slimm609 / checksec.sh Goto Github PK
View Code? Open in Web Editor NEWChecksec.sh
Home Page: https://slimm609.github.io/checksec.sh/
License: Other
checksec.sh's Introduction
checksec.sh's People
Contributors
Stargazers
Watchers
Forkers
n8fear insanitybit dru1d pastcompute kabot ripples-alive bmoar acutebridge angel1111111 jasonhe89 boos besser82 philippedeswert supervirus olivierlemoal m4z3n security-geeks artoria2e5 tmacychen 0xbadca7 glensc seacoastboy zaolin arno01 diggold decept1c0n bactis cor3sm4sh3r 0x13337 mogaika dangilkerson fatenocaster jamesshew guoyunliang 0xbugspray spnow rflaperuta idkwim traxes atimorin boh josh200501 catherinetcai lovebair2022 r2s4x neux7z jmo3 jhong3842 sttscc jogoo carlcj nimdakey kirit1193 timzhang926 jesonfang shuixi2013 rako9000 ch4p34un0ir doduytrung tpruzina bysshe chubbymaggie wdv4758h m00zh33 watermelonmilk leocodefocus konsole512 hardware-forest-utopia iolop fuzzamos bilportistivraboti dbeecham dmilith acidburn0zzz f0829 nefuddos seclib vanhauser-thc chenlilong84 introspelliam genghanqiang rednixon rc-matthew-l-weber jsrj naveenselvan waynebear 5hadowblad3 adf2007 sinkmanu f3real dlat modulexcite cheese philipturnbull mrmugiwara matthew-l-weber 36huo pharazone freegit9527 xabrouckchecksec.sh's Issues
Add the variable for harden_tty in grsec sysctl.
New option with grsecurity-3.1-4.4.2-201602182048.patch, on line 902 you can add:
harden_tty
feature request: add fortified / fortify-able function to --file output
It would be nice to add
- Number of fortified functions in the executable
- Number of FORTIFY-able functions in the executable
in the output of checksec.sh --file , in that way when we will use checksec.sh --file we will have full control of current security measures applied to the binary.
[QUESTION] read -r -d '' PUBKEY appears to result in non-zero exit code.
https://github.com/slimm609/checksec.sh/blob/master/checksec#L91 seems to error out when calling checksec using /bin/bash -xe checksec. Using the -e flag, this is most likely due to a non-zero exit code being returned from this line. If I have time, I will investigate further.
both test scripts fail in 1.7.4
json-checks.sh has a trivial typo (/dev/bull instead of /dev/null).
xml-checks.sh fails for a more serious reason: It seems that a spurious ":" is output near the beginning:
output.xml:2: parser error : Start tag expected, '<' not found
: <proc name='init' pid='1' relro="full" canary="yes" seccomp="no" pax="y
^
Use sysctl to test the settings of grsecurity
Hi,
Actually you use /proc/config.gz for testing grsecurity but the kernel options can be disabled by the user via a sysctl file in "/etc/sysctl.d/".
It would be best to test what is really active on the system.
Thanks, best regards
Here is the list of variables.
sysctl_options_for_grsecurity.txt
[[: readelf: expression recursion level exceeded (error token is "readelf")
Version 1.9 introduced another error:
/usr/bin/checksec: line 342: [[: readelf: expression recursion level exceeded (error token is "readelf")
It happens occasionally with -f and -d options.
Permission denied while running checksec
omt ~ # ./checksec --proc-all
* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)
Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
This, among other things, implies that shared libraries will be loaded to random
addresses. Also for PIE-linked binaries, the location of code start is randomized.
See the kernel file 'Documentation/sysctl/kernel.txt' for more details.
* Does the CPU support NX: Yes
COMMAND PID RELRO STACK CANARY NX/PaX PIE FORTIFY
init 1 Permission denied (please run as root)
omt ~ # whoami
root
Works partially on HardenedBSD
./checksec --fortify-proc 1
./checksec: line 1503: cd: /proc: No such file or directory
(procstat under HardenedBSD and forks)
also throws:
Error: libc not found.
(which is a lie, it's just /lib/libc.so.7 not .6 will fix and make pull request soon for this one)
and one more:
Partial RELRO
it's full RELRO but not detected correctly by script on hbsd
also why RUNPATH/ RPATH is considered a feature option? It's very important value for custom PREFIX used by custom built software for example.
--kernel could scan kernel config in non-standard path
I have one virtual machine where i build some types of kernel.
I'd like to have something like
./checksec --kernel $KERNEL_CONFIG_PATH
If $KERNEL_CONFIG_PATH is empty, then it scan for /usr/src/linux/.config
sysctl not found with an unprivileged user
Hi,
In Debian Jessie sysctl not found with an unprivileged user because /sbin/ is not present for a normal user's $PATHs.
Also remove the condition test for curl because he not integrated by default in some distributions. Use this only if Wget is not present.
Thanks, best regards
Here is the patch:
patch.txt
use official arch docker image
Hi,
I have noticed you are using base/archlinux which is an unofficial user built image. Could you consider using the officially maintained and published variant archlinux/base instead? Yeah the clash of those two names sucks ๐ผ
PS: Please also use pacman -Syu --noconfirm instead of just -Sy as that only updates the database. If you then just install packages with -S without upgrading you technically do a partial upgrade which is not supported by Arch Linux and may result in incompatibilities and failed soname linkage and therefor major breakage.
possible false-positives?
On Debian unstable I am getting some warnings.
Are these false positives and if yes, is there a way to fix them without introducing false-negatives?
