial user built image. Could you consider using the officially maintained and published variant archlinux/base
instead? Yeah the clash of those two names sucks ๐ผ
PS: Please also use pacman -Syu --noconfirm
instead of just -Sy
as that only updates the database. If you then just install packages with -S
without upgrading you technically do a partial upgrade which is not supported by Arch Linux and may result in incompatibilities and failed soname linkage and therefor major breakage.
On Debian unstable I am getting some warnings.
Are these false positives and if yes, is there a way to fix them without introducing false-negatives?
./checksec --output xml -f /bin/bzip2recover
<?xml version="1.0" encoding="UTF-8"?>
<file relro="partial" canary="no" nx="yes" pie="yes" rpath="no" runpath="no" fortify_source="yes" fortified="5" fortify-able="5" filename='/bin/bzip2recover'/>
claimed false-positive at https://bugs.archlinux.org/task/43231
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x1660
Start of program headers: 64 (bytes into file)
Start of section headers: 12808 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 29
Section header string table index: 28
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 0000000000000238 00000238
000000000000001c 0000000000000000 A 0 0 1
[ 2] .note.ABI-tag NOTE 0000000000000254 00000254
0000000000000020 0000000000000000 A 0 0 4
[ 3] .note.gnu.build-i NOTE 0000000000000274 00000274
0000000000000024 0000000000000000 A 0 0 4
[ 4] .gnu.hash GNU_HASH 0000000000000298 00000298
0000000000000024 0000000000000000 A 5 0 8
[ 5] .dynsym DYNSYM 00000000000002c0 000002c0
00000000000002b8 0000000000000018 A 6 1 8
[ 6] .dynstr STRTAB 0000000000000578 00000578
0000000000000155 0000000000000000 A 0 0 1
[ 7] .gnu.version VERSYM 00000000000006ce 000006ce
000000000000003a 0000000000000002 A 5 0 2
[ 8] .gnu.version_r VERNEED 0000000000000708 00000708
0000000000000030 0000000000000000 A 6 1 8
[ 9] .rela.dyn RELA 0000000000000738 00000738
00000000000000f0 0000000000000018 A 5 0 8
[10] .rela.plt RELA 0000000000000828 00000828
00000000000001f8 0000000000000018 AI 5 24 8
[11] .init PROGBITS 0000000000000a20 00000a20
0000000000000017 0000000000000000 AX 0 0 4
[12] .plt PROGBITS 0000000000000a40 00000a40
0000000000000160 0000000000000010 AX 0 0 16
[13] .plt.got PROGBITS 0000000000000ba0 00000ba0
0000000000000008 0000000000000000 AX 0 0 8
[14] .text PROGBITS 0000000000000bb0 00000bb0
0000000000000ea2 0000000000000000 AX 0 0 16
[15] .fini PROGBITS 0000000000001a54 00001a54
0000000000000009 0000000000000000 AX 0 0 4
[16] .rodata PROGBITS 0000000000001a60 00001a60
000000000000037e 0000000000000000 A 0 0 8
[17] .eh_frame_hdr PROGBITS 0000000000001de0 00001de0
0000000000000074 0000000000000000 A 0 0 4
[18] .eh_frame PROGBITS 0000000000001e58 00001e58
0000000000000234 0000000000000000 A 0 0 8
[19] .init_array INIT_ARRAY 0000000000202dd8 00002dd8
0000000000000008 0000000000000008 WA 0 0 8
[20] .fini_array FINI_ARRAY 0000000000202de0 00002de0
0000000000000008 0000000000000008 WA 0 0 8
[21] .jcr PROGBITS 0000000000202de8 00002de8
0000000000000008 0000000000000000 WA 0 0 8
[22] .dynamic DYNAMIC 0000000000202df0 00002df0
00000000000001e0 0000000000000010 WA 6 0 8
[23] .got PROGBITS 0000000000202fd0 00002fd0
0000000000000030 0000000000000008 WA 0 0 8
[24] .got.plt PROGBITS 0000000000203000 00003000
00000000000000c0 0000000000000008 WA 0 0 8
[25] .data PROGBITS 00000000002030c0 000030c0
0000000000000010 0000000000000000 WA 0 0 8
[26] .bss NOBITS 00000000002030e0 000030d0
00000000001881c0 0000000000000000 WA 0 0 32
[27] .gnu_debuglink PROGBITS 0000000000000000 000030d0
0000000000000034 0000000000000000 0 0 1
[28] .shstrtab STRTAB 0000000000000000 00003104
0000000000000102 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
l (large), p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000001f8 0x00000000000001f8 R E 0x8
INTERP 0x0000000000000238 0x0000000000000238 0x0000000000000238
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x000000000000208c 0x000000000000208c R E 0x200000
LOAD 0x0000000000002dd8 0x0000000000202dd8 0x0000000000202dd8
0x00000000000002f8 0x00000000001884c8 RW 0x200000
DYNAMIC 0x0000000000002df0 0x0000000000202df0 0x0000000000202df0
0x00000000000001e0 0x00000000000001e0 RW 0x8
NOTE 0x0000000000000254 0x0000000000000254 0x0000000000000254
0x0000000000000044 0x0000000000000044 R 0x4
GNU_EH_FRAME 0x0000000000001de0 0x0000000000001de0 0x0000000000001de0
0x0000000000000074 0x0000000000000074 R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x10
GNU_RELRO 0x0000000000002dd8 0x0000000000202dd8 0x0000000000202dd8
0x0000000000000228 0x0000000000000228 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .jcr .dynamic .got .got.plt .data .bss
04 .dynamic
05 .note.ABI-tag .note.gnu.build-id
06 .eh_frame_hdr
07
08 .init_array .fini_array .jcr .dynamic .got
Dynamic section at offset 0x2df0 contains 26 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0xa20
0x000000000000000d (FINI) 0x1a54
0x0000000000000019 (INIT_ARRAY) 0x202dd8
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x202de0
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x298
0x0000000000000005 (STRTAB) 0x578
0x0000000000000006 (SYMTAB) 0x2c0
0x000000000000000a (STRSZ) 341 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x203000
0x0000000000000002 (PLTRELSZ) 504 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x828
0x0000000000000007 (RELA) 0x738
0x0000000000000008 (RELASZ) 240 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000006ffffffb (FLAGS_1) Flags: PIE
0x000000006ffffffe (VERNEED) 0x708
0x000000006fffffff (VERNEEDNUM) 1
0x000000006ffffff0 (VERSYM) 0x6ce
0x000000006ffffff9 (RELACOUNT) 3
0x0000000000000000 (NULL) 0x0
Relocation section '.rela.dyn' at offset 0x738 contains 10 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000202dd8 000000000008 R_X86_64_RELATIVE 1760
000000202de0 000000000008 R_X86_64_RELATIVE 1720
0000002030c8 000000000008 R_X86_64_RELATIVE 2030c8
000000202fd0 000300000006 R_X86_64_GLOB_DAT 0000000000000000 _ITM_deregisterTMClone + 0
000000202fd8 000900000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0
000000202fe0 000b00000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
000000202fe8 001500000006 R_X86_64_GLOB_DAT 0000000000000000 _Jv_RegisterClasses + 0
