ChangeLog 10.4 KB
Newer Older
Brian Davis's avatar
Brian Davis committed
1
2
3
4
5
6
Rev-2020081501  Brian Davis    <slimm609@gmail.com>
        * checksec.sh: Updated to 2.4.0 
        * checksec.sh: checksec_automator.sh add check x-pie-executable
           Thanks @ja-pa
        * checksec.sh: Support for list file modifier
           Thanks @dsuarezv
Brian Davis's avatar
Brian Davis committed
7
8
        * checksec.sh: Update license
           Thanks @mr-segfault
Brian Davis's avatar
Brian Davis committed
9
10
11
12
13
14
15
16
17
18
19
20
Rev-2020052701  Brian Davis    <slimm609@gmail.com>
        * checksec.sh: Updated to 2.2.0 
        * checksec.sh: fix several small issues
           Thanks @cgzones
        * checksec.sh: add selfrando checks
           Thanks @Estella
        * checksec.sh: fix json validation
        * checksec.sh: added github actions validation tests
        * checksec.sh: fix stack protector functions
           Thanks @cgzones
        * checksec.sh: improve core dump checks
           Thanks @cgzones
Brian Davis's avatar
Brian Davis committed
21
22
        * checksec.sh: Run readelf in wide mode
           Thanks @cgzones
slimm609's avatar
slimm609 committed
23
24
25
26
27
28
Rev-2019061301  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: Updated to 2.0.0 - Breaking changes in options, no longer support short options
        * checksec.sh: Rewrite checksec to use getopts and move to all functions
        * checksec.sh: add MUSL support
           Thanks g3ngr33n
        * checksec.sh: fixed coredumpcheck
slimm609's avatar
slimm609 committed
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
Rev-2019061301  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: adds Clang CFI and SafeStack checks
           Thanks dobin
        * checksec.sh: Proc-all proccheck() json fix
           Thanks etke
        * checksec.sh: Fix --proc-all json output
           Thanks etke
        * checksec.sh: Switch --proc to use pgrep and fix json output
           Thanks etke
        * checksec.sh: Fix --proc-libs json output
           Thanks etke
        * checksec.sh: Fixed some calls to readelf missing stderr redirection to /dev/null
           Thanks areisbr
        * checksec.sh: fixed several issues around json and xml formatting
        * checksec.sh: fixed fortify source catching false positives

slimm609's avatar
slimm609 committed
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
Rev-2019011901  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: Updated to 1.11.1
        * checksec.sh: resolved issues with readelf
        * checksec.sh: Added docker images for testing
        * checksec.sh: Added armhf and aarch64 libc locations
            Thanks Avamander
        * checksec.sh: Replace FS_COUNT with fgrep
            Thanks Iraugusto
        * checksec.sh: Fixed symbols count in csv
            Thanks Iraugusto
        * checksec.sh: Fixed RW-RPATH and RW-RUNPATH
            Thanks Iraugusto
        * checksec.sh: Added stack canaries generated by intel compiler
            Thanks Xavier Brouckaert
        * checksec.sh: Mute stat errors for non-existent directories
            Thanks Iraugusto
        * checksec.sh: Removed invalid json structures and duplicate kernel checks
        * checksec.sh: fixed spaces in -d option
        * checksec.sh: Added stack-protector-string check
            Thanks scottellis
        * checksec.sh: Add arm64 specific kernel checks
            Thanks scottellis
        * checksec.sh: Add REFCOUNT_FULL to kernel tests
            Thanks scottellis
        * checksec.sh: Remove OSX support


slimm609's avatar
slimm609 committed
72
73
74
75
76
77
78
79
80
81
82
83
84
85
Rev-2018012401  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: Updated to 1.9.0
        * checksec.sh: made all kernel checks dependant on kernel version
        * checksec.sh: moved man page to section 1
        * checksec.sh: fixed debug flag
        * checksec.sh: resolved issue with -d
        * checksec.sh: fixed stack protector on 4.18+ kernels
            Thanks cheese
        * checksec.sh: fixed runpath name in output
            Thanks philipturnbull
        * checksec.sh: updated readme for offline testing
            Thanks matthew-l-weber


slimm609's avatar
slimm609 committed
86
87
88
89
90
Rev-2018012401  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: Updated to 1.8.0
        * checksec.sh: resolved issue with eu-readelf debug
        * checksec.sh: shellcheck cleanup

slimm609's avatar
slimm609 committed
91
92
93
Rev-2017080801  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: Cleaned up if statements for proper bash expressions