no canary in bzip2recover
./checksec --output xml -f /bin/bzip2recover
<?xml version="1.0" encoding="UTF-8"?>
<file relro="partial" canary="no" nx="yes" pie="yes" rpath="no" runpath="no" fortify_source="yes" fortified="5" fortify-able="5" filename='/bin/bzip2recover'/>
claimed false-positive at https://bugs.archlinux.org/task/43231
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x1660
Start of program headers: 64 (bytes into file)
Start of section headers: 12808 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 29
Section header string table index: 28
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 0000000000000238 00000238
000000000000001c 0000000000000000 A 0 0 1
[ 2] .note.ABI-tag NOTE 0000000000000254 00000254
0000000000000020 0000000000000000 A 0 0 4
[ 3] .note.gnu.build-i NOTE 0000000000000274 00000274
0000000000000024 0000000000000000 A 0 0 4
[ 4] .gnu.hash GNU_HASH 0000000000000298 00000298
0000000000000024 0000000000000000 A 5 0 8
[ 5] .dynsym DYNSYM 00000000000002c0 000002c0
00000000000002b8 0000000000000018 A 6 1 8
[ 6] .dynstr STRTAB 0000000000000578 00000578
0000000000000155 0000000000000000 A 0 0 1
[ 7] .gnu.version VERSYM 00000000000006ce 000006ce
000000000000003a 0000000000000002 A 5 0 2
[ 8] .gnu.version_r VERNEED 0000000000000708 00000708
0000000000000030 0000000000000000 A 6 1 8
[ 9] .rela.dyn RELA 0000000000000738 00000738
00000000000000f0 0000000000000018 A 5 0 8
[10] .rela.plt RELA 0000000000000828 00000828
00000000000001f8 0000000000000018 AI 5 24 8
[11] .init PROGBITS 0000000000000a20 00000a20
0000000000000017 0000000000000000 AX 0 0 4
[12] .plt PROGBITS 0000000000000a40 00000a40
0000000000000160 0000000000000010 AX 0 0 16
[13] .plt.got PROGBITS 0000000000000ba0 00000ba0
0000000000000008 0000000000000000 AX 0 0 8
[14] .text PROGBITS 0000000000000bb0 00000bb0
0000000000000ea2 0000000000000000 AX 0 0 16
[15] .fini PROGBITS 0000000000001a54 00001a54
0000000000000009 0000000000000000 AX 0 0 4
[16] .rodata PROGBITS 0000000000001a60 00001a60
000000000000037e 0000000000000000 A 0 0 8
[17] .eh_frame_hdr PROGBITS 0000000000001de0 00001de0
0000000000000074 0000000000000000 A 0 0 4
[18] .eh_frame PROGBITS 0000000000001e58 00001e58
0000000000000234 0000000000000000 A 0 0 8
[19] .init_array INIT_ARRAY 0000000000202dd8 00002dd8
0000000000000008 0000000000000008 WA 0 0 8
[20] .fini_array FINI_ARRAY 0000000000202de0 00002de0
0000000000000008 0000000000000008 WA 0 0 8
[21] .jcr PROGBITS 0000000000202de8 00002de8
0000000000000008 0000000000000000 WA 0 0 8
[22] .dynamic DYNAMIC 0000000000202df0 00002df0
00000000000001e0 0000000000000010 WA 6 0 8
[23] .got PROGBITS 0000000000202fd0 00002fd0
0000000000000030 0000000000000008 WA 0 0 8
[24] .got.plt PROGBITS 0000000000203000 00003000
00000000000000c0 0000000000000008 WA 0 0 8
[25] .data PROGBITS 00000000002030c0 000030c0
0000000000000010 0000000000000000 WA 0 0 8
[26] .bss NOBITS 00000000002030e0 000030d0
00000000001881c0 0000000000000000 WA 0 0 32
[27] .gnu_debuglink PROGBITS 0000000000000000 000030d0
0000000000000034 0000000000000000 0 0 1
[28] .shstrtab STRTAB 0000000000000000 00003104
0000000000000102 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
l (large), p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000001f8 0x00000000000001f8 R E 0x8
INTERP 0x0000000000000238 0x0000000000000238 0x0000000000000238
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x000000000000208c 0x000000000000208c R E 0x200000
LOAD 0x0000000000002dd8 0x0000000000202dd8 0x0000000000202dd8
0x00000000000002f8 0x00000000001884c8 RW 0x200000
DYNAMIC 0x0000000000002df0 0x0000000000202df0 0x0000000000202df0
0x00000000000001e0 0x00000000000001e0 RW 0x8
NOTE 0x0000000000000254 0x0000000000000254 0x0000000000000254
0x0000000000000044 0x0000000000000044 R 0x4
GNU_EH_FRAME 0x0000000000001de0 0x0000000000001de0 0x0000000000001de0
0x0000000000000074 0x0000000000000074 R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x10
GNU_RELRO 0x0000000000002dd8 0x0000000000202dd8 0x0000000000202dd8
0x0000000000000228 0x0000000000000228 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .jcr .dynamic .got .got.plt .data .bss
04 .dynamic
05 .note.ABI-tag .note.gnu.build-id
06 .eh_frame_hdr
07
08 .init_array .fini_array .jcr .dynamic .got
Dynamic section at offset 0x2df0 contains 26 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0xa20
0x000000000000000d (FINI) 0x1a54
0x0000000000000019 (INIT_ARRAY) 0x202dd8
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x202de0
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x298
0x0000000000000005 (STRTAB) 0x578
0x0000000000000006 (SYMTAB) 0x2c0
0x000000000000000a (STRSZ) 341 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x203000
0x0000000000000002 (PLTRELSZ) 504 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x828
0x0000000000000007 (RELA) 0x738
0x0000000000000008 (RELASZ) 240 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000006ffffffb (FLAGS_1) Flags: PIE
0x000000006ffffffe (VERNEED) 0x708
0x000000006fffffff (VERNEEDNUM) 1
0x000000006ffffff0 (VERSYM) 0x6ce
0x000000006ffffff9 (RELACOUNT) 3
0x0000000000000000 (NULL) 0x0
Relocation section '.rela.dyn' at offset 0x738 contains 10 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000202dd8 000000000008 R_X86_64_RELATIVE 1760
000000202de0 000000000008 R_X86_64_RELATIVE 1720
0000002030c8 000000000008 R_X86_64_RELATIVE 2030c8
000000202fd0 000300000006 R_X86_64_GLOB_DAT 0000000000000000 _ITM_deregisterTMClone + 0
000000202fd8 000900000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0
000000202fe0 000b00000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
000000202fe8 001500000006 R_X86_64_GLOB_DAT 0000000000000000 _Jv_RegisterClasses + 0
000000202ff0 001900000006 R_X86_64_GLOB_DAT 0000000000000000 _ITM_registerTMCloneTa + 0
000000202ff8 001a00000006 R_X86_64_GLOB_DAT 0000000000000000 __cxa_finalize@GLIBC_2.2.5 + 0
0000002030e0 001c00000005 R_X86_64_COPY 00000000002030e0 stderr@GLIBC_2.2.5 + 0
Relocation section '.rela.plt' at offset 0x828 contains 21 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000203018 000100000007 R_X86_64_JUMP_SLO 0000000000000000 free@GLIBC_2.2.5 + 0
000000203020 000200000007 R_X86_64_JUMP_SLO 0000000000000000 __errno_location@GLIBC_2.2.5 + 0
000000203028 000400000007 R_X86_64_JUMP_SLO 0000000000000000 fclose@GLIBC_2.2.5 + 0
000000203030 000500000007 R_X86_64_JUMP_SLO 0000000000000000 strlen@GLIBC_2.2.5 + 0
000000203038 000600000007 R_X86_64_JUMP_SLO 0000000000000000 _IO_putc@GLIBC_2.2.5 + 0
000000203040 000700000007 R_X86_64_JUMP_SLO 0000000000000000 strrchr@GLIBC_2.2.5 + 0
000000203048 000800000007 R_X86_64_JUMP_SLO 0000000000000000 close@GLIBC_2.2.5 + 0
000000203050 000a00000007 R_X86_64_JUMP_SLO 0000000000000000 __memcpy_chk@GLIBC_2.3.4 + 0
000000203058 000c00000007 R_X86_64_JUMP_SLO 0000000000000000 fopen64@GLIBC_2.2.5 + 0
000000203060 000d00000007 R_X86_64_JUMP_SLO 0000000000000000 __stpcpy_chk@GLIBC_2.3.4 + 0
000000203068 000e00000007 R_X86_64_JUMP_SLO 0000000000000000 malloc@GLIBC_2.2.5 + 0
000000203070 000f00000007 R_X86_64_JUMP_SLO 0000000000000000 fflush@GLIBC_2.2.5 + 0
000000203078 001000000007 R_X86_64_JUMP_SLO 0000000000000000 _IO_getc@GLIBC_2.2.5 + 0
000000203080 001100000007 R_X86_64_JUMP_SLO 0000000000000000 __strcpy_chk@GLIBC_2.3.4 + 0
000000203088 001200000007 R_X86_64_JUMP_SLO 0000000000000000 fdopen@GLIBC_2.2.5 + 0
000000203090 001300000007 R_X86_64_JUMP_SLO 0000000000000000 open64@GLIBC_2.2.5 + 0
000000203098 001400000007 R_X86_64_JUMP_SLO 0000000000000000 perror@GLIBC_2.2.5 + 0
0000002030a0 001600000007 R_X86_64_JUMP_SLO 0000000000000000 exit@GLIBC_2.2.5 + 0
0000002030a8 001700000007 R_X86_64_JUMP_SLO 0000000000000000 fwrite@GLIBC_2.2.5 + 0
0000002030b0 001800000007 R_X86_64_JUMP_SLO 0000000000000000 __fprintf_chk@GLIBC_2.3.4 + 0
0000002030b8 001b00000007 R_X86_64_JUMP_SLO 0000000000000000 __sprintf_chk@GLIBC_2.3.4 + 0
The decoding of unwind sections for machine type Advanced Micro Devices X86-64 is not currently supported.