000000202ff0 001900000006 R_X86_64_GLOB_DAT 0000000000000000 _ITM_registerTMCloneTa + 0
000000202ff8 001a00000006 R_X86_64_GLOB_DAT 0000000000000000 __cxa_finalize@GLIBC_2.2.5 + 0
0000002030e0 001c00000005 R_X86_64_COPY 00000000002030e0 stderr@GLIBC_2.2.5 + 0
Relocation section '.rela.plt' at offset 0x828 contains 21 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000203018 000100000007 R_X86_64_JUMP_SLO 0000000000000000 free@GLIBC_2.2.5 + 0
000000203020 000200000007 R_X86_64_JUMP_SLO 0000000000000000 __errno_location@GLIBC_2.2.5 + 0
000000203028 000400000007 R_X86_64_JUMP_SLO 0000000000000000 fclose@GLIBC_2.2.5 + 0
000000203030 000500000007 R_X86_64_JUMP_SLO 0000000000000000 strlen@GLIBC_2.2.5 + 0
000000203038 000600000007 R_X86_64_JUMP_SLO 0000000000000000 _IO_putc@GLIBC_2.2.5 + 0
000000203040 000700000007 R_X86_64_JUMP_SLO 0000000000000000 strrchr@GLIBC_2.2.5 + 0
000000203048 000800000007 R_X86_64_JUMP_SLO 0000000000000000 close@GLIBC_2.2.5 + 0
000000203050 000a00000007 R_X86_64_JUMP_SLO 0000000000000000 __memcpy_chk@GLIBC_2.3.4 + 0
000000203058 000c00000007 R_X86_64_JUMP_SLO 0000000000000000 fopen64@GLIBC_2.2.5 + 0
000000203060 000d00000007 R_X86_64_JUMP_SLO 0000000000000000 __stpcpy_chk@GLIBC_2.3.4 + 0
000000203068 000e00000007 R_X86_64_JUMP_SLO 0000000000000000 malloc@GLIBC_2.2.5 + 0
000000203070 000f00000007 R_X86_64_JUMP_SLO 0000000000000000 fflush@GLIBC_2.2.5 + 0
000000203078 001000000007 R_X86_64_JUMP_SLO 0000000000000000 _IO_getc@GLIBC_2.2.5 + 0
000000203080 001100000007 R_X86_64_JUMP_SLO 0000000000000000 __strcpy_chk@GLIBC_2.3.4 + 0
000000203088 001200000007 R_X86_64_JUMP_SLO 0000000000000000 fdopen@GLIBC_2.2.5 + 0
000000203090 001300000007 R_X86_64_JUMP_SLO 0000000000000000 open64@GLIBC_2.2.5 + 0
000000203098 001400000007 R_X86_64_JUMP_SLO 0000000000000000 perror@GLIBC_2.2.5 + 0
0000002030a0 001600000007 R_X86_64_JUMP_SLO 0000000000000000 exit@GLIBC_2.2.5 + 0
0000002030a8 001700000007 R_X86_64_JUMP_SLO 0000000000000000 fwrite@GLIBC_2.2.5 + 0
0000002030b0 001800000007 R_X86_64_JUMP_SLO 0000000000000000 __fprintf_chk@GLIBC_2.3.4 + 0
0000002030b8 001b00000007 R_X86_64_JUMP_SLO 0000000000000000 __sprintf_chk@GLIBC_2.3.4 + 0
The decoding of unwind sections for machine type Advanced Micro Devices X86-64 is not currently supported.
Symbol table '.dynsym' contains 29 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 FUNC GLOBAL DEFAULT UND free@GLIBC_2.2.5 (2)
2: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __errno_location@GLIBC_2.2.5 (2)
3: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab
4: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fclose@GLIBC_2.2.5 (2)
5: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strlen@GLIBC_2.2.5 (2)
6: 0000000000000000 0 FUNC GLOBAL DEFAULT UND _IO_putc@GLIBC_2.2.5 (2)
7: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strrchr@GLIBC_2.2.5 (2)
8: 0000000000000000 0 FUNC GLOBAL DEFAULT UND close@GLIBC_2.2.5 (2)
9: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.2.5 (2)
10: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __memcpy_chk@GLIBC_2.3.4 (3)
11: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
12: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fopen64@GLIBC_2.2.5 (2)
13: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __stpcpy_chk@GLIBC_2.3.4 (3)
14: 0000000000000000 0 FUNC GLOBAL DEFAULT UND malloc@GLIBC_2.2.5 (2)
15: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fflush@GLIBC_2.2.5 (2)
16: 0000000000000000 0 FUNC GLOBAL DEFAULT UND _IO_getc@GLIBC_2.2.5 (2)
17: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __strcpy_chk@GLIBC_2.3.4 (3)
18: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fdopen@GLIBC_2.2.5 (2)
19: 0000000000000000 0 FUNC GLOBAL DEFAULT UND open64@GLIBC_2.2.5 (2)
20: 0000000000000000 0 FUNC GLOBAL DEFAULT UND perror@GLIBC_2.2.5 (2)
21: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses
22: 0000000000000000 0 FUNC GLOBAL DEFAULT UND exit@GLIBC_2.2.5 (2)
23: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fwrite@GLIBC_2.2.5 (2)
24: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __fprintf_chk@GLIBC_2.3.4 (3)
25: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
26: 0000000000000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@GLIBC_2.2.5 (2)
27: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __sprintf_chk@GLIBC_2.3.4 (3)
28: 00000000002030e0 8 OBJECT GLOBAL DEFAULT 26 stderr@GLIBC_2.2.5 (2)
Histogram for `.gnu.hash' bucket list length (total of 2 buckets):
Length Number % of total Coverage
0 1 ( 50.0%)
1 1 ( 50.0%) 100.0%
Version symbols section '.gnu.version' contains 29 entries:
Addr: 00000000000006ce Offset: 0x0006ce Link: 5 (.dynsym)
000: 0 (*local*) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 0 (*local*)
004: 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
008: 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 3 (GLIBC_2.3.4) 0 (*local*)
00c: 2 (GLIBC_2.2.5) 3 (GLIBC_2.3.4) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
010: 2 (GLIBC_2.2.5) 3 (GLIBC_2.3.4) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
014: 2 (GLIBC_2.2.5) 0 (*local*) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
018: 3 (GLIBC_2.3.4) 0 (*local*) 2 (GLIBC_2.2.5) 3 (GLIBC_2.3.4)
01c: 2 (GLIBC_2.2.5)
Version needs section '.gnu.version_r' contains 1 entries:
Addr: 0x0000000000000708 Offset: 0x000708 Link: 6 (.dynstr)
000000: Version: 1 File: libc.so.6 Cnt: 2
0x0010: Name: GLIBC_2.3.4 Flags: none Version: 3
0x0020: Name: GLIBC_2.2.5 Flags: none Version: 2
Displaying notes found in: .note.ABI-tag
Owner Data size Description
GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
OS: Linux, ABI: 2.6.32
Displaying notes found in: .note.gnu.build-id
Owner Data size Description
GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)
Build ID: cc3eccbeb2dd5548956f36b7403598d6e22824e5
When checking a common process, e.g. cron, some libc libraries (e.g. libnsl-2.24.so) are missing a canary and are not fortified, but some are (e.g. libc-2.24.so):
<?xml version="1.0" encoding="UTF-8"?>
<proc name='cron' pid='582' relro="partial" canary="yes" seccomp="no" pax="yes" pie="yes" fortify_source='yes'>
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="0" filename='/lib/x86_64-linux-gnu/ld-2.24.so' />
