diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index 7e2da94..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1,2 +0,0 @@
-*.sh eol=lf
-checksec eol=lf
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
deleted file mode 100644
index c269ebb..0000000
--- a/.github/workflows/pull_request.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: docker image test
-on: pull_request
-jobs:
- test:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - name: render-checksec
- run: |
- pip install pre-commit
- mkdir ${HOME}/bin
- curl -Lo ${HOME}/bin/shfmt https://github.com/mvdan/sh/releases/download/v3.8.0/shfmt_v3.8.0_linux_amd64
- chmod +x ${HOME}/bin/shfmt
- export PATH=${PATH}:${HOME}/bin
- pre-commit run --all-files
- git status
- if [[ ! -z $(git status --porcelain) ]]; then
- echo "source file differs, checksec needs build"
- exit 1
- fi
- - name: Checksec tests
- run: |
- docker build -t checksec:test -f Dockerfile.ubuntu .
- docker run -t checksec:test tests/test-checksec.sh
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 4a4d140..4285756 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -3,6 +3,9 @@ project_name: checksec
release:
prerelease: auto
+ extra_files:
+ - glob: dist/*.sig
+ - glob: dist/*.pub
env:
- DOCKER_CLI_EXPERIMENTAL=enabled
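Review bot: The new `extra_files` globs `dist/*.sig` and `dist/*.pub` assume something writes those files into `dist/`, but no `signs:` section is visible in this diff, and the checked-in `checksec.sig`, `checksec.pub` and `checksec_new.*` files are deleted further down this page; unless a signing step exists outside this hunk the globs match nothing and the release ships without signatures. The README hunk on this page also drops the `cosign verify-blob ...` instructions, so consumers would be left with published signatures but no documented way to check them. Suggest either adding a `signs:` block that emits exactly these files (and keeping a short verification example in the README), or removing the globs so the config does not promise artifacts it does not produce.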
@@ -25,3 +28,11 @@ builds:
goarch:
- amd64
- arm64
+
+sboms:
+- id: checksec
+ documents:
+ - "${artifact}.spdx.sbom.json"
+ cmd: syft
+ args: ["$artifact", "--output", "cyclonedx-json=$document"]
+ artifacts: binary
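Review bot: The SBOM document name and its format disagree: `documents` names the file `${artifact}.spdx.sbom.json` while `args` asks syft for `cyclonedx-json=$document`, so a file labelled SPDX will contain CycloneDX JSON, and tools that pick the parser from the filename will reject or misread it. Pick one: either `args: ["$artifact", "--output", "spdx-json=$document"]` or rename the document to `"${artifact}.cyclonedx.sbom.json"`. From what is visible nothing signs the SBOM alongside the binary, so its integrity cannot be verified by consumers; confirm whether a `signs:` block elsewhere in the file covers SBOM artifacts.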
diff --git a/Makefile b/Makefile
index 493e847..37e9990 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,5 @@
SHELL = bash
-
-.PHONY: build
-build:
- @echo "Building checksec"
- ./hack/build.sh
+VERSION ?= 3.0.1
.PHONY: test
test:
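Review bot: `VERSION ?= 3.0.1` hard-codes a value that has to be kept in sync by hand with `Version: 3.0.1` in the README hunk on this page, and once 3.0.1 is tagged the `release` target in the next hunk fails at `git tag` for anyone who runs `make release` without overriding it, because the tag already exists. Prefer no default and a fail-fast check as the first recipe line of `release`: `$(if $(strip $(VERSION)),,$(error VERSION is not set; run: make release VERSION=<next-version>))`. If a default is wanted, derive it from the last tag with `git describe --tags --abbrev=0` and comment that it is the previous release, not the next one.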
@@ -13,6 +9,11 @@ test:
build-image:
docker build -t slimm609/checksec .
-.PHONY: go
-go:
+.PHONY: build
+build:
goreleaser build --snapshot --clean
+
+.PHONY: release
+release:
+ git tag $(VERSION) -m "release of $(VERSION)"
+ goreleaser release --clean
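Review bot: The `release` recipe creates the tag locally and unsigned and never pushes it before `goreleaser release --clean`; goreleaser, as far as I recall, needs the tagged commit to be reachable on the remote to create the release, so confirm that and, if so, add `git push origin $(VERSION)` between the two lines. Since the project publishes cosign signatures for its binaries, creating the tag with `git tag -s $(VERSION) -m "release of $(VERSION)"` would let the release be traced back to a signed tag as well. Each recipe line runs in its own shell, but make stops at the first failing line, so a refused tag will not trigger the release step, which is the behaviour you want here.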
diff --git a/README.md b/README.md
index c08dd05..1474088 100644
--- a/README.md
+++ b/README.md
@@ -1,17 +1,12 @@
checksec
========
+Checksec checks the properties of executables (like PIE, RELRO, Canaries, ASLR, Fortify Source).
+It has been originally written by Tobias Klein and the original source is available here: http://www.trapkit.de/tools/checksec.html. Over time this has expanded in feature set and has now moved from Bash to Golang.
-## Bash version entering feature freeze
-
-Checksec is a bash script to check the properties of executables (like PIE, RELRO, Canaries, ASLR, Fortify Source).
-It has been originally written by Tobias Klein and the original source is available here: http://www.trapkit.de/tools/checksec.html
-
+Version: 3.0.1
Updates
-------
- ** Version 2.7.x should be the last version of checksec in bash
-
- Version 3.x will be released as a golang static binary
Checksec was originally released with 1.0 in early 2009 and has been used for validating binary checks of Linux systems for over a decade. Over time as more checks were supported and Linux distributions have changed, this has brought more dependencies into checksec. Adding more and more dependenies to be able to check the security flags of files, it not an ideal solution for systems with minor dependencies including embedded systems, distroless containers, and cross platform checks.
- Feature partial between the bash version and the golang version will be mostly supported.
- Adding support for yaml output
@@ -19,125 +14,208 @@ Updates
- JSON and XML will still both be supported
- Much faster results. When checking 694 files in a directory
- bash: real 0m10.348s
- - golang: real 0m0.691s
- - Adds recursive directory support
- TODO:
- - [X] Fix Partial RELRO
- - [ ] Add fortify file function results
- - [ ] Add fortifyProc
- - [ ] Add ProcLibs
- - [ ] Add selinux checks
- - [ ] Add additional kernel flag checks
- - [ ] Update and Validate all current tests
- - [ ] Enable golint validation
+ - golang: real 0m0.691s
+
For OSX
-------
- Most of the tools do not work on mach-O binaries or the OSX kernel, so it is not supported
-
-**Cosign Verify Checksec**
-
-`cosign verify-blob --signature checksec_new.sig --certificate checksec_new.pub checksec --certificate-identity=slimm609@gmail.com --certificate-oidc-issuer=https://github.com/login/oauth`
+Checksec can scan linux files from OSX however, some checks may be limited due to OS dependencies on resources like glibc.
-**Openssl Verify Checksec**
-Openssl verification is being deprecated in favor of Cosign Verification, which is backed by a hardware security module and provides a greater level of intergrity.
-
-`openssl dgst -sha256 -verify checksec.pub -signature checksec.sig checksec`
Examples
--------
**normal (or --format=cli)**
- $checksec --file=/bin/ls
- RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
- Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /bin/ls
-
-**csv**
-
- $ checksec --output=csv --file=/bin/ls
- Partial RELRO,Canary found,NX enabled,No PIE,No RPATH,No RUNPATH,/bin/ls
+ $checksec file /bin/ls
+ RELRO Stack Canary NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable Name
+ Partial RELRO Canary Found NX enabled PIE Enabled No RPATH No RUNPATH No Symbols No 0 14 /bin/ls
+
+**yaml**
+
+ $ checksec file /bin/ls --output yaml
+ - checks:
+ canary: Canary Found
+ fortified: "0"
+ fortify_source: "No"
+ fortifyable: "14"
+ nx: NX enabled
+ pie: PIE Enabled
+ relro: Partial RELRO
+ rpath: No RPATH
+ runpath: No RUNPATH
+ symbols: No Symbols
+ name: /bin/ls
**xml**
- $ checksec --output=xml --file=/bin/ls
-
-
+ $ checksec file /bin/ls --output xml
+
+ /bin/ls
+
+ Canary Found
+ 0
+ 14
+ No
+ NX enabled
+ PIE Enabled
+ Partial RELRO
+ No RPATH
+ No RUNPATH
+ No Symbols
+
+
**json**
- $ checksec --output=json --file=/bin/ls
- { "file": { "relro":"partial","canary":"yes","nx":"yes","pie":"no","rpath":"no","runpath":"no","filename":"/bin/ls" } }
+ $ checksec file /bin/ls --output json
+ [
+ {
+ "checks": {
+ "canary": "Canary Found",
+ "fortified": "0",
+ "fortify_source": "No",
+ "fortifyable": "14",
+ "nx": "NX enabled",
+ "pie": "PIE Enabled",
+ "relro": "Partial RELRO",
+ "rpath": "No RPATH",
+ "runpath": "No RUNPATH",
+ "symbols": "No Symbols"
+ },
+ "name": "/bin/ls"
+ }
+ ]
**Fortify test in cli**
- $ checksec --fortify-proc=1
- * Process name (PID) : init (1)
- * FORTIFY_SOURCE support available (libc) : Yes
- * Binary compiled with FORTIFY_SOURCE support: Yes
-
- ------ EXECUTABLE-FILE ------- . -------- LIBC --------
- FORTIFY-able library functions | Checked function names
- -------------------------------------------------------
- fdelt_chk | __fdelt_chk
- read | __read_chk
- syslog_chk | __syslog_chk
- fprintf_chk | __fprintf_chk
- vsnprintf_chk | __vsnprintf_chk
- fgets | __fgets_chk
- strncpy | __strncpy_chk
- snprintf_chk | __snprintf_chk
- memset | __memset_chk
- strncat_chk | __strncat_chk
- memcpy | __memcpy_chk
- fread | __fread_chk
- sprintf_chk | __sprintf_chk
-
- SUMMARY:
-
- * Number of checked functions in libc : 78
- * Total number of library functions in the executable: 116
- * Number of FORTIFY-able functions in the executable : 13
- * Number of checked functions in the executable : 7
- * Number of unchecked functions in the executable : 6
+ $ checksec fortifyProc 1
+ _____ _ _ ______ _____ _ __ _____ ______ _____
+ / ____| | | | ____/ ____| |/ // ____| ____/ ____|
+ | | | |__| | |__ | | | ' /| (___ | |__ | |
+ | | | __ | __|| | | < \___ \| __|| |
+ | |____| | | | |___| |____| . \ ____) | |___| |____
+ \_____|_| |_|______\_____|_|\_\_____/|______\_____|
-**Kernel test in Cli**
-
- $ checksec --kernel
- * Kernel protection information:
+ * FORTIFY_SOURCE support available (libc): Yes
+ * Binary compiled with FORTIFY_SOURCE support: No
- Description - List the status of kernel protection mechanisms. Rather than
- inspect kernel mechanisms that may aid in the prevention of exploitation of
- userspace processes, this option lists the status of kernel configuration
- options that harden the kernel itself against attack.
+ ------ EXECUTABLE-FILE ------- | -------- LIBC --------
+ Fortifiable library functions | Checked function names
+ Coming Soon
- Kernel config: /proc/config.gz
+ SUMMARY
+ * Number of checked functions in libc : 18
+ * Total number of library functions in the executable: 2011
+ * Number of Fortifiable functions in the executable : 12
+ * Number of checked functions in the executable : 0
+ * Number of unchecked functions in the executable : 12
- GCC stack protector support: Enabled
- Strict user copy checks: Disabled
- Enforce read-only kernel data: Disabled
- Restrict /dev/mem access: Enabled
- Restrict /dev/kmem access: Enabled
- * Kernel Heap Hardening: No KERNHEAP
+**Kernel test in Cli**
- The KERNHEAP hardening patchset is available here:
- https://www.subreption.com/kernheap/
+ $ checksec kernel
+
+ _____ _ _ ______ _____ _ __ _____ ______ _____
+ / ____| | | | ____/ ____| |/ // ____| ____/ ____|
+ | | | |__| | |__ | | | ' /| (___ | |__ | |
+ | | | __ | __|| | | < \___ \| __|| |
+ | |____| | | | |___| |____| . \ ____) | |___| |____
+ \_____|_| |_|______\_____|_|\_\_____/|______\_____|
+
+ Kernel configs only print what is supported by the specific kernel/kernel config
+ Description Value Check Type Config Key
+ Virtually-mapped kernel stack Disabled Kernel Config CONFIG_VMAP_STACK
+ Harden str/mem functions Disabled Kernel Config CONFIG_FORTIFY_SOURCE
+ Restrict Kernel RWX Enabled Kernel Config CONFIG_STRICT_KERNEL_RWX
+ Restrict /dev/mem access Enabled Kernel Config CONFIG_STRICT_DEVMEM
+ SELinux Kernel Flag Disabled Kernel Config CONFIG_SECURITY_SELINUX
+ Emulate privileged access never Disabled Kernel Config CONFIG_ARM64_SW_TTBR0_PAN
+ Restrict I/O access to /dev/mem Disabled Kernel Config CONFIG_IO_STRICT_DEVMEM
+ Kernel Heap Randomization Disabled Kernel Config CONFIG_COMPAT_BRK
+ Stack Protector Strong Disabled Kernel Config CONFIG_STACKPROTECTOR_STRONG
+ Hardened Usercopy Disabled Kernel Config CONFIG_HARDENED_USERCOPY
+ Restrict Module RWX Enabled Kernel Config CONFIG_STRICT_MODULE_RWX
+ Address space layout randomization Disabled Kernel Config CONFIG_RANDOMIZE_BASE
+ Randomize address of kernel image Disabled Kernel Config CONFIG_RANDOMIZE_BASE
+ Stack Protector Disabled Kernel Config CONFIG_STACKPROTECTOR
+ Unmap kernel in userspace (KAISER) Enabled Kernel Config CONFIG_UNMAP_KERNEL_AT_EL0
+ SLAB freelist randomization Disabled Kernel Config CONFIG_SLAB_FREELIST_RANDOM
+ SELinux Enabled Disabled SELinux SELinux
+ Protected symlinks Enabled Sysctl fs.protected_symlinks
+ Protected hardlinks Enabled Sysctl fs.protected_hardlinks
+ Ipv4 reverse path filtering Disabled Sysctl net.ipv4.conf.all.rp_filter
+ YAMA Unknown Sysctl kernel.yama.ptrace_scope
+ Exec Shield Unknown Sysctl kernel.exec-shield
+ Unprivileged BPF Disabled Disabled Sysctl kernel.unprivileged_bpf_disabled
+ Vanilla Kernel ASLR Enabled Sysctl kernel.randomize_va_space
+ Dmesg Restrictions Enabled Sysctl kernel.dmesg_restrict
+ Kernel Pointer Restrictions Disabled Sysctl kernel.kptr_restrict
+ Protected fifos Disabled Sysctl fs.protected_fifos
+ Protected regular Disabled Sysctl fs.protected_regular
+ Performance events by normal users Enabled Sysctl kernel.perf_event_paranoid
+ Disable Autoload TTY Line Disciplines Disabled Sysctl dev.tty.ldisc_autoload
+ Disable Legacy TIOCSTI Disabled Sysctl dev.tty.legacy_tiocsti
**Kernel Test in XML**
- $ checksec --output=xml --kernel
-
-
-
-
+ $ checksec kernel --output xml
+
+ CONFIG_IO_STRICT_DEVMEM
+ Restrict I/O access to /dev/mem
+ Disabled
+ Kernel Config
+
+
+ CONFIG_STRICT_MODULE_RWX
+ Restrict Module RWX
+ Enabled
+ Kernel Config
+
+
+ CONFIG_SECURITY_SELINUX
+ SELinux Kernel Flag
+ Disabled
+ Kernel Config
+
**Kernel Test in Json**
- $ checksec --output=json --kernel
- { "kernel": { "KernelConfig":"/boot/config-3.11-2-amd64","gcc_stack_protector":"yes","strict_user_copy_check":"no","ro_kernel_data":"yes","restrict_dev_mem_access":"yes","restrict_dev_kmem_access":"no" },{ "kernheap_config":"no" } }
+ $ checksec kernel --output json
+ [
+ {
+ "desc": "Hardened Usercopy",
+ "name": "CONFIG_HARDENED_USERCOPY",
+ "type": "Kernel Config",
+ "value": "Disabled"
+ },
+ {
+ "desc": "Harden str/mem functions",
+ "name": "CONFIG_FORTIFY_SOURCE",
+ "type": "Kernel Config",
+ "value": "Disabled"
+ },
+ {
+ "desc": "Restrict Kernel RWX",
+ "name": "CONFIG_STRICT_KERNEL_RWX",
+ "type": "Kernel Config",
+ "value": "Enabled"
+ },
+ {
+ "desc": "Virtually-mapped kernel stack",
+ "name": "CONFIG_VMAP_STACK",
+ "type": "Kernel Config",
+ "value": "Disabled"
+ },
+ {
+ "desc": "SELinux Kernel Flag",
+ "name": "CONFIG_SECURITY_SELINUX",
+ "type": "Kernel Config",
+ "value": "Disabled"
+ }
+ ]
Using with Cross-compiled Systems
---------------------------------------
diff --git a/checksec b/checksec.bash
similarity index 99%
rename from checksec
rename to checksec.bash
index 6ba1120..498e83b 100755
--- a/checksec
+++ b/checksec.bash
@@ -1,6 +1,5 @@
#!/usr/bin/env bash
-# Do not edit this file directly, this file is generated from the files
-# in the src directory. Any updates to this file will be overwritten when generated
+# This version is no longer maintained/updated and only being kept for historal purposes
# --- Modified Version ---
# Name : checksec.sh
diff --git a/checksec.pub b/checksec.pub
deleted file mode 100644
index bf045c7..0000000
--- a/checksec.pub
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwgndry6Xbi4O0Gl5Oe3I
-uydr2VjGXmx2E3KawL++QwkaUODG8EnOn0xVuKVddJaf67FlswzOb8uDTCN7lYDg
-qJAwf6YS9AluNQFiEAhEFX1/Gl2/SJqGaxEUOGNUw529kpUGC06czHxD4G/ucABY
-ONbZoUsZHbdgeCnyk5w6tIk70Je6fvznCkbqmFaKE2BxVLDKSIbH0SjNWOtR2azd
-uWzvEMdUqefVcaq+P1cWGK7/xVYR6Ew0MZA7VSLdDHeEErIoJsu/3eZyDyd9ZRRo
-gij36GSvHTDrU5eWWFStCMT3oCD8LJ5impQyjVwvy3vxeSUc5dw+YP549Oc4qvo6
-9wIDAQAB
------END PUBLIC KEY-----
diff --git a/checksec.sig b/checksec.sig
deleted file mode 100644
index ea607e4..0000000
Binary files a/checksec.sig and /dev/null differ
diff --git a/checksec_automator.sh b/checksec_automator.sh
deleted file mode 100755
index 7f9dafc..0000000
--- a/checksec_automator.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-# keep checksec executable and checksec_automation file in same directory.
-
-#sudo find $1 -type f -executable -exec file -i '{}' \; | grep 'x-executable; charset=binary' | cut -c1- | cut -d ':' -f1 > linux_executables.txt
-
-#tree -fi $1 > linux_executables.txt
-
-help() {
- echo "Usage: ./checksec_automation.sh [] []"
-}
-
-#run help if nothing is passed
-if [[ "$#" -lt 1 ]]; then
- help
- exit 1
-fi
-
-find "$1" -type f -executable -exec file -i '{}' \; | grep -e 'application/x-sharedlib; charset=binary' -e 'application/x-pie-executable; charset=binary' -e 'application/x-executable; charset=binary' | cut -c1- | cut -d ':' -f1 > linux_executables.txt
-
-echo "Checksec Output" | tee "$2"
-
-while read -r i; do
- ./checksec &> /dev/null
- if [ "$?" -eq 127 ]; then
- echo "File not Found. Keep checksec in same directory and run the script again."
- exit 1
- else
- ./checksec --file="$i" | tee -a "$2"
- fi
-done < <(cat linux_executables.txt)
diff --git a/checksec_new.pub b/checksec_new.pub
deleted file mode 100644
index 9cb9980..0000000
--- a/checksec_new.pub
+++ /dev/null
@@ -1 +0,0 @@
-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
diff --git a/checksec_new.sig b/checksec_new.sig
deleted file mode 100644
index e8808ee..0000000
--- a/checksec_new.sig
+++ /dev/null
@@ -1 +0,0 @@
-MEUCIQCzLRdf/RXXxhifWOabwJhNBYfviKL5Y8fZ2CjFWcwH0wIgJEYWYgcX4DOfVvG0m2aj+AOVrEHjJocM4A1JrCeAl0c=