Symbol table '.dynsym' contains 29 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 FUNC GLOBAL DEFAULT UND free@GLIBC_2.2.5 (2)
2: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __errno_location@GLIBC_2.2.5 (2)
3: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab
4: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fclose@GLIBC_2.2.5 (2)
5: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strlen@GLIBC_2.2.5 (2)
6: 0000000000000000 0 FUNC GLOBAL DEFAULT UND _IO_putc@GLIBC_2.2.5 (2)
7: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strrchr@GLIBC_2.2.5 (2)
8: 0000000000000000 0 FUNC GLOBAL DEFAULT UND close@GLIBC_2.2.5 (2)
9: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.2.5 (2)
10: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __memcpy_chk@GLIBC_2.3.4 (3)
11: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
12: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fopen64@GLIBC_2.2.5 (2)
13: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __stpcpy_chk@GLIBC_2.3.4 (3)
14: 0000000000000000 0 FUNC GLOBAL DEFAULT UND malloc@GLIBC_2.2.5 (2)
15: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fflush@GLIBC_2.2.5 (2)
16: 0000000000000000 0 FUNC GLOBAL DEFAULT UND _IO_getc@GLIBC_2.2.5 (2)
17: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __strcpy_chk@GLIBC_2.3.4 (3)
18: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fdopen@GLIBC_2.2.5 (2)
19: 0000000000000000 0 FUNC GLOBAL DEFAULT UND open64@GLIBC_2.2.5 (2)
20: 0000000000000000 0 FUNC GLOBAL DEFAULT UND perror@GLIBC_2.2.5 (2)
21: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses
22: 0000000000000000 0 FUNC GLOBAL DEFAULT UND exit@GLIBC_2.2.5 (2)
23: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fwrite@GLIBC_2.2.5 (2)
24: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __fprintf_chk@GLIBC_2.3.4 (3)
25: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
26: 0000000000000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@GLIBC_2.2.5 (2)
27: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __sprintf_chk@GLIBC_2.3.4 (3)
28: 00000000002030e0 8 OBJECT GLOBAL DEFAULT 26 stderr@GLIBC_2.2.5 (2)
Histogram for `.gnu.hash' bucket list length (total of 2 buckets):
Length Number % of total Coverage
0 1 ( 50.0%)
1 1 ( 50.0%) 100.0%
Version symbols section '.gnu.version' contains 29 entries:
Addr: 00000000000006ce Offset: 0x0006ce Link: 5 (.dynsym)
000: 0 (*local*) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 0 (*local*)
004: 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
008: 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 3 (GLIBC_2.3.4) 0 (*local*)
00c: 2 (GLIBC_2.2.5) 3 (GLIBC_2.3.4) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
010: 2 (GLIBC_2.2.5) 3 (GLIBC_2.3.4) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
014: 2 (GLIBC_2.2.5) 0 (*local*) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
018: 3 (GLIBC_2.3.4) 0 (*local*) 2 (GLIBC_2.2.5) 3 (GLIBC_2.3.4)
01c: 2 (GLIBC_2.2.5)
Version needs section '.gnu.version_r' contains 1 entries:
Addr: 0x0000000000000708 Offset: 0x000708 Link: 6 (.dynstr)
000000: Version: 1 File: libc.so.6 Cnt: 2
0x0010: Name: GLIBC_2.3.4 Flags: none Version: 3
0x0020: Name: GLIBC_2.2.5 Flags: none Version: 2
Displaying notes found in: .note.ABI-tag
Owner Data size Description
GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
OS: Linux, ABI: 2.6.32
Displaying notes found in: .note.gnu.build-id
Owner Data size Description
GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)
Build ID: cc3eccbeb2dd5548956f36b7403598d6e22824e5
no canaries and un-fortified libc libraries
When checking a common process, e.g. cron, some libc libraries (e.g. libnsl-2.24.so) are missing a canary and are not fortified, but some are (e.g. libc-2.24.so):
<?xml version="1.0" encoding="UTF-8"?>
<proc name='cron' pid='582' relro="partial" canary="yes" seccomp="no" pax="yes" pie="yes" fortify_source='yes'>
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="0" filename='/lib/x86_64-linux-gnu/ld-2.24.so' />
<file relro="full" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="10" fortify-able="21" filename='/lib/x86_64-linux-gnu/libaudit.so.1.0.0' />
<file relro="partial" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="78" fortify-able="167" filename='/lib/x86_64-linux-gnu/libc-2.24.so' />
<file relro="partial" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="4" fortify-able="7" filename='/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="2" filename='/lib/x86_64-linux-gnu/libdl-2.24.so' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="16" filename='/lib/x86_64-linux-gnu/libnsl-2.24.so' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="4" filename='/lib/x86_64-linux-gnu/libnss_compat-2.24.so' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="5" filename='/lib/x86_64-linux-gnu/libnss_files-2.24.so' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="8" filename='/lib/x86_64-linux-gnu/libnss_nis-2.24.so' />
<file relro="partial" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="5" fortify-able="12" filename='/lib/x86_64-linux-gnu/libpam.so.0.83.1' />
<file relro="full" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="1" fortify-able="4" filename='/lib/x86_64-linux-gnu/libpcre.so.3.13.3' />
<file relro="partial" canary="no" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="no" fortified="0" fortify-able="27" filename='/lib/x86_64-linux-gnu/libpthread-2.24.so' />
<file relro="partial" canary="yes" nx="yes" pie="dso" rpath="no" runpath="no" fortify_source="yes" fortified="9" fortify-able="22" filename='/lib/x86_64-linux-gnu/libselinux.so.1' />
<file relro="partial" canary="yes" nx="yes" pie="yes" rpath="no" runpath="no" fortify_source="yes" fortified="5" fortify-able="10" filename='/usr/sbin/cron' />
</proc>
checksec manpage should be moved to section 1
Fedora man page check failed: https://bugzilla.redhat.com/show_bug.cgi?id=1611199
Section 1 is for man pages for commands. It is better for checksec.
Not working on macOS
Hello,
In README it says that it should work on macOS by installing "binutils", but binutils does not install readelf, which is required by checksec, therefore I get the error "readelf not found! It's required for most checks".
Should it work on macOS?
Thanks
Small text patch for readme
--- to check executable properties like (PIE, RELRO, PaX, Canaries, ASLR, Fortify Source)
+++ to check properties of executables (e.g. ASLR/PIE, RELRO, PaX, Canaries, Fortify Source)
STACKLEAK is a security feature developed by Grsecurity/PaX
Man page implies '--dir' option is recursive
The man page states:
-d or --dir
Recursively checks all executable files in the directory for security features compiled
into the executables
I'm not sure what's meant exactly by this statement, as in my tests, checksec does not check subdirectories recursively. It only checks executables in the directory given. Is this intended behaviour? My expectation was that it would recursively check subdirectories.
stack canary detection does not work with newer GCCs (e.g. 6.3.0)
I noticed that checksec's canary detection does not work on my system (Gentoo with testing packages and gcc 6.3.0). I assume that gcc 6 creates the stack protection code different and thus the detection no longer works.
E.g.:
gcc -fstack-protector-strong test.c -o test1
gcc -fstack-protector test.c -o test2
checksec gives for both test1 and test2 this output:
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 0 test1
eu-readelf support seems a bit off
I run checksec -f on the exact same binary on two different systems. One has readelf, the other has eu-readelf. The one with readelf says PIE enabled, and the one with eu-readelf says DSO. This seems to be because it's running $readelf -d and looking for '(DEBUG)', but eu-readelf doesn't use parentheses, so it would need to look for 'DEBUG' instead.