<file relro="full" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="10" fortify-able="21" filename='/lib/x86_64-linux-gnu/libaudit.so.1.0.0' />
<file relro="partial" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="78" fortify-able="167" filename='/lib/x86_64-linux-gnu/libc-2.24.so' />
<file relro="partial" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="4" fortify-able="7" filename='/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="2" filename='/lib/x86_64-linux-gnu/libdl-2.24.so' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="16" filename='/lib/x86_64-linux-gnu/libnsl-2.24.so' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="4" filename='/lib/x86_64-linux-gnu/libnss_compat-2.24.so' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="5" filename='/lib/x86_64-linux-gnu/libnss_files-2.24.so' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="8" filename='/lib/x86_64-linux-gnu/libnss_nis-2.24.so' />
<file relro="partial" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="5" fortify-able="12" filename='/lib/x86_64-linux-gnu/libpam.so.0.83.1' />
<file relro="full" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="1" fortify-able="4" filename='/lib/x86_64-linux-gnu/libpcre.so.3.13.3' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="27" filename='/lib/x86_64-linux-gnu/libpthread-2.24.so' />
<file relro="partial" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="9" fortify-able="22" filename='/lib/x86_64-linux-gnu/libselinux.so.1' />
<file relro="partial" canary="yes" nx="yes" pie="yes" rpath="no" runpath="no" fortify_source="yes" fortified="5" fortify-able="10" filename='/usr/sbin/cron' />
</proc>
Fedora man page check failed: https://bugzilla.redhat.com/show_bug.cgi?id=1611199
Section 1 is for man pages for commands. It is better for checksec.
Hello,
In README it says that it should work on macOS by installing "binutils", but binutils does not install readelf, which is required by checksec, therefore I get the error "readelf not found! It's required for most checks".
Should it work on macOS?
Thanks
--- to check executable properties like (PIE, RELRO, PaX, Canaries, ASLR, Fortify Source)
+++ to check properties of executables (e.g. ASLR/PIE, RELRO, PaX, Canaries, Fortify Source)
The man page states:
-d or --dir
Recursively checks all executable files in the directory for security features compiled
into the executables
I'm not sure what's meant exactly by this statement, as in my tests, checksec does not check subdirectories recursively. It only checks executables in the directory given. Is this intended behaviour? My expectation was that it would recursively check subdirectories.
I noticed that checksec's canary detection does not work on my system (Gentoo with testing packages and gcc 6.3.0). I assume that gcc 6 creates the stack protection code different and thus the detection no longer works.
E.g.:
gcc -fstack-protector-strong test.c -o test1
gcc -fstack-protector test.c -o test2
checksec gives for both test1 and test2 this output:
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 0 test1
I run checksec -f
on the exact same binary on two different systems. One has readelf, the other has eu-readelf. The one with readelf says PIE enabled, and the one with eu-readelf says DSO. This seems to be because it's running $readelf -d
and looking for '(DEBUG)', but eu-readelf doesn't use parentheses, so it would need to look for 'DEBUG' instead.
I also see the function counts from the fortify check (-ff) are doubled for unstripped executables, but that's probably unrelated to eu-readelf.
Package maintainers rely on the git tag for recognizing release points. The Arch version is now out of date because this update wasn't tagged.
Thanks for the continued hard work and great project. --Cheers
More a question than a issue.
I'm using checksec.sh to evaluate quickly which grsec/pax options are turned on and I'm wondering about which options are checked ?
In other words, is the tool checking all the kernel configuration available with the latest grsecurity/pax patch ?
When running checksec through strace, I can see 80 forks/calls to GNU seq. These forks could be saved by moving to Bash brace expansion. I could imagine a noticeable speed-up. What do you think?
Best, Sebastian
$ ls /usr/bin/755
"/usr/bin/755": No such file or directory (os error 2)
$ checksec -d /usr/bin/
...
/usr/local/sbin/checksec: line 291: 755: Permission denied
...
$ sudo checksec -d /usr/bin/
...
$ ls /usr/bin/755
755
I have binutils-2.28 and checksec-1.7.5, I suppose that the check for the FORTIFY, generates some warnings. You may want to hide it in some way, to restore the better output of checksec.
$ checksec --proc-all
* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)
Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
This, among other things, implies that shared libraries will be loaded to random
addresses. Also for PIE-linked binaries, the location of code start is randomized.
See the kernel file 'Documentation/sysctl/kernel.txt' for more details.
* Does the CPU support NX: Yes
COMMAND PID RELRO STACK CANARY SECCOMP NX/PaX PIE FORTIFY
at-spi-bus-laun 11865 Partial RELRO No canary found No Seccomp NX enabled No PIE No
dbus-daemon 11870 Partial RELRO No canary found No Seccomp NX enabled No PIE Yes
at-spi2-registr 11872 Partial RELRO No canary found No Seccomp NX enabled No PIE Yes
ksysguardd 16408 Partial RELRO No canary found No Seccomp NX enabled No PIE Yes
chrome 16516 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled readelf: Warning: local symbol 3 found at index >= .dynsym's sh_info value of 3
readelf: Warning: local symbol 4 found at index >= .dynsym's sh_info value of 3
When building and testing a filesystem of a embedded system offline, it would be nice to provide a prefix so the script understands to look in a specific folder at a specific libc, etc. I'm not sure of the full impact of adding this option and which checksec options can't be assumed to work offline. Maybe a offline mode with prefix option ? Thoughts? I can definitely create a pull request to support adding the prefix but thought a offline filesystem option might be something else to debate as some features assume you're running this on the executing system.