slimm609's avatar
slimm609 committed
94
95
96
97
98
99
100
101
Rev-2016102701  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: updated to 1.7.5
        * checksec.sh: added OSX support
            Thanks Ben Actis
        * checksec.sh: added space and underscore support
            Thanks brianmwaters
        * checksec.sh: cleaned up code formatting

slimm609's avatar
slimm609 committed
102
103
104
105
106
107
Rev-2016022002  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: updated to 1.7.4
        * checksec.sh: fixed man page 
        * checksec.sh: added pkg_release option to disable updates for packaged releases
        * checksec.sh: cleanup up proc-libs

Brian Davis's avatar
Brian Davis committed
108
109
110
111
112
113
Rev-2016021501  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: merged in zsh completion 
            Thanks Vaeth
        * checksec.sh: added man page for checksec
        * checksec.sh: updated readme to reflect output in place of format option

slimm609's avatar
slimm609 committed
114
115
116
117
118
119
Rev-2016021501  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: updated to 1.7.3
        * checksec.sh: added xml and json validation tests
        * checksec.sh: fixed xml and json errors from validation tests
        * checksec.sh: expanded grsecurity checks and cleaned up formatting

Brian Davis's avatar
Brian Davis committed
120
121
122
Rev-2016010502  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: Added some extra debug output and started cleanup. 

Brian Davis's avatar
Brian Davis committed
123
124
125
126
Rev-2016010501  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: Fixed sysctl path issue #20
            Thanks hartwork

Brian Davis's avatar
Brian Davis committed
127
128
129
130
Rev-2015122201  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: Merged in json fixes. 
            Thanks jpouellet

Brian Davis's avatar
Brian Davis committed
131
132
133
134
135
Rev-2015122101  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: Merged in passing in command line kernel config, x86 fix and optional tools.
            Thanks philippedeswert 
        * checksec.sh: split off mandatory tool from optional tools. 
        * checksec.sh: Updated to 1.7.1
slimm609's avatar
slimm609 committed
136
        * checksec.sh: Added Seccomp tests from olivierlemoal.
Brian Davis's avatar
Brian Davis committed
137

Brian Davis's avatar
Brian Davis committed
138
139
140
Rev-2015102001  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: Set static LC_ALL to resolve LANG errors. Resolves Ticket #13
        * checksec.sh: Merged in additional kernel options and arch specfic options.  Ticket #14 
slimm609's avatar
slimm609 committed
141
            Thanks philippedeswert
Brian Davis's avatar
Brian Davis committed
142
143
144
        * checksec.sh: Updated to 1.7.0 to support revision releases.
        * checksec.sh: put in checks to not display checks that are for different architectures.

Brian Davis's avatar
Brian Davis committed
145
Rev-2015091505  Brian Davis     <slimm609@gmail.com> 
Brian Davis's avatar
Brian Davis committed
146
147
        * checksec.sh: added additional debug output for troubleshooting purposes

Brian Davis's avatar
Brian Davis committed
148
149
150
Rev-2015091401  Brian Davis     <slimm609@gmail.com> 
        * checksec.sh: added debug option for troubleshooting purposes

Brian Davis's avatar
Brian Davis committed
151
152
Rev-2015091301  Brian Davis     <slimm609@gmail.com>
        * checksec.sh: merged in changes for fedora/epel compilance 
slimm609's avatar
slimm609 committed
153
            Thanks Besser82
Brian Davis's avatar
Brian Davis committed
154
        * checksec.sh: updated check binaries on run
slimm609's avatar
slimm609 committed
155
            Thanks Roberto Martelloni
slimm609's avatar
slimm609 committed
156

slimm609's avatar
slimm609 committed
157
158
159
Rev-2015060201	Brian Davis    <slimm609@gmail.com>
        * checksec.sh: merged in fortified/fortify-able stats on --file output changed
            Thanks Roberto Martelloni
Björn Esser's avatar
Björn Esser committed
160

slimm609's avatar
slimm609 committed
161
162
Rev-2015011201	Brian Davis    <slimm609@gmail.com>
        * checksec.sh: moved checksec.sh to checksec
Björn Esser's avatar
Björn Esser committed
163

slimm609's avatar
slimm609 committed
164
165
166
Rev-2014021802	Brian Davis    <slimm609@gmail.com>
        * checksec.sh: merged in RODATA and STRICT_USER_COPY changes
            Thanks N8Fear