I also see the function counts from the fortify check (-ff) are doubled for unstripped executables, but that's probably unrelated to eu-readelf.
Rev-2017080801 released without a new version tag
Package maintainers rely on the git tag for recognizing release points. The Arch version is now out of date because this update wasn't tagged.
Thanks for the continued hard work and great project. --Cheers
How updated is the --kernel feature ?
More a question than a issue.
I'm using checksec.sh to evaluate quickly which grsec/pax options are turned on and I'm wondering about which options are checked ?
In other words, is the tool checking all the kernel configuration available with the latest grsecurity/pax patch ?
Resolve use of GNU seq in favor of Bash intrinsics
When running checksec through strace, I can see 80 forks/calls to GNU seq. These forks could be saved by moving to Bash brace expansion. I could imagine a noticeable speed-up. What do you think?
Best, Sebastian
'checksec -d' creates empty file named '755' in chosen dir
$ ls /usr/bin/755
"/usr/bin/755": No such file or directory (os error 2)
$ checksec -d /usr/bin/
...
/usr/local/sbin/checksec: line 291: 755: Permission denied
...
$ sudo checksec -d /usr/bin/
...
$ ls /usr/bin/755
755
some warnings by readelf-2.28
I have binutils-2.28 and checksec-1.7.5, I suppose that the check for the FORTIFY, generates some warnings. You may want to hide it in some way, to restore the better output of checksec.
$ checksec --proc-all
* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)
Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
This, among other things, implies that shared libraries will be loaded to random
addresses. Also for PIE-linked binaries, the location of code start is randomized.
See the kernel file 'Documentation/sysctl/kernel.txt' for more details.
* Does the CPU support NX: Yes
COMMAND PID RELRO STACK CANARY SECCOMP NX/PaX PIE FORTIFY
at-spi-bus-laun 11865 Partial RELRO No canary found No Seccomp NX enabled No PIE No
dbus-daemon 11870 Partial RELRO No canary found No Seccomp NX enabled No PIE Yes
at-spi2-registr 11872 Partial RELRO No canary found No Seccomp NX enabled No PIE Yes
ksysguardd 16408 Partial RELRO No canary found No Seccomp NX enabled No PIE Yes
chrome 16516 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled readelf: Warning: local symbol 3 found at index >= .dynsym's sh_info value of 3
readelf: Warning: local symbol 4 found at index >= .dynsym's sh_info value of 3
need a option for prefix when testing offline filesystems?
When building and testing a filesystem of a embedded system offline, it would be nice to provide a prefix so the script understands to look in a specific folder at a specific libc, etc. I'm not sure of the full impact of adding this option and which checksec options can't be assumed to work offline. Maybe a offline mode with prefix option ? Thoughts? I can definitely create a pull request to support adding the prefix but thought a offline filesystem option might be something else to debate as some features assume you're running this on the executing system.
checksec support for go-lang compiler
Hi,
Is there any support of existing checksec to bins/procs compiled using go-lang. So the flags may not be reflecting in Makefile similar to what gcc uses.
Any suggestions?
Incorrect JSON when invoked on a PID with --proc-libs
Issue
When checksec is invoked on a PID with the --proc-libs option, libraries are nested improperly.
As an example,
{
"proc": {
"name": "rpcbind",
"pid": "948",
"relro": "full",
"canary": "yes",
"seccomp": "no",
"nx": "yes",
"pie": "yes",
"fortify_source": "yes"
}
"file": {
"relro": "partial",
"canary": "no",
"nx": "yes",
"pie": "dso",
"rpath": "no",
"runpath": "no",
"symtables": "no",
"fortify_source": "no",
"fortified": "0",
"fortify-able": "0"
"filename" = "/lib/x86_64-linux-gnu/ld-2.27.so"
"file": {
"relro": "partial",
"canary": "yes",
"nx": "yes",
"pie": "dso",
"rpath": "no",
"runpath": "no",
"symtables": "no",
"fortify_source": "yes",
"fortified": "79",
"fortify-able": "170"
"filename" = "/lib/x86_64-linux-gnu/libc-2.27.so"
"file": {
"relro": "full",
"canary": "yes",
"nx": "yes",
"pie": "dso",
"rpath": "no",
"runpath": "no",
"symtables": "no",
"fortify_source": "yes",
"fortified": "3",
"fortify-able": "4"
"filename" = "/lib/x86_64-linux-gnu/libcom_err.so.2.1"
"file": {
"relro": "partial",
"canary": "yes",
"nx": "yes",
"pie": "dso",
"rpath": "no",
"runpath": "no",
"symtables": "no",
"fortify_source": "yes",
"fortified": "0",
"fortify-able": "2"
"filename" = "/lib/x86_64-linux-gnu/libdl-2.27.so"
"file": {
...Debug Report
***** Checksec debug *****
uid=0(root) gid=0(root) groups=0(root),127(kvm)
Linux xxx 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
checksec version: 1.11.0 -- 2018122701
OS=Ubuntu
VER=18.04
-rwxr-xr-x 1 root root 35064 Jan 18 2018 /bin/cat
/bin/cat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=747e524bc20d33ce25ed4aea108e3025e5c3b78f, stripped
lrwxrwxrwx 1 root root 21 Sep 30 16:56 /usr/bin/awk -> /etc/alternatives/awk
-rwxr-xr-x 1 root root 658072 Feb 11 2018 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c8501e8e996c37ed412a87269b6395bc6afbbebb, stripped
-rwxr-xr-x 1 root root 22600 May 14 2018 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=dc85edfc927eaa77ea0fd0bdc558f687326c55e2, stripped
-rwxr-xr-x 1 root root 35032 Jan 18 2018 /bin/uname
/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2b4b6989bb8cf1061951e98ab1cc8e6130f6aa5c, stripped
-rwxr-xr-x 1 root root 43192 Jan 18 2018 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8258387eab419d6c48de0e1f6d6518eac46dac36, stripped
-rwxr-xr-x 1 root root 650296 Dec 5 10:59 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=06754a7652ec38716fc41ec6f074654ec3b2ed27, stripped
-rwxr-xr-x 1 root root 219528 Jul 12 2017 /bin/grep
/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8fce2b8087b2c31aa35b499f249b01658e5c218b, stripped
-rwxr-xr-x 1 root root 80088 Jan 18 2018 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a8ada86d60f0d5361c99eb114227dea0b8b133b4, stripped
-rwxr-xr-x 1 root root 22792 Jun 13 2018 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=ba74252751fddf2ef1b1d3bd2098c95550eee976, stripped
-rwxr-xr-x 1 root root 238080 Nov 5 2017 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b920f53e0c67a31d8ef07b84b1344f87a0e82d71, stripped
-rwxr-xr-x 1 root root 43224 Jan 18 2018 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f53353500249659d3b82d732445de676de95b24a, stripped
-rwxr-xr-x 1 root root 133432 May 14 2018 /bin/ps
/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=63f6aa9139f4ce7b58275597fcc43babf0146a7a, stripped
-rwxr-xr-x 1 root root 43192 Jan 18 2018 /bin/readlink
/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=427b7c5d8766a0185381c7ad75855d4758030fb2, stripped
-rwxr-xr-x 1 root root 35000 Jan 18 2018 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=cb1bb6b3247280ca512b0443ab48fdcf87e32aef, stripped
-rwxr-xr-x 1 root root 43224 Jan 18 2018 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=cba786491810c0767b2a66ab876bcb7783955cad, stripped
lrwxrwxrwx 1 root root 10 Sep 30 16:56 /usr/bin/which -> /bin/which
-rwxr-xr-x 1 root root 946 Dec 30 2017 /bin/which
/bin/which: POSIX shell script, ASCII text executable
-rwxr-xr-x 1 root root 499264 May 8 2018 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a163624cff1591ed5a6a6f4d77b289ba76e4b61e, stripped
-rwxr-xr-x 1 root root 223304 Oct 29 08:10 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=08ef94c44332a736ebe03f2064729d6ae8e8559a, stripped
lrwxrwxrwx 1 root root 24 Sep 12 11:38 /usr/bin/readelf -> x86_64-linux-gnu-readelf
-rwxr-xr-x 1 root root 596440 Sep 12 11:38 /usr/bin/x86_64-linux-gnu-readelf
/usr/bin/x86_64-linux-gnu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=7dce75907448d6ad1af092c8ee1a3873c04ef494, stripped
*** can not find command eu-readelf
Command run to produce the error
/checksec --output json --proc-libs <pid>
OS version and Kernel version
Ubuntu 18.04, 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Checksec apparmor
Hello,
Small idea to improve this script, as for selinux, apparmor should be part of the checksec -k
fix xmllint errors for proc-all
add xml procs group to not fail xml validation.