Hi,
Is there any support of existing checksec to bins/procs compiled using go-lang. So the flags may not be reflecting in Makefile similar to what gcc uses.
Any suggestions?
When checksec is invoked on a PID with the --proc-libs
option, libraries are nested improperly.
As an example,
{
"proc": {
"name": "rpcbind",
"pid": "948",
"relro": "full",
"canary": "yes",
"seccomp": "no",
"nx": "yes",
"pie": "yes",
"fortify_source": "yes"
}
"file": {
"relro": "partial",
"canary": "no",
"nx": "yes",
"pie": "dso",
"rpath": "no",
"runpath": "no",
"symtables": "no",
"fortify_source": "no",
"fortified": "0",
"fortify-able": "0"
"filename" = "/lib/x86_64-linux-gnu/ld-2.27.so"
"file": {
"relro": "partial",
"canary": "yes",
"nx": "yes",
"pie": "dso",
"rpath": "no",
"runpath": "no",
"symtables": "no",
"fortify_source": "yes",
"fortified": "79",
"fortify-able": "170"
"filename" = "/lib/x86_64-linux-gnu/libc-2.27.so"
"file": {
"relro": "full",
"canary": "yes",
"nx": "yes",
"pie": "dso",
"rpath": "no",
"runpath": "no",
"symtables": "no",
"fortify_source": "yes",
"fortified": "3",
"fortify-able": "4"
"filename" = "/lib/x86_64-linux-gnu/libcom_err.so.2.1"
"file": {
"relro": "partial",
"canary": "yes",
"nx": "yes",
"pie": "dso",
"rpath": "no",
"runpath": "no",
"symtables": "no",
"fortify_source": "yes",
"fortified": "0",
"fortify-able": "2"
"filename" = "/lib/x86_64-linux-gnu/libdl-2.27.so"
"file": {
...
***** Checksec debug *****
uid=0(root) gid=0(root) groups=0(root),127(kvm)
Linux xxx 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
checksec version: 1.11.0 -- 2018122701
OS=Ubuntu
VER=18.04
-rwxr-xr-x 1 root root 35064 Jan 18 2018 /bin/cat
/bin/cat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=747e524bc20d33ce25ed4aea108e3025e5c3b78f, stripped
lrwxrwxrwx 1 root root 21 Sep 30 16:56 /usr/bin/awk -> /etc/alternatives/awk
-rwxr-xr-x 1 root root 658072 Feb 11 2018 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c8501e8e996c37ed412a87269b6395bc6afbbebb, stripped
-rwxr-xr-x 1 root root 22600 May 14 2018 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=dc85edfc927eaa77ea0fd0bdc558f687326c55e2, stripped
-rwxr-xr-x 1 root root 35032 Jan 18 2018 /bin/uname
/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2b4b6989bb8cf1061951e98ab1cc8e6130f6aa5c, stripped
-rwxr-xr-x 1 root root 43192 Jan 18 2018 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8258387eab419d6c48de0e1f6d6518eac46dac36, stripped
-rwxr-xr-x 1 root root 650296 Dec 5 10:59 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=06754a7652ec38716fc41ec6f074654ec3b2ed27, stripped
-rwxr-xr-x 1 root root 219528 Jul 12 2017 /bin/grep
/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8fce2b8087b2c31aa35b499f249b01658e5c218b, stripped
-rwxr-xr-x 1 root root 80088 Jan 18 2018 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a8ada86d60f0d5361c99eb114227dea0b8b133b4, stripped
-rwxr-xr-x 1 root root 22792 Jun 13 2018 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=ba74252751fddf2ef1b1d3bd2098c95550eee976, stripped
-rwxr-xr-x 1 root root 238080 Nov 5 2017 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b920f53e0c67a31d8ef07b84b1344f87a0e82d71, stripped
-rwxr-xr-x 1 root root 43224 Jan 18 2018 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f53353500249659d3b82d732445de676de95b24a, stripped
-rwxr-xr-x 1 root root 133432 May 14 2018 /bin/ps
/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=63f6aa9139f4ce7b58275597fcc43babf0146a7a, stripped
-rwxr-xr-x 1 root root 43192 Jan 18 2018 /bin/readlink
/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=427b7c5d8766a0185381c7ad75855d4758030fb2, stripped
-rwxr-xr-x 1 root root 35000 Jan 18 2018 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=cb1bb6b3247280ca512b0443ab48fdcf87e32aef, stripped
-rwxr-xr-x 1 root root 43224 Jan 18 2018 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=cba786491810c0767b2a66ab876bcb7783955cad, stripped
lrwxrwxrwx 1 root root 10 Sep 30 16:56 /usr/bin/which -> /bin/which
-rwxr-xr-x 1 root root 946 Dec 30 2017 /bin/which
/bin/which: POSIX shell script, ASCII text executable
-rwxr-xr-x 1 root root 499264 May 8 2018 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a163624cff1591ed5a6a6f4d77b289ba76e4b61e, stripped
-rwxr-xr-x 1 root root 223304 Oct 29 08:10 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=08ef94c44332a736ebe03f2064729d6ae8e8559a, stripped
lrwxrwxrwx 1 root root 24 Sep 12 11:38 /usr/bin/readelf -> x86_64-linux-gnu-readelf
-rwxr-xr-x 1 root root 596440 Sep 12 11:38 /usr/bin/x86_64-linux-gnu-readelf
/usr/bin/x86_64-linux-gnu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=7dce75907448d6ad1af092c8ee1a3873c04ef494, stripped
*** can not find command eu-readelf
/checksec --output json --proc-libs <pid>
Ubuntu 18.04, 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Hello,
Small idea to improve this script, as for selinux, apparmor should be part of the checksec -k
add xml procs group to not fail xml validation.
