Merge pull request #278 from slimm609/remove_old_artifacts
remove old artifacts
slimm609 authored Feb 20, 2025
2 parents f19bf35 + 4f26b8d commit 4a4afb7
Showing 11 changed files with 192 additions and 171 deletions.
2 changes: 0 additions & 2 deletions .gitattributes

This file was deleted.

24 changes: 0 additions & 24 deletions .github/workflows/pull_request.yml

This file was deleted.

11 changes: 11 additions & 0 deletions .goreleaser.yml
Expand Up @@ -3,6 +3,9 @@ project_name: checksec

release:
prerelease: auto
extra_files:
- glob: dist/*.sig
- glob: dist/*.pub

env:
- DOCKER_CLI_EXPERIMENTAL=enabled
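Review bot: The new `extra_files` globs under `release:` (`dist/*.sig`, `dist/*.pub`) depend on files that nothing in the visible hunks creates, and the Makefile's `goreleaser release --clean` removes `dist/` at the start of the run, so signatures placed there beforehand will not survive. Unless a `signs:` block or hook elsewhere in this file writes them during the run, the globs will have nothing to match and the release will go out without the signature the README tells users to verify. Please either generate the signature inside the goreleaser pipeline or point the globs at a directory that `--clean` does not touch.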
Expand All @@ -25,3 +28,11 @@ builds:
goarch:
- amd64
- arm64

sboms:
- id: checksec
documents:
- "${artifact}.spdx.sbom.json"
cmd: syft
args: ["$artifact", "--output", "cyclonedx-json=$document"]
artifacts: binary
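Review bot: The SBOM file name and its contents disagree in the `sboms:` entry: `documents` names the file `${artifact}.spdx.sbom.json`, but the syft `args` request `cyclonedx-json=$document`, so a CycloneDX document is published under an SPDX name. Consumers that pick a parser from the file name will reject it. Either change the output to `spdx-json=$document` or rename the document to something like `${artifact}.cyclonedx.sbom.json`.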
15 changes: 8 additions & 7 deletions Makefile
@@ -1,9 +1,5 @@
SHELL = bash

.PHONY: build
build:
@echo "Building checksec"
./hack/build.sh
VERSION ?= 3.0.1

.PHONY: test
test:
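Review bot: `VERSION ?= 3.0.1` at the top of the Makefile uses conditional assignment, so any `VERSION` already exported in the caller's environment silently replaces it and becomes the tag that `make release` creates. The hard-coded default also has to be bumped by hand in step with the `Version: 3.0.1` line in the README. Consider `VERSION := ...` with an explicit `make release VERSION=x.y.z` override, or failing the `release` target when the value was not passed on the command line.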
Expand All @@ -13,6 +9,11 @@ test:
build-image:
docker build -t slimm609/checksec .

.PHONY: go
go:
.PHONY: build
build:
goreleaser build --snapshot --clean

.PHONY: release
release:
git tag $(VERSION) -m "release of $(VERSION)"
goreleaser release --clean
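Review bot: The `release` recipe is not re-runnable: `git tag $(VERSION) -m ...` runs before `goreleaser release --clean`, so if goreleaser fails the tag is left behind locally and the next `make release` stops at `git tag` because the tag already exists. The tag is also annotated but unsigned (`-m` without `-s`) and is never pushed by this target, which sits oddly next to a release that now publishes signatures and an SBOM. Suggest checking for an existing tag first, signing it, and pushing it explicitly before invoking goreleaser.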
266 changes: 172 additions & 94 deletions README.md
@@ -1,143 +1,221 @@
checksec
========
Checksec checks the properties of executables (like PIE, RELRO, Canaries, ASLR, Fortify Source).
It has been originally written by Tobias Klein and the original source is available here: http://www.trapkit.de/tools/checksec.html. Over time this has expanded in feature set and has now moved from Bash to Golang.

## Bash version entering feature freeze

Checksec is a bash script to check the properties of executables (like PIE, RELRO, Canaries, ASLR, Fortify Source).
It has been originally written by Tobias Klein and the original source is available here: http://www.trapkit.de/tools/checksec.html

Version: 3.0.1

Updates
-------
** Version 2.7.x should be the last version of checksec in bash

Version 3.x will be released as a golang static binary
Checksec was originally released with 1.0 in early 2009 and has been used for validating binary checks of Linux systems for over a decade. Over time as more checks were supported and Linux distributions have changed, this has brought more dependencies into checksec. Adding more and more dependenies to be able to check the security flags of files, it not an ideal solution for systems with minor dependencies including embedded systems, distroless containers, and cross platform checks.
- Feature partial between the bash version and the golang version will be mostly supported.
- Adding support for yaml output
- Removing support for CSV
- JSON and XML will still both be supported
- Much faster results. When checking 694 files in a directory
- bash: real 0m10.348s
- golang: real 0m0.691s
- Adds recursive directory support
TODO:
- [X] Fix Partial RELRO
- [ ] Add fortify file function results
- [ ] Add fortifyProc
- [ ] Add ProcLibs
- [ ] Add selinux checks
- [ ] Add additional kernel flag checks
- [ ] Update and Validate all current tests
- [ ] Enable golint validation
- golang: real 0m0.691s


For OSX
-------
Most of the tools do not work on mach-O binaries or the OSX kernel, so it is not supported

**Cosign Verify Checksec**

`cosign verify-blob --signature checksec_new.sig --certificate checksec_new.pub checksec --certificate-identity=slimm609@gmail.com --certificate-oidc-issuer=https://github.com/login/oauth`
Checksec can scan linux files from OSX however, some checks may be limited due to OS dependencies on resources like glibc.

**Openssl Verify Checksec**
Openssl verification is being deprecated in favor of Cosign Verification, which is backed by a hardware security module and provides a greater level of intergrity.

`openssl dgst -sha256 -verify checksec.pub -signature checksec.sig checksec`

Examples
--------

**normal (or --format=cli)**

$checksec --file=/bin/ls
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /bin/ls

**csv**

$ checksec --output=csv --file=/bin/ls
Partial RELRO,Canary found,NX enabled,No PIE,No RPATH,No RUNPATH,/bin/ls
$checksec file /bin/ls
RELRO Stack Canary NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable Name
Partial RELRO Canary Found NX enabled PIE Enabled No RPATH No RUNPATH No Symbols No 0 14 /bin/ls

**yaml**

$ checksec file /bin/ls --output yaml
- checks:
canary: Canary Found
fortified: "0"
fortify_source: "No"
fortifyable: "14"
nx: NX enabled
pie: PIE Enabled
relro: Partial RELRO
rpath: No RPATH
runpath: No RUNPATH
symbols: No Symbols
name: /bin/ls

**xml**

$ checksec --output=xml --file=/bin/ls
<?xml version="1.0" encoding="UTF-8"?>
<file relro="partial" canary="yes" nx="yes" pie="no" rpath="no" runpath="no" filename='/bin/ls'/>
$ checksec file /bin/ls --output xml
<SecurityCheck>
<Name>/bin/ls</Name>
<Checks>
<Canary>Canary Found</Canary>
<Fortified>0</Fortified>
<FortifyAble>14</FortifyAble>
<FortifySource>No</FortifySource>
<NX>NX enabled</NX>
<PIE>PIE Enabled</PIE>
<Relro>Partial RELRO</Relro>
<RPath>No RPATH</RPath>
<RunPath>No RUNPATH</RunPath>
<Symbols>No Symbols</Symbols>
</Checks>
</SecurityCheck>

**json**

$ checksec --output=json --file=/bin/ls
{ "file": { "relro":"partial","canary":"yes","nx":"yes","pie":"no","rpath":"no","runpath":"no","filename":"/bin/ls" } }
$ checksec file /bin/ls --output json
[
{
"checks": {
"canary": "Canary Found",
"fortified": "0",
"fortify_source": "No",
"fortifyable": "14",
"nx": "NX enabled",
"pie": "PIE Enabled",
"relro": "Partial RELRO",
"rpath": "No RPATH",
"runpath": "No RUNPATH",
"symbols": "No Symbols"
},
"name": "/bin/ls"
}
]

**Fortify test in cli**

$ checksec --fortify-proc=1
* Process name (PID) : init (1)
* FORTIFY_SOURCE support available (libc) : Yes
* Binary compiled with FORTIFY_SOURCE support: Yes

------ EXECUTABLE-FILE ------- . -------- LIBC --------
FORTIFY-able library functions | Checked function names
-------------------------------------------------------
fdelt_chk | __fdelt_chk
read | __read_chk
syslog_chk | __syslog_chk
fprintf_chk | __fprintf_chk
vsnprintf_chk | __vsnprintf_chk
fgets | __fgets_chk
strncpy | __strncpy_chk
snprintf_chk | __snprintf_chk
memset | __memset_chk
strncat_chk | __strncat_chk
memcpy | __memcpy_chk
fread | __fread_chk
sprintf_chk | __sprintf_chk

SUMMARY:

* Number of checked functions in libc : 78
* Total number of library functions in the executable: 116
* Number of FORTIFY-able functions in the executable : 13
* Number of checked functions in the executable : 7
* Number of unchecked functions in the executable : 6
$ checksec fortifyProc 1

_____ _ _ ______ _____ _ __ _____ ______ _____
/ ____| | | | ____/ ____| |/ // ____| ____/ ____|
| | | |__| | |__ | | | ' /| (___ | |__ | |
| | | __ | __|| | | < \___ \| __|| |
| |____| | | | |___| |____| . \ ____) | |___| |____
\_____|_| |_|______\_____|_|\_\_____/|______\_____|

**Kernel test in Cli**

$ checksec --kernel
* Kernel protection information:
* FORTIFY_SOURCE support available (libc): Yes
* Binary compiled with FORTIFY_SOURCE support: No

Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
------ EXECUTABLE-FILE ------- | -------- LIBC --------
Fortifiable library functions | Checked function names
Coming Soon

Kernel config: /proc/config.gz
SUMMARY
* Number of checked functions in libc : 18
* Total number of library functions in the executable: 2011
* Number of Fortifiable functions in the executable : 12
* Number of checked functions in the executable : 0
* Number of unchecked functions in the executable : 12

GCC stack protector support: Enabled
Strict user copy checks: Disabled
Enforce read-only kernel data: Disabled
Restrict /dev/mem access: Enabled
Restrict /dev/kmem access: Enabled

* Kernel Heap Hardening: No KERNHEAP
**Kernel test in Cli**

The KERNHEAP hardening patchset is available here:
https://www.subreption.com/kernheap/
$ checksec kernel

_____ _ _ ______ _____ _ __ _____ ______ _____
/ ____| | | | ____/ ____| |/ // ____| ____/ ____|
| | | |__| | |__ | | | ' /| (___ | |__ | |
| | | __ | __|| | | < \___ \| __|| |
| |____| | | | |___| |____| . \ ____) | |___| |____
\_____|_| |_|______\_____|_|\_\_____/|______\_____|

Kernel configs only print what is supported by the specific kernel/kernel config
Description Value Check Type Config Key
Virtually-mapped kernel stack Disabled Kernel Config CONFIG_VMAP_STACK
Harden str/mem functions Disabled Kernel Config CONFIG_FORTIFY_SOURCE
Restrict Kernel RWX Enabled Kernel Config CONFIG_STRICT_KERNEL_RWX
Restrict /dev/mem access Enabled Kernel Config CONFIG_STRICT_DEVMEM
SELinux Kernel Flag Disabled Kernel Config CONFIG_SECURITY_SELINUX
Emulate privileged access never Disabled Kernel Config CONFIG_ARM64_SW_TTBR0_PAN
Restrict I/O access to /dev/mem Disabled Kernel Config CONFIG_IO_STRICT_DEVMEM
Kernel Heap Randomization Disabled Kernel Config CONFIG_COMPAT_BRK
Stack Protector Strong Disabled Kernel Config CONFIG_STACKPROTECTOR_STRONG
Hardened Usercopy Disabled Kernel Config CONFIG_HARDENED_USERCOPY
Restrict Module RWX Enabled Kernel Config CONFIG_STRICT_MODULE_RWX
Address space layout randomization Disabled Kernel Config CONFIG_RANDOMIZE_BASE
Randomize address of kernel image Disabled Kernel Config CONFIG_RANDOMIZE_BASE
Stack Protector Disabled Kernel Config CONFIG_STACKPROTECTOR
Unmap kernel in userspace (KAISER) Enabled Kernel Config CONFIG_UNMAP_KERNEL_AT_EL0
SLAB freelist randomization Disabled Kernel Config CONFIG_SLAB_FREELIST_RANDOM
SELinux Enabled Disabled SELinux SELinux
Protected symlinks Enabled Sysctl fs.protected_symlinks
Protected hardlinks Enabled Sysctl fs.protected_hardlinks
Ipv4 reverse path filtering Disabled Sysctl net.ipv4.conf.all.rp_filter
YAMA Unknown Sysctl kernel.yama.ptrace_scope
Exec Shield Unknown Sysctl kernel.exec-shield
Unprivileged BPF Disabled Disabled Sysctl kernel.unprivileged_bpf_disabled
Vanilla Kernel ASLR Enabled Sysctl kernel.randomize_va_space
Dmesg Restrictions Enabled Sysctl kernel.dmesg_restrict
Kernel Pointer Restrictions Disabled Sysctl kernel.kptr_restrict
Protected fifos Disabled Sysctl fs.protected_fifos
Protected regular Disabled Sysctl fs.protected_regular
Performance events by normal users Enabled Sysctl kernel.perf_event_paranoid
Disable Autoload TTY Line Disciplines Disabled Sysctl dev.tty.ldisc_autoload
Disable Legacy TIOCSTI Disabled Sysctl dev.tty.legacy_tiocsti


**Kernel Test in XML**

$ checksec --output=xml --kernel
<?xml version="1.0" encoding="UTF-8"?>
<kernel config='/boot/config-3.11-2-amd64' gcc_stack_protector='yes' strict_user_copy_check='no' ro_kernel_data='yes' restrict_dev_mem_access='yes' restrict_dev_kmem_access='no'>
<kernheap config='no' />
</kernel>
$ checksec kernel --output xml
<KernelCheck>
<Name>CONFIG_IO_STRICT_DEVMEM</Name>
<Description>Restrict I/O access to /dev/mem</Description>
<Value>Disabled</Value>
<CheckType>Kernel Config</CheckType>
</KernelCheck>
<KernelCheck>
<Name>CONFIG_STRICT_MODULE_RWX</Name>
<Description>Restrict Module RWX</Description>
<Value>Enabled</Value>
<CheckType>Kernel Config</CheckType>
</KernelCheck>
<KernelCheck>
<Name>CONFIG_SECURITY_SELINUX</Name>
<Description>SELinux Kernel Flag</Description>
<Value>Disabled</Value>
<CheckType>Kernel Config</CheckType>
</KernelCheck>

**Kernel Test in Json**

$ checksec --output=json --kernel
{ "kernel": { "KernelConfig":"/boot/config-3.11-2-amd64","gcc_stack_protector":"yes","strict_user_copy_check":"no","ro_kernel_data":"yes","restrict_dev_mem_access":"yes","restrict_dev_kmem_access":"no" },{ "kernheap_config":"no" } }
$ checksec kernel --output json
[
{
"desc": "Hardened Usercopy",
"name": "CONFIG_HARDENED_USERCOPY",
"type": "Kernel Config",
"value": "Disabled"
},
{
"desc": "Harden str/mem functions",
"name": "CONFIG_FORTIFY_SOURCE",
"type": "Kernel Config",
"value": "Disabled"
},
{
"desc": "Restrict Kernel RWX",
"name": "CONFIG_STRICT_KERNEL_RWX",
"type": "Kernel Config",
"value": "Enabled"
},
{
"desc": "Virtually-mapped kernel stack",
"name": "CONFIG_VMAP_STACK",
"type": "Kernel Config",
"value": "Disabled"
},
{
"desc": "SELinux Kernel Flag",
"name": "CONFIG_SECURITY_SELINUX",
"type": "Kernel Config",
"value": "Disabled"
}
]

Using with Cross-compiled Systems
---------------------------------------
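Review bot: The verification instructions in the "Cosign Verify Checksec" and "Openssl Verify Checksec" paragraphs use file names that do not agree with each other: Cosign is shown with `checksec_new.sig` and `checksec_new.pub`, OpenSSL with `checksec.sig` and `checksec.pub`, and the release config uploads whatever matches `dist/*.sig` and `dist/*.pub`. A reader cannot tell which release assets to download, and passing a file named `.pub` to `--certificate` is confusing because that flag takes a certificate while a bare public key would go to `--key`. Please use the actual asset names in both commands and name the certificate file accordingly. The README also says nothing about the SBOM that the release now produces, and the new text has a few typos worth fixing while here: "dependenies", "intergrity", "it not an ideal solution", and "Feature partial" (presumably "parity").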
3 changes: 1 addition & 2 deletions checksec → checksec.bash
@@ -1,6 +1,5 @@
#!/usr/bin/env bash
# Do not edit this file directly, this file is generated from the files
# in the src directory. Any updates to this file will be overwritten when generated
# This version is no longer maintained/updated and only being kept for historal purposes

# --- Modified Version ---
# Name : checksec.sh
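Review bot: The header comment in the renamed script is out of step with the rename: the new line reads "historal purposes" (should be "historical"), and the unchanged `# Name : checksec.sh` below it matches neither the old path `checksec` nor the new `checksec.bash`. Since the rename frees the `checksec` name for the Go binary, anything that still invokes the old path will now get different output formats and flags, so a note in this header pointing users to the Go version would help.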