Commit "Fix RW-RPATH and RW-RUNPATH logic" causes warnings if RPATH/RUNPATH doesn't exist
Issue
Commit Fix RW-RPATH and RW-RUNPATH logic causes warnings each time when RPATH/RUNPATH doesn't exist in system. Reverting this commit fixes this issue. @lraugusto
Debug Report
***** Checksec debug *****
uid=1000(user) gid=100(users) groups=100(users)
Linux host 4.19.7 #1 SMP PREEMPT
checksec version: 1.10.0 -- 2018120601
OS=Arch Linux
VER=rolling
-rwxr-xr-x 1 root root 38912 Aug 19 11:54 /usr/bin/cat
/usr/bin/cat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=abd59e639d7d2c3e5cea7e89be055917fe906044, stripped
lrwxrwxrwx 1 root root 4 Feb 27 2018 /usr/bin/awk -> gawk
-rwxr-xr-x 2 root root 671584 Feb 27 2018 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=31bc8afd09c9fa30929c72876dea5756442eca2e, stripped
-rwxr-xr-x 1 root root 22360 Jun 1 2018 /usr/bin/sysctl
/usr/bin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2a9b00728f1458714f686bb4dd52e57f832d9780, stripped
-rwxr-xr-x 1 root root 38880 Aug 19 11:54 /usr/bin/uname
/usr/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=bca476f9f043fadbce5ca6446649ee98e779719a, stripped
-rwxr-xr-x 1 root root 42944 Aug 19 11:54 /usr/bin/mktemp
/usr/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=90842803a95b5bb6f8d2e4a03dfd309255328368, stripped
-rwxr-xr-x 1 root root 719768 Nov 20 18:41 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b2df1fa550731d843bff86e468d1e25205f4d5ec, stripped
-rwxr-xr-x 1 root root 170064 Nov 4 03:10 /usr/bin/grep
/usr/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=af4bdaddff69380e14c744f4ddc809473e79aad0, stripped
-rwxr-xr-x 1 root root 79840 Aug 19 11:54 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1d3dab87848cd1d570375465daf8cdf3cd74a18e, stripped
-rwxr-xr-x 1 root root 26704 Oct 20 16:09 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6b7d6a773c767cff63447f3602c3f4923bfa55e4, stripped
-rwxr-xr-x 1 root root 216400 Nov 3 23:36 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8b1b8e2dd522bd895bd1f184c944e6050d7d2d42, stripped
-rwxr-xr-x 1 root root 47072 Aug 19 11:54 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=62e272c1b443f2dbdf9cfdffa55193a9e417fded, stripped
-rwxr-xr-x 1 root root 129088 Jun 1 2018 /usr/bin/ps
/usr/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=864dd7723b4bd8a0cc9d5cac70694312691b4970, stripped
-rwxr-xr-x 1 root root 47040 Aug 19 11:54 /usr/bin/readlink
/usr/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d57b38e892707a648324b93f321c3fc5533fe36e, stripped
-rwxr-xr-x 1 root root 38848 Aug 19 11:54 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f8df7effb62236a819813ef0764886772213339d, stripped
-rwxr-xr-x 1 root root 42976 Aug 19 11:54 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c96bab36239547a627047bbaa64a422ae89e48cd, stripped
-rwxr-xr-x 1 root root 31288 Nov 3 17:33 /usr/bin/which
/usr/bin/which: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=02c822d2f01f85aa78a5ff80c65cb3b505d1c6b6, stripped
-rwxr-xr-x 1 root root 174008 Oct 31 08:22 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=78924b334b3475e2ad76df2476237e1cb65c3ee6, stripped
-rwxr-xr-x 1 root root 608440 Aug 11 17:02 /usr/bin/readelf
/usr/bin/readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=4cb860d9d620096232b6d7064f8cb94f625cee0f, stripped
-rwxr-xr-x 1 root root 256160 Sep 25 22:12 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d5115e2d82dddc9fbd48af519c8348aca3f704ea, stripped
Command run to produce the error
$ sudo pacman -Syu nss
$ checksec --output csv -f /usr/bin/modutil
Full RELRO,Canary found,NX enabled,PIE enabled,stat: cannot stat '$ORIGIN/lib/': No such file or directory
RPATH,No RUNPATH,No SYMTABLES,Yes,7,12,/usr/bin/modutil
OS version and Kernel version
OS: Arch Linux
KERNEL: Linux 4.19.7
Debug output
$ checksec --debug --output csv -f /usr/bin/modutil
***function filecheck
***function filecheck->RELRO
Full RELRO,
***function filecheck->canary
Canary found,
***function filecheck->nx
NX enabled,
***function filecheck->pie
PIE enabled,
***function filecheck->rpath
stat: cannot stat '$ORIGIN/lib/': No such file or directory
RPATH,
***function filecheck->runpath
No RUNPATH,No SYMTABLES,***function filecheck->fortify
Yes,7,12,/usr/bin/modutil
release notifications
Please uncompress man page "checksec.7" in Git
Hi! I noticed that the man page at
https://github.com/slimm609/checksec.sh/blob/master/extras/man/checksec.7.gz
is compressed in Git. I can think of quite a few downsides of that (..) but only a single upside with size of a direct download. On a side note, Linux distros like and do take care of man page compression themselves. Unless I am missing something, I would ask to store the man page uncompressed (and ideally even to have it be generated from AsciiDoc or something).
Thanks and best, S
DEBUG_RODATA and DEBUG_STRICT_USER_COPY_CHECKS no longer exist in newer kernels
Title says it all, DEBUG_RODATA was renamed/split to STRICT_KERNEL_RWX and STRICT_MODULE_RWX.
torvalds/linux@7bb0338
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS got removed as it's not needed.
torvalds/linux@0d025d2
In other news, HARDENED_USERCOPY and HARDENED_USERCOPY_PAGESPAN were added and I do believe they are roughly equivalent to PAXes PAX_USERCOPY.
torvalds/linux@f5509cc
Do you mind updating your shellscript to reflect these?
checksec -d doesn't handle spaces in filename
Issue
Running checksec -d on a directory which contains filenames with spaces fails on them as they are treated as separate files.