Commit Fix RW-RPATH and RW-RUNPATH logic causes warnings each time when RPATH/RUNPATH doesn't exist in system. Reverting this commit fixes this issue. @lraugusto
***** Checksec debug *****
uid=1000(user) gid=100(users) groups=100(users)
Linux host 4.19.7 #1 SMP PREEMPT
checksec version: 1.10.0 -- 2018120601
OS=Arch Linux
VER=rolling
-rwxr-xr-x 1 root root 38912 Aug 19 11:54 /usr/bin/cat
/usr/bin/cat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=abd59e639d7d2c3e5cea7e89be055917fe906044, stripped
lrwxrwxrwx 1 root root 4 Feb 27 2018 /usr/bin/awk -> gawk
-rwxr-xr-x 2 root root 671584 Feb 27 2018 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=31bc8afd09c9fa30929c72876dea5756442eca2e, stripped
-rwxr-xr-x 1 root root 22360 Jun 1 2018 /usr/bin/sysctl
/usr/bin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2a9b00728f1458714f686bb4dd52e57f832d9780, stripped
-rwxr-xr-x 1 root root 38880 Aug 19 11:54 /usr/bin/uname
/usr/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=bca476f9f043fadbce5ca6446649ee98e779719a, stripped
-rwxr-xr-x 1 root root 42944 Aug 19 11:54 /usr/bin/mktemp
/usr/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=90842803a95b5bb6f8d2e4a03dfd309255328368, stripped
-rwxr-xr-x 1 root root 719768 Nov 20 18:41 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b2df1fa550731d843bff86e468d1e25205f4d5ec, stripped
-rwxr-xr-x 1 root root 170064 Nov 4 03:10 /usr/bin/grep
/usr/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=af4bdaddff69380e14c744f4ddc809473e79aad0, stripped
-rwxr-xr-x 1 root root 79840 Aug 19 11:54 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1d3dab87848cd1d570375465daf8cdf3cd74a18e, stripped
-rwxr-xr-x 1 root root 26704 Oct 20 16:09 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6b7d6a773c767cff63447f3602c3f4923bfa55e4, stripped
-rwxr-xr-x 1 root root 216400 Nov 3 23:36 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8b1b8e2dd522bd895bd1f184c944e6050d7d2d42, stripped
-rwxr-xr-x 1 root root 47072 Aug 19 11:54 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=62e272c1b443f2dbdf9cfdffa55193a9e417fded, stripped
-rwxr-xr-x 1 root root 129088 Jun 1 2018 /usr/bin/ps
/usr/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=864dd7723b4bd8a0cc9d5cac70694312691b4970, stripped
-rwxr-xr-x 1 root root 47040 Aug 19 11:54 /usr/bin/readlink
/usr/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d57b38e892707a648324b93f321c3fc5533fe36e, stripped
-rwxr-xr-x 1 root root 38848 Aug 19 11:54 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f8df7effb62236a819813ef0764886772213339d, stripped
-rwxr-xr-x 1 root root 42976 Aug 19 11:54 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c96bab36239547a627047bbaa64a422ae89e48cd, stripped
-rwxr-xr-x 1 root root 31288 Nov 3 17:33 /usr/bin/which
/usr/bin/which: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=02c822d2f01f85aa78a5ff80c65cb3b505d1c6b6, stripped
-rwxr-xr-x 1 root root 174008 Oct 31 08:22 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=78924b334b3475e2ad76df2476237e1cb65c3ee6, stripped
-rwxr-xr-x 1 root root 608440 Aug 11 17:02 /usr/bin/readelf
/usr/bin/readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=4cb860d9d620096232b6d7064f8cb94f625cee0f, stripped
-rwxr-xr-x 1 root root 256160 Sep 25 22:12 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d5115e2d82dddc9fbd48af519c8348aca3f704ea, stripped
$ sudo pacman -Syu nss
$ checksec --output csv -f /usr/bin/modutil
Full RELRO,Canary found,NX enabled,PIE enabled,stat: cannot stat '$ORIGIN/lib/': No such file or directory
RPATH,No RUNPATH,No SYMTABLES,Yes,7,12,/usr/bin/modutil
OS: Arch Linux
KERNEL: Linux 4.19.7
$ checksec --debug --output csv -f /usr/bin/modutil
***function filecheck
***function filecheck->RELRO
Full RELRO,
***function filecheck->canary
Canary found,
***function filecheck->nx
NX enabled,
***function filecheck->pie
PIE enabled,
***function filecheck->rpath
stat: cannot stat '$ORIGIN/lib/': No such file or directory
RPATH,
***function filecheck->runpath
No RUNPATH,No SYMTABLES,***function filecheck->fortify
Yes,7,12,/usr/bin/modutil
Hi! I noticed that the man page at
https://github.com/slimm609/checksec.sh/blob/master/extras/man/checksec.7.gz
is compressed in Git. I can think of quite a few downsides of that (..) but only a single upside with size of a direct download. On a side note, Linux distros like and do take care of man page compression themselves. Unless I am missing something, I would ask to store the man page uncompressed (and ideally even to have it be generated from AsciiDoc or something).
Thanks and best, S
Title says it all, DEBUG_RODATA
was renamed/split to STRICT_KERNEL_RWX
and STRICT_MODULE_RWX
.
torvalds/linux@7bb0338
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
got removed as it's not needed.
torvalds/linux@0d025d2
In other news, HARDENED_USERCOPY
and HARDENED_USERCOPY_PAGESPAN
were added and I do believe they are roughly equivalent to PAXes PAX_USERCOPY
.
torvalds/linux@f5509cc
Do you mind updating your shellscript to reflect these?
Running checksec -d
on a directory which contains filenames with spaces fails on them as they are treated as separate files.
***** Checksec debug *****
uid=1000(user) gid=100(users) groups=100(users)
Linux laptop 4.20.0-1 #1 SMP PREEMPT x86_64 GNU/Linux
checksec version: 1.10.0 -- 2018120601
OS=Arch Linux
VER=
-rwxr-xr-x 1 root root 38912 Aug 19 11:54 /usr/bin/cat
/usr/bin/cat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=abd59e639d7d2c3e5cea7e89be055917fe906044, stripped
lrwxrwxrwx 1 root root 4 Feb 27 2018 /usr/bin/awk -> gawk
-rwxr-xr-x 2 root root 671584 Feb 27 2018 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=31bc8afd09c9fa30929c72876dea5756442eca2e, stripped
-rwxr-xr-x 1 root root 22360 Jun 1 2018 /usr/bin/sysctl
/usr/bin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2a9b00728f1458714f686bb4dd52e57f832d9780, stripped
-rwxr-xr-x 1 root root 38880 Aug 19 11:54 /usr/bin/uname
/usr/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=bca476f9f043fadbce5ca6446649ee98e779719a, stripped
-rwxr-xr-x 1 root root 42944 Aug 19 11:54 /usr/bin/mktemp
/usr/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=90842803a95b5bb6f8d2e4a03dfd309255328368, stripped
-rwxr-xr-x 1 root root 719768 Nov 20 18:41 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b2df1fa550731d843bff86e468d1e25205f4d5ec, stripped
-rwxr-xr-x 1 root root 157808 Dec 21 11:14 /usr/bin/grep
/usr/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=efbba1ea6419232c285a239a0bc4cf3608ad7e91, stripped
-rwxr-xr-x 1 root root 79840 Aug 19 11:54 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1d3dab87848cd1d570375465daf8cdf3cd74a18e, stripped
-rwxr-xr-x 1 root root 26704 Oct 20 16:09 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6b7d6a773c767cff63447f3602c3f4923bfa55e4, stripped
-rwxr-xr-x 1 root root 216400 Nov 3 23:36 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8b1b8e2dd522bd895bd1f184c944e6050d7d2d42, stripped
-rwxr-xr-x 1 root root 47072 Aug 19 11:54 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=62e272c1b443f2dbdf9cfdffa55193a9e417fded, stripped
-rwxr-xr-x 1 root root 129088 Jun 1 2018 /usr/bin/ps
/usr/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=864dd7723b4bd8a0cc9d5cac70694312691b4970, stripped
-rwxr-xr-x 1 root root 47040 Aug 19 11:54 /usr/bin/readlink
/usr/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d57b38e892707a648324b93f321c3fc5533fe36e, stripped
-rwxr-xr-x 1 root root 38848 Aug 19 11:54 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f8df7effb62236a819813ef0764886772213339d, stripped
-rwxr-xr-x 1 root root 42976 Aug 19 11:54 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c96bab36239547a627047bbaa64a422ae89e48cd, stripped
-rwxr-xr-x 1 root root 31288 Nov 3 17:33 /usr/bin/which
/usr/bin/which: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=02c822d2f01f85aa78a5ff80c65cb3b505d1c6b6, stripped
-rwxr-xr-x 1 root root 174032 Dec 20 10:50 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b728c9ed78dd59d865704c062ddedd99c7b31d44, stripped
-rwxr-xr-x 1 root root 608480 Dec 26 16:27 /usr/bin/readelf
/usr/bin/readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=90504b06d572f2c441e0a712562319352273fe74, stripped
-rwxr-xr-x 1 root root 256144 Dec 3 22:48 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1656346a6af6c222ab263be36e0ba5d87261cf7c, stripped
$ mkdir test
$ cp /usr/bin/bash test/bash
$ checksec -d test
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable Filename
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols Yes 13 33 test/bash
$ mv test/bash "test/ba sh"
$ checksec -d test
Error: No read permissions for 'test/ba' (run as root).
Error: No read permissions for 'sh' (run as root).
OS: Arch Linux
Kernel: 4.20
checksec --debug -d test
Error: No read permissions for 'test/ba' (run as root).
Error: No read permissions for 'sh' (run as root).
Running checksec with --kernel
in my machine generates an invalid JSON, which is as follows:
{
"kernel": {
"KernelConfig": "/boot/config-4.15.0-43-generic",
"randomize_va_space": "full",
"protect_symlinks": "yes",
"protect_hardlinks": "yes",
"ipv4_rpath": "yes",
"ipv6_rpath": "no",
"kernel_heap_randomization": "yes",
"gcc_stack_protector": "yes",
"slab_freelist_randomization": "yes",
"virtually_mapped_stack": "yes",
"restrict_dev_mem_access": "yes",
"restrict_io_dev_mem_access": "no",
"ro_kernel_data": "yes",
"ro_module_data": "yes",
"hardened_usercopy": "yes",
"hardened_usercopy_pagespan": "no",
"fortify_source": "yes",
"restrict_dev_mem_access": "yes",
"restrict_io_dev_mem_access": "no",
"restrict_dev_kmem_access": "yes"
},
"random_address_space_layout": "yes"
}, "selinux": {
"enabled": "no"
}, "grsecurity": {
"grsecurity_config": "no"
}
}
A JSON without multiple root elements would be preferably be produced.
Note: Even the JSON present in the README does not pass validation from JSONLint or JSONFormatter
***** Checksec debug *****
uid=0(root) gid=0(root) groups=0(root),127(kvm)
Linux xxxx 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
checksec version: 1.10.0 -- 2018120601
OS=Ubuntu
VER=18.04
-rwxr-xr-x 1 root root 35064 Jan 18 2018 /bin/cat
/bin/cat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=747e524bc20d33ce25ed4aea108e3025e5c3b78f, stripped
lrwxrwxrwx 1 root root 21 Sep 30 16:56 /usr/bin/awk -> /etc/alternatives/awk
-rwxr-xr-x 1 root root 658072 Feb 11 2018 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c8501e8e996c37ed412a87269b6395bc6afbbebb, stripped
-rwxr-xr-x 1 root root 22600 May 14 2018 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=dc85edfc927eaa77ea0fd0bdc558f687326c55e2, stripped
-rwxr-xr-x 1 root root 35032 Jan 18 2018 /bin/uname
/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2b4b6989bb8cf1061951e98ab1cc8e6130f6aa5c, stripped
-rwxr-xr-x 1 root root 43192 Jan 18 2018 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8258387eab419d6c48de0e1f6d6518eac46dac36, stripped
-rwxr-xr-x 1 root root 650296 Dec 5 10:59 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=06754a7652ec38716fc41ec6f074654ec3b2ed27, stripped
-rwxr-xr-x 1 root root 219528 Jul 12 2017 /bin/grep
/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8fce2b8087b2c31aa35b499f249b01658e5c218b, stripped
-rwxr-xr-x 1 root root 80088 Jan 18 2018 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a8ada86d60f0d5361c99eb114227dea0b8b133b4, stripped
-rwxr-xr-x 1 root root 22792 Jun 13 2018 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=ba74252751fddf2ef1b1d3bd2098c95550eee976, stripped
-rwxr-xr-x 1 root root 238080 Nov 5 2017 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b920f53e0c67a31d8ef07b84b1344f87a0e82d71, stripped
-rwxr-xr-x 1 root root 43224 Jan 18 2018 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f53353500249659d3b82d732445de676de95b24a, stripped
-rwxr-xr-x 1 root root 133432 May 14 2018 /bin/ps
/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=63f6aa9139f4ce7b58275597fcc43babf0146a7a, stripped
-rwxr-xr-x 1 root root 43192 Jan 18 2018 /bin/readlink
/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=427b7c5d8766a0185381c7ad75855d4758030fb2, stripped
-rwxr-xr-x 1 root root 35000 Jan 18 2018 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=cb1bb6b3247280ca512b0443ab48fdcf87e32aef, stripped
-rwxr-xr-x 1 root root 43224 Jan 18 2018 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=cba786491810c0767b2a66ab876bcb7783955cad, stripped
lrwxrwxrwx 1 root root 10 Sep 30 16:56 /usr/bin/which -> /bin/which
-rwxr-xr-x 1 root root 946 Dec 30 2017 /bin/which
/bin/which: POSIX shell script, ASCII text executable
-rwxr-xr-x 1 root root 499264 May 8 2018 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a163624cff1591ed5a6a6f4d77b289ba76e4b61e, stripped
-rwxr-xr-x 1 root root 223304 Oct 29 08:10 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=08ef94c44332a736ebe03f2064729d6ae8e8559a, stripped
lrwxrwxrwx 1 root root 24 Sep 12 11:38 /usr/bin/readelf -> x86_64-linux-gnu-readelf
-rwxr-xr-x 1 root root 596440 Sep 12 11:38 /usr/bin/x86_64-linux-gnu-readelf
/usr/bin/x86_64-linux-gnu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=7dce75907448d6ad1af092c8ee1a3873c04ef494, stripped
*** can not find command eu-readelf
sudo ./checksec.sh/checksec --output json --kernel
Ubuntu 18.04.1 LTS 4.15.0-43-generic
add json validation tests and fix any json validation errors.