Debug Report
***** Checksec debug *****
uid=1000(user) gid=100(users) groups=100(users)
Linux laptop 4.20.0-1 #1 SMP PREEMPT x86_64 GNU/Linux
checksec version: 1.10.0 -- 2018120601
OS=Arch Linux
VER=
-rwxr-xr-x 1 root root 38912 Aug 19 11:54 /usr/bin/cat
/usr/bin/cat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=abd59e639d7d2c3e5cea7e89be055917fe906044, stripped
lrwxrwxrwx 1 root root 4 Feb 27 2018 /usr/bin/awk -> gawk
-rwxr-xr-x 2 root root 671584 Feb 27 2018 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=31bc8afd09c9fa30929c72876dea5756442eca2e, stripped
-rwxr-xr-x 1 root root 22360 Jun 1 2018 /usr/bin/sysctl
/usr/bin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2a9b00728f1458714f686bb4dd52e57f832d9780, stripped
-rwxr-xr-x 1 root root 38880 Aug 19 11:54 /usr/bin/uname
/usr/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=bca476f9f043fadbce5ca6446649ee98e779719a, stripped
-rwxr-xr-x 1 root root 42944 Aug 19 11:54 /usr/bin/mktemp
/usr/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=90842803a95b5bb6f8d2e4a03dfd309255328368, stripped
-rwxr-xr-x 1 root root 719768 Nov 20 18:41 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b2df1fa550731d843bff86e468d1e25205f4d5ec, stripped
-rwxr-xr-x 1 root root 157808 Dec 21 11:14 /usr/bin/grep
/usr/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=efbba1ea6419232c285a239a0bc4cf3608ad7e91, stripped
-rwxr-xr-x 1 root root 79840 Aug 19 11:54 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1d3dab87848cd1d570375465daf8cdf3cd74a18e, stripped
-rwxr-xr-x 1 root root 26704 Oct 20 16:09 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6b7d6a773c767cff63447f3602c3f4923bfa55e4, stripped
-rwxr-xr-x 1 root root 216400 Nov 3 23:36 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8b1b8e2dd522bd895bd1f184c944e6050d7d2d42, stripped
-rwxr-xr-x 1 root root 47072 Aug 19 11:54 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=62e272c1b443f2dbdf9cfdffa55193a9e417fded, stripped
-rwxr-xr-x 1 root root 129088 Jun 1 2018 /usr/bin/ps
/usr/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=864dd7723b4bd8a0cc9d5cac70694312691b4970, stripped
-rwxr-xr-x 1 root root 47040 Aug 19 11:54 /usr/bin/readlink
/usr/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d57b38e892707a648324b93f321c3fc5533fe36e, stripped
-rwxr-xr-x 1 root root 38848 Aug 19 11:54 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f8df7effb62236a819813ef0764886772213339d, stripped
-rwxr-xr-x 1 root root 42976 Aug 19 11:54 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c96bab36239547a627047bbaa64a422ae89e48cd, stripped
-rwxr-xr-x 1 root root 31288 Nov 3 17:33 /usr/bin/which
/usr/bin/which: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=02c822d2f01f85aa78a5ff80c65cb3b505d1c6b6, stripped
-rwxr-xr-x 1 root root 174032 Dec 20 10:50 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b728c9ed78dd59d865704c062ddedd99c7b31d44, stripped
-rwxr-xr-x 1 root root 608480 Dec 26 16:27 /usr/bin/readelf
/usr/bin/readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=90504b06d572f2c441e0a712562319352273fe74, stripped
-rwxr-xr-x 1 root root 256144 Dec 3 22:48 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1656346a6af6c222ab263be36e0ba5d87261cf7c, stripped
Command run to produce the error
$ mkdir test
$ cp /usr/bin/bash test/bash
$ checksec -d test
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable Filename
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols Yes 13 33 test/bash
$ mv test/bash "test/ba sh"
$ checksec -d test
Error: No read permissions for 'test/ba' (run as root).
Error: No read permissions for 'sh' (run as root).
OS version and Kernel version
OS: Arch Linux
Kernel: 4.20
Debug output
checksec --debug -d test
Error: No read permissions for 'test/ba' (run as root).
Error: No read permissions for 'sh' (run as root).
JSON containing multiple root elements generated
Issue
Running checksec with --kernel in my machine generates an invalid JSON, which is as follows:
{
"kernel": {
"KernelConfig": "/boot/config-4.15.0-43-generic",
"randomize_va_space": "full",
"protect_symlinks": "yes",
"protect_hardlinks": "yes",
"ipv4_rpath": "yes",
"ipv6_rpath": "no",
"kernel_heap_randomization": "yes",
"gcc_stack_protector": "yes",
"slab_freelist_randomization": "yes",
"virtually_mapped_stack": "yes",
"restrict_dev_mem_access": "yes",
"restrict_io_dev_mem_access": "no",
"ro_kernel_data": "yes",
"ro_module_data": "yes",
"hardened_usercopy": "yes",
"hardened_usercopy_pagespan": "no",
"fortify_source": "yes",
"restrict_dev_mem_access": "yes",
"restrict_io_dev_mem_access": "no",
"restrict_dev_kmem_access": "yes"
},
"random_address_space_layout": "yes"
}, "selinux": {
"enabled": "no"
}, "grsecurity": {
"grsecurity_config": "no"
}
}A JSON without multiple root elements would be preferably be produced.
Note: Even the JSON present in the README does not pass validation from JSONLint or JSONFormatter
Debug Report
***** Checksec debug *****
uid=0(root) gid=0(root) groups=0(root),127(kvm)
Linux xxxx 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
checksec version: 1.10.0 -- 2018120601
OS=Ubuntu
VER=18.04
-rwxr-xr-x 1 root root 35064 Jan 18 2018 /bin/cat
/bin/cat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=747e524bc20d33ce25ed4aea108e3025e5c3b78f, stripped
lrwxrwxrwx 1 root root 21 Sep 30 16:56 /usr/bin/awk -> /etc/alternatives/awk
-rwxr-xr-x 1 root root 658072 Feb 11 2018 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c8501e8e996c37ed412a87269b6395bc6afbbebb, stripped
-rwxr-xr-x 1 root root 22600 May 14 2018 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=dc85edfc927eaa77ea0fd0bdc558f687326c55e2, stripped
-rwxr-xr-x 1 root root 35032 Jan 18 2018 /bin/uname
/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2b4b6989bb8cf1061951e98ab1cc8e6130f6aa5c, stripped
-rwxr-xr-x 1 root root 43192 Jan 18 2018 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8258387eab419d6c48de0e1f6d6518eac46dac36, stripped
-rwxr-xr-x 1 root root 650296 Dec 5 10:59 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=06754a7652ec38716fc41ec6f074654ec3b2ed27, stripped
-rwxr-xr-x 1 root root 219528 Jul 12 2017 /bin/grep
/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8fce2b8087b2c31aa35b499f249b01658e5c218b, stripped
-rwxr-xr-x 1 root root 80088 Jan 18 2018 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a8ada86d60f0d5361c99eb114227dea0b8b133b4, stripped
-rwxr-xr-x 1 root root 22792 Jun 13 2018 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=ba74252751fddf2ef1b1d3bd2098c95550eee976, stripped
-rwxr-xr-x 1 root root 238080 Nov 5 2017 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b920f53e0c67a31d8ef07b84b1344f87a0e82d71, stripped
-rwxr-xr-x 1 root root 43224 Jan 18 2018 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f53353500249659d3b82d732445de676de95b24a, stripped
-rwxr-xr-x 1 root root 133432 May 14 2018 /bin/ps
/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=63f6aa9139f4ce7b58275597fcc43babf0146a7a, stripped
-rwxr-xr-x 1 root root 43192 Jan 18 2018 /bin/readlink
/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=427b7c5d8766a0185381c7ad75855d4758030fb2, stripped
-rwxr-xr-x 1 root root 35000 Jan 18 2018 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=cb1bb6b3247280ca512b0443ab48fdcf87e32aef, stripped
-rwxr-xr-x 1 root root 43224 Jan 18 2018 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=cba786491810c0767b2a66ab876bcb7783955cad, stripped
lrwxrwxrwx 1 root root 10 Sep 30 16:56 /usr/bin/which -> /bin/which
-rwxr-xr-x 1 root root 946 Dec 30 2017 /bin/which
/bin/which: POSIX shell script, ASCII text executable
-rwxr-xr-x 1 root root 499264 May 8 2018 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a163624cff1591ed5a6a6f4d77b289ba76e4b61e, stripped
-rwxr-xr-x 1 root root 223304 Oct 29 08:10 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=08ef94c44332a736ebe03f2064729d6ae8e8559a, stripped
lrwxrwxrwx 1 root root 24 Sep 12 11:38 /usr/bin/readelf -> x86_64-linux-gnu-readelf
-rwxr-xr-x 1 root root 596440 Sep 12 11:38 /usr/bin/x86_64-linux-gnu-readelf
/usr/bin/x86_64-linux-gnu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=7dce75907448d6ad1af092c8ee1a3873c04ef494, stripped
*** can not find command eu-readelf
Command run to produce the error
sudo ./checksec.sh/checksec --output json --kernel
OS version and Kernel version
Ubuntu 18.04.1 LTS 4.15.0-43-generic
add json validation tests
add json validation tests and fix any json validation errors.
curl should not be mandatory
I guess the curl dependency should not be mandatory because I want to use the script but I never want to update.
Incorectly reported FORTIFY on PPC64 with binutils 2.29
I am using checksec to ensure that Ruby in Fedora is correctly fortified:
$ checksec -f libruby.so.2.4.1 | grep 'Full RELRO.*Canary found.*NX enabled.*DSO.*No RPATH.*No RUNPATH.*Yes.*\d*.*\d*.*libruby.so.2.4.1'
Unfortunately, with binutils 2.29 this check started to fail and this is the output:
$ checksec -f libruby.so.2.4.1
WARNING: 'openssl' not found! It's required for most checks.
WARNING: Not all necessary commands found. Some tests might not work!
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled DSO No RPATH No RUNPATH No 0 0 libruby.so.2.4.1
Apparently, the "FORTIFY" used to be "Yes" on all platforms, while it is "No" for PPC64LE ATM.
And this is the analysis from the Fedora bug I opened [1]:
--- Comment 4 Nick Clifton 2017-08-08 17:29:43 CEST
Right, well I have found the cause, but not a solution. The 2.29 linker for PowerPC is setting some extra symbol information, in order to help optimise run-time performance. (This is related to BZ 14756316, but it is not exactly the same problem).
So, when libruby is built with the 2.28 linker the readelf command run by checksec would see output something like this:
138: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __memmove_chk@GLIBC_2.17 (2)
But when it is built with the 2.29 linker the readelf output looks like this:
257: 0000000000000000 0 FUNC GLOBAL DEFAULT [<localentry>: 8] UND __memmove_chk@GLIBC_2.17 (2)
(This is true regardless of which version of readelf is used).
The problem is that checksec uses an awk script to extract the names of symbols, based upon the field in which they appear, and this field is hardcoded to be field number 8. This works for the 2.28 linked libruby, but not the 2.29 libruby. So the checksec script thinks that no *_chk functions are accessed by the library, and hence that it has not been fortified.
Now I do not think that the linker is wrong in adding this extra information. In fact I think that it may be a requirement of the new ABI that IBM are creating. So I would suggest that the real fix is to update checksec to cope with the new information. Maybe by searching for a symbol name suffixed by an @ symbol for example, instead of replying upon field numbers.
I have not changed the component field of this BZ yet however as I want to see if there are any other suggestions.
Cheers
Nick
--- Comment 5 Nick Clifton 2017-08-08 17:34:26 CEST
Addendum: It occurs to me that one thing I could do is to patch readelf so that this "extra" information is printed at the end of the line, rather than in the middle. That way checksec's awk scanner would resume working. Of course this might potentially break other tools that rely upon the latest format of the output...
Seems it doesn't work well on macOS
I have use the latest version of checksec, but it cannot run on macOS
Add completion to checksec
I cannot use completion to complete statements when using checksec, could you fix it?
fetch bash function security
If security is of the essence here and you are attempting to check the script against a signed signature, should we also not be disabling TLS verification here: https://github.com/slimm609/checksec.sh/blob/master/checksec#L110-L122
Requesting releases and drop of ".sh" extension
Hi!
My understanding is that yours is the most active successor to the original checksec.sh 1.5.
I believe checksec.sh should go into Linux distributions at some point as a proper package.
To make that smoother I would ask to
- get rid of the
.shextension, since that looks wierd in a ``$PATH` folder - start making release tags
Then updating process may need changes then, which you know best.
If .sh needs to stay alive to not break updates of existing installations, maybe a simple Automake-based build system installing checksec.sh as checksec would be cool.
What do you think?
Shellcheck test report
Hi!
There is a nice tool called Shellcheck to statically analyze shell scripts. I performed simple test and it shows many potential issues. If you are interested you can look at the report or perform test yourself.
https://www.shellcheck.net/
shellecheck_test.txt
spelling "checksec.sh" versus "checksec" in the README.md
when did the suffix vanished?
Run test suite for each push/PR in Travis CI?
Hi!
I recently made (Bash tool) porticron run its BATS test suite in Travis CI. I could imagine it is of interest to you with ./tests/test-checksec.sh as well.
Best, Sebastian
Bad info in --kernel on CentOS
Issue
Running checksec with --kernel on CentOS pollutes the output with errors for missing files:
sudo src/ossec/scripts/checksec.sh/checksec --kernel
* Kernel protection information:
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
Kernel config:
/boot/config-2.6.32-754.9.1.el6.x86_64
Warning: The config on disk may not represent running kernel config!
Vanilla Kernel ASLR: Full
Protected symlinks: Disabled
Protected hardlinks: Disabled
Ipv4 reverse path filtering: Enabled
Ipv6 reverse path filtering: Disabled
Kernel heap randomization: Enabled
GCC stack protector support: Enabled
Enforce read-only kernel data: Enabled
Enforce read-only module data: Disabled
Exec Shield: Disabled
Restrict /dev/kmem access: Enabled
* X86 only:
* SELinux: Enforcing
Checkreqprot: cat: /sys/fs/selinux/checkreqprot: No such file or directory
Disabled
Deny Unknown: cat: /sys/fs/selinux/deny_unknown: No such file or directory
Disabled
* grsecurity / PaX: No GRKERNSEC
The grsecurity / PaX patchset is available here:
http://grsecurity.net/
Likewise, the respective JSON is broken:
{ "kernel": { "KernelConfig":"/boot/config-2.6.32-754.9.1.el6.x86_64","randomize_va_space":"full","protect_symlinks":"no","protect_hardlinks":"no","ipv4_rpath":"yes","ipv6_rpath":"no","kernel_heap_randomization":"yes","gcc_stack_protector":"yes","ro_kernel_data":"yes","ro_module_data":"no","restrict_dev_kmem_access":"yes",},"selinux":{ "enabled":"yes", "mode":"enforcing"cat: /sys/fs/selinux/checkreqprot: No such file or direc
tory , "checkreqprot":"no"cat: /sys/fs/selinux/deny_unknown: No such file or directory
, "deny_unknown":"no" },"grsecurity": { "grsecurity_config":"no" } }Debug Report
***** Checksec debug *****
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Linux xxx 2.6.32-754.9.1.el6.x86_64 #1 SMP Thu Dec 6 08:02:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
checksec version: 1.11.0 -- 2018122701
OS=CentOS release 6.10 (Final)
VER=2.6.32-754.9.1.el6.x86_64
-rwxr-xr-x. 1 root root 48568 Jun 19 2018 /bin/cat
/bin/cat: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
lrwxrwxrwx. 1 root root 4 Dec 10 19:10 /bin/awk -> gawk
-rwxr-xr-x. 1 root root 382752 Nov 10 2015 /bin/gawk
/bin/gawk: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 19376 Jun 1 2018 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 27776 Jun 19 2018 /bin/uname
/bin/uname: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 38048 Jun 19 2018 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 548184 Mar 22 2017 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 167840 Mar 22 2017 /bin/grep
/bin/grep: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 50984 Jun 19 2018 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 19784 May 10 2016 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 239000 Mar 1 2016 /bin/find
/bin/find: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 36136 Jun 19 2018 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 89504 Jun 1 2018 /bin/ps
/bin/ps: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 40056 Jun 19 2018 /bin/readlink
/bin/readlink: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 26264 Jun 19 2018 /bin/basename
/bin/basename: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 32720 Jun 19 2018 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 25528 Sep 23 2011 /usr/bin/which
/usr/bin/which: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 366848 Mar 21 2017 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 134504 Apr 3 2017 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 303440 Jun 19 2018 /usr/bin/readelf
/usr/bin/readelf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
-rwxr-xr-x. 1 root root 178616 May 10 2016 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
Command run to produce the error
Running checksec --kernel in Centos6 should suffice.