I guess the curl dependency should not be mandatory because I want to use the script but I never want to update.
I am using checksec to ensure that Ruby in Fedora is correctly fortified:
$ checksec -f libruby.so.2.4.1 | grep 'Full RELRO.*Canary found.*NX enabled.*DSO.*No RPATH.*No RUNPATH.*Yes.*\d*.*\d*.*libruby.so.2.4.1'
Unfortunately, with binutils 2.29 this check started to fail and this is the output:
$ checksec -f libruby.so.2.4.1
WARNING: 'openssl' not found! It's required for most checks.
WARNING: Not all necessary commands found. Some tests might not work!
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled DSO No RPATH No RUNPATH No 0 0 libruby.so.2.4.1
Apparently, the "FORTIFY" used to be "Yes" on all platforms, while it is "No" for PPC64LE ATM.
And this is the analysis from the Fedora bug I opened [1]:
--- Comment 4 Nick Clifton 2017-08-08 17:29:43 CEST
Right, well I have found the cause, but not a solution. The 2.29 linker for PowerPC is setting some extra symbol information, in order to help optimise run-time performance. (This is related to BZ 14756316, but it is not exactly the same problem).
So, when libruby is built with the 2.28 linker the readelf command run by checksec would see output something like this:
138: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __memmove_chk@GLIBC_2.17 (2)
But when it is built with the 2.29 linker the readelf output looks like this:
257: 0000000000000000 0 FUNC GLOBAL DEFAULT [<localentry>: 8] UND __memmove_chk@GLIBC_2.17 (2)
(This is true regardless of which version of readelf is used).
The problem is that checksec uses an awk script to extract the names of symbols, based upon the field in which they appear, and this field is hardcoded to be field number 8. This works for the 2.28 linked libruby, but not the 2.29 libruby. So the checksec script thinks that no *_chk functions are accessed by the library, and hence that it has not been fortified.
Now I do not think that the linker is wrong in adding this extra information. In fact I think that it may be a requirement of the new ABI that IBM are creating. So I would suggest that the real fix is to update checksec to cope with the new information. Maybe by searching for a symbol name suffixed by an @ symbol for example, instead of replying upon field numbers.
I have not changed the component field of this BZ yet however as I want to see if there are any other suggestions.
Cheers
Nick
--- Comment 5 Nick Clifton 2017-08-08 17:34:26 CEST
Addendum: It occurs to me that one thing I could do is to patch readelf so that this "extra" information is printed at the end of the line, rather than in the middle. That way checksec's awk scanner would resume working. Of course this might potentially break other tools that rely upon the latest format of the output...
I have use the latest version of checksec, but it cannot run on macOS
I cannot use completion to complete statements when using checksec
, could you fix it?
If security is of the essence here and you are attempting to check the script against a signed signature, should we also not be disabling TLS verification here: https://github.com/slimm609/checksec.sh/blob/master/checksec#L110-L122
Hi!
My understanding is that yours is the most active successor to the original checksec.sh 1.5.
I believe checksec.sh should go into Linux distributions at some point as a proper package.
To make that smoother I would ask to
.sh
extension, since that looks wierd in a ``$PATH` folderThen updating process may need changes then, which you know best.
If .sh
needs to stay alive to not break updates of existing installations, maybe a simple Automake-based build system installing checksec.sh
as checksec
would be cool.
What do you think?
Hi!
There is a nice tool called Shellcheck to statically analyze shell scripts. I performed simple test and it shows many potential issues. If you are interested you can look at the report or perform test yourself.
https://www.shellcheck.net/
shellecheck_test.txt
when did the suffix vanished?
Hi!
I recently made (Bash tool) porticron run its BATS test suite in Travis CI. I could imagine it is of interest to you with ./tests/test-checksec.sh
as well.
Best, Sebastian
Running checksec with --kernel
on CentOS pollutes the output with errors for missing files:
sudo src/ossec/scripts/checksec.sh/checksec --kernel
* Kernel protection information:
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
Kernel config:
/boot/config-2.6.32-754.9.1.el6.x86_64
Warning: The config on disk may not represent running kernel config!
Vanilla Kernel ASLR: Full
Protected symlinks: Disabled
Protected hardlinks: Disabled
Ipv4 reverse path filtering: Enabled
Ipv6 reverse path filtering: Disabled
Kernel heap randomization: Enabled
GCC stack protector support: Enabled
Enforce read-only kernel data: Enabled
Enforce read-only module data: Disabled
Exec Shield: Disabled
Restrict /dev/kmem access: Enabled
* X86 only:
* SELinux: Enforcing
Checkreqprot: cat: /sys/fs/selinux/checkreqprot: No such file or directory
Disabled
Deny Unknown: cat: /sys/fs/selinux/deny_unknown: No such file or directory
Disabled
* grsecurity / PaX: No GRKERNSEC
The grsecurity / PaX patchset is available here:
http://grsecurity.net/
Likewise, the respective JSON is broken:
{ "kernel": { "KernelConfig":"/boot/config-2.6.32-754.9.1.el6.x86_64","randomize_va_space":"full","protect_symlinks":"no","protect_hardlinks":"no","ipv4_rpath":"yes","ipv6_rpath":"no","kernel_heap_randomization":"yes","gcc_stack_protector":"yes","ro_kernel_data":"yes","ro_module_data":"no","restrict_dev_kmem_access":"yes",},"selinux":{ "enabled":"yes", "mode":"enforcing"cat: /sys/fs/selinux/checkreqprot: No such file or direc
tory , "checkreqprot":"no"cat: /sys/fs/selinux/deny_unknown: No such file or directory
, "deny_unknown":"no" },"grsecurity": { "grsecurity_config":"no" } }
***** Checksec debug *****
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Linux xxx 2.6.32-754.9.1.el6.x86_64 #1 SMP Thu Dec 6 08:02:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
checksec version: 1.11.0 -- 2018122701
OS=CentOS release 6.10 (Final)
VER=2.6.32-754.9.1.el6.x86_64
-rwxr-xr-x. 1 root root 48568 Jun 19 2018 /bin/cat
/bin/cat: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
lrwxrwxrwx. 1 root root 4 Dec 10 19:10 /bin/awk -> gawk
-rwxr-xr-x. 1 root root 382752 Nov 10 2015 /bin/gawk
/bin/gawk: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 19376 Jun 1 2018 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 27776 Jun 19 2018 /bin/uname
/bin/uname: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 38048 Jun 19 2018 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 548184 Mar 22 2017 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 167840 Mar 22 2017 /bin/grep
/bin/grep: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 50984 Jun 19 2018 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 19784 May 10 2016 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 239000 Mar 1 2016 /bin/find
/bin/find: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 36136 Jun 19 2018 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 89504 Jun 1 2018 /bin/ps
/bin/ps: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 40056 Jun 19 2018 /bin/readlink
/bin/readlink: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 26264 Jun 19 2018 /bin/basename
/bin/basename: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 32720 Jun 19 2018 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 25528 Sep 23 2011 /usr/bin/which
/usr/bin/which: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 366848 Mar 21 2017 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 134504 Apr 3 2017 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 303440 Jun 19 2018 /usr/bin/readelf
/usr/bin/readelf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 178616 May 10 2016 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
Running checksec --kernel
in Centos6 should suffice.