OS version and Kernel version
centos6 2.6.32-754.9.1.el6.x86_64 #1 SMP Thu Dec 6 08:02:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Debug output
Same as --kerel output.
/proc/sys/net/ipv6/conf/all/rp_filter does not exist
Issue
checksec uses sysctl to check the value of /proc/sys/net/ipv6/conf/all/rp_filter. However, only /proc/sys/net/ipv4/conf/all/rp_filter exists - there is no such thing as an rp_filter kernel parameter for IPv6.
See also:
https://cansecwest.com/csw12/conntrack-attack.pdf#page=94
Debug Report
$ ./checksec --debug_report
***** Checksec debug *****
uid=1000(vm) gid=1000(vm) groups=1000(vm),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)
Linux vm 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux
checksec version: 1.10.0 -- 2018120601
OS=Debian GNU/Linux
VER=9
-rwxr-xr-x 1 root root 35688 Feb 22 2017 /bin/cat
/bin/cat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8a5ac6fc8d1a22b34798b7896be48428086d5df1, stripped
lrwxrwxrwx 1 root root 21 Jul 13 13:41 /usr/bin/awk -> /etc/alternatives/awk
-rwxr-xr-x 1 root root 121976 Mar 23 2012 /usr/bin/mawk
/usr/bin/mawk: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1e84b07571ac879b843266c79c5c2c05626f5e7e, stripped
-rwxr-xr-x 1 root root 22600 May 17 2018 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=7bd2da33837a4e9520db7316e19bd04c16c3b025, stripped
-rwxr-xr-x 1 root root 35592 Feb 22 2017 /bin/uname
/bin/uname: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9a7f13d1496fdfba6e01816f91ba2e4bc5eda66a, stripped
-rwxr-xr-x 1 root root 43912 Feb 22 2017 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=cec0dfe524eadbf9dcbb1d0bd8f83b7f8e6ff5ba, stripped
-rwxr-xr-x 1 root root 651880 Mar 29 2018 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=0c4249e27df8296c67806646931c018354f8fc16, stripped
-rwxr-xr-x 1 root root 215360 Jan 23 2017 /bin/grep
/bin/grep: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=0b72a4b88afe6711c7154541e1f002331041c71f, stripped
-rwxr-xr-x 1 root root 85096 Feb 22 2017 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f9db89b81b1505176af32d8c13e34c770ee0b459, stripped
-rwxr-xr-x 1 root root 22792 Jun 11 2018 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=833d99e1b8d7884dc6b1cfb142ba3034b1bf6968, stripped
-rwxr-xr-x 1 root root 221768 Feb 18 2017 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=7079a38abca5fb9d188cc66bb15fbec5e98f0f00, stripped
-rwxr-xr-x 1 root root 43848 Feb 22 2017 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d37253992564bafb79e0c8af798e0fab5b728066, stripped
-rwxr-xr-x 1 root root 129336 May 17 2018 /bin/ps
/bin/ps: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=91389d6ef35c87b7fd9ac60df95cb1986ae15b71, stripped
-rwxr-xr-x 1 root root 43816 Feb 22 2017 /bin/readlink
/bin/readlink: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4505da392d1f523c8c73bb9ed0138c0d4d085ab5, stripped
-rwxr-xr-x 1 root root 31464 Feb 22 2017 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f138d7ef0a8acf88bda17dbe4c6583e0e882a08e, stripped
-rwxr-xr-x 1 root root 43944 Feb 22 2017 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=dd8a6756f63270ea0c6a15c47d82c30e30fb8096, stripped
lrwxrwxrwx 1 root root 10 Jul 13 13:41 /usr/bin/which -> /bin/which
-rwxr-xr-x 1 root root 946 Apr 2 2017 /bin/which
/bin/which: POSIX shell script, ASCII text executable
-rwxr-xr-x 1 root root 491072 May 6 2018 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=65d641edbbabe10c2b4106acfb0f4b0773b7d570, stripped
-rwxr-xr-x 1 root root 198728 Sep 3 18:50 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e61025e23eeccb31ae65b8ccfbbda0fd1de80584, stripped
lrwxrwxrwx 1 root root 24 Dec 14 14:22 /usr/bin/readelf -> x86_64-linux-gnu-readelf
-rwxr-xr-x 1 root root 597056 Dec 14 14:22 /usr/bin/x86_64-linux-gnu-readelf
/usr/bin/x86_64-linux-gnu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b445d8e3982f32ed81603705b5ae31b40767024e, stripped
-rwxr-xr-x 1 root root 204448 May 27 2017 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=50742cdcf672f1e2de01c4403762e95ba55dbf80, stripped
Command run to produce the error
$ sudo ./checksec --kernel
* Kernel protection information:
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
Kernel config:
/boot/config-4.9.0-8-amd64
Warning: The config on disk may not represent running kernel config!
Vanilla Kernel ASLR: Full
Protected symlinks: Enabled
Protected hardlinks: Enabled
Ipv4 reverse path filtering: Enabled
Ipv6 reverse path filtering: Disabled
OS version and Kernel version
Linux vm 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux
Debug output
$ sudo ./checksec --debug --kernel
* Kernel protection information:
***function kernelcheck
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
Kernel config:
/boot/config-4.9.0-8-amd64
Warning: The config on disk may not represent running kernel config!
Vanilla Kernel ASLR: Full
Protected symlinks: Enabled
Protected hardlinks: Enabled
Ipv4 reverse path filtering: Enabled
Ipv6 reverse path filtering: Disabled
--file: non-zero exit code on missing hardening features
Could you add please non-zero exit codes when using --file if there are missing hardening features? That would be useful for using checksec inside automated test suites.
sysctl is at /usr/sbin/sysctl (rather than /sbin/sysctl) in some distros
Hi!
There are three places where sysctl is called via /sbin/sysctl rather than plain sysctl in the current code. Would you mind changing those calls to sysctl?
Thanks and best, Sebastian
debug_report lack of meaningful exit code
I am running checksec with debug_report in a minimal linux environment to test dependencies installed in my environment and noticed that if a required binary is not present, debug_report exists with a normal exit code. I am thinking this should exit with a non-zero exist code.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.