centos6 2.6.32-754.9.1.el6.x86_64 #1 SMP Thu Dec 6 08:02:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Same as --kerel output.
checksec uses sysctl
to check the value of /proc/sys/net/ipv6/conf/all/rp_filter
. However, only /proc/sys/net/ipv4/conf/all/rp_filter
exists - there is no such thing as an rp_filter
kernel parameter for IPv6.
See also:
https://cansecwest.com/csw12/conntrack-attack.pdf#page=94
$ ./checksec --debug_report
***** Checksec debug *****
uid=1000(vm) gid=1000(vm) groups=1000(vm),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)
Linux vm 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux
checksec version: 1.10.0 -- 2018120601
OS=Debian GNU/Linux
VER=9
-rwxr-xr-x 1 root root 35688 Feb 22 2017 /bin/cat
/bin/cat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8a5ac6fc8d1a22b34798b7896be48428086d5df1, stripped
lrwxrwxrwx 1 root root 21 Jul 13 13:41 /usr/bin/awk -> /etc/alternatives/awk
-rwxr-xr-x 1 root root 121976 Mar 23 2012 /usr/bin/mawk
/usr/bin/mawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1e84b07571ac879b843266c79c5c2c05626f5e7e, stripped
-rwxr-xr-x 1 root root 22600 May 17 2018 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=7bd2da33837a4e9520db7316e19bd04c16c3b025, stripped
-rwxr-xr-x 1 root root 35592 Feb 22 2017 /bin/uname
/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9a7f13d1496fdfba6e01816f91ba2e4bc5eda66a, stripped
-rwxr-xr-x 1 root root 43912 Feb 22 2017 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=cec0dfe524eadbf9dcbb1d0bd8f83b7f8e6ff5ba, stripped
-rwxr-xr-x 1 root root 651880 Mar 29 2018 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=0c4249e27df8296c67806646931c018354f8fc16, stripped
-rwxr-xr-x 1 root root 215360 Jan 23 2017 /bin/grep
/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=0b72a4b88afe6711c7154541e1f002331041c71f, stripped
-rwxr-xr-x 1 root root 85096 Feb 22 2017 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f9db89b81b1505176af32d8c13e34c770ee0b459, stripped
-rwxr-xr-x 1 root root 22792 Jun 11 2018 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=833d99e1b8d7884dc6b1cfb142ba3034b1bf6968, stripped
-rwxr-xr-x 1 root root 221768 Feb 18 2017 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=7079a38abca5fb9d188cc66bb15fbec5e98f0f00, stripped
-rwxr-xr-x 1 root root 43848 Feb 22 2017 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d37253992564bafb79e0c8af798e0fab5b728066, stripped
-rwxr-xr-x 1 root root 129336 May 17 2018 /bin/ps
/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=91389d6ef35c87b7fd9ac60df95cb1986ae15b71, stripped
-rwxr-xr-x 1 root root 43816 Feb 22 2017 /bin/readlink
/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4505da392d1f523c8c73bb9ed0138c0d4d085ab5, stripped
-rwxr-xr-x 1 root root 31464 Feb 22 2017 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f138d7ef0a8acf88bda17dbe4c6583e0e882a08e, stripped
-rwxr-xr-x 1 root root 43944 Feb 22 2017 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=dd8a6756f63270ea0c6a15c47d82c30e30fb8096, stripped
lrwxrwxrwx 1 root root 10 Jul 13 13:41 /usr/bin/which -> /bin/which
-rwxr-xr-x 1 root root 946 Apr 2 2017 /bin/which
/bin/which: POSIX shell script, ASCII text executable
-rwxr-xr-x 1 root root 491072 May 6 2018 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=65d641edbbabe10c2b4106acfb0f4b0773b7d570, stripped
-rwxr-xr-x 1 root root 198728 Sep 3 18:50 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e61025e23eeccb31ae65b8ccfbbda0fd1de80584, stripped
lrwxrwxrwx 1 root root 24 Dec 14 14:22 /usr/bin/readelf -> x86_64-linux-gnu-readelf
-rwxr-xr-x 1 root root 597056 Dec 14 14:22 /usr/bin/x86_64-linux-gnu-readelf
/usr/bin/x86_64-linux-gnu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b445d8e3982f32ed81603705b5ae31b40767024e, stripped
-rwxr-xr-x 1 root root 204448 May 27 2017 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=50742cdcf672f1e2de01c4403762e95ba55dbf80, stripped
$ sudo ./checksec --kernel
* Kernel protection information:
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
Kernel config:
/boot/config-4.9.0-8-amd64
Warning: The config on disk may not represent running kernel config!
Vanilla Kernel ASLR: Full
Protected symlinks: Enabled
Protected hardlinks: Enabled
Ipv4 reverse path filtering: Enabled
Ipv6 reverse path filtering: Disabled
Linux vm 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux
$ sudo ./checksec --debug --kernel
* Kernel protection information:
***function kernelcheck
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
Kernel config:
/boot/config-4.9.0-8-amd64
Warning: The config on disk may not represent running kernel config!
Vanilla Kernel ASLR: Full
Protected symlinks: Enabled
Protected hardlinks: Enabled
Ipv4 reverse path filtering: Enabled
Ipv6 reverse path filtering: Disabled
Could you add please non-zero exit codes when using --file
if there are missing hardening features? That would be useful for using checksec inside automated test suites.
Hi!
There are three places where sysctl is called via /sbin/sysctl
rather than plain sysctl
in the current code. Would you mind changing those calls to sysctl
?
Thanks and best, Sebastian
I am running checksec with debug_report in a minimal linux environment to test dependencies installed in my environment and noticed that if a required binary is not present, debug_report exists with a normal exit code. I am thinking this should exit with a non-zero exist code.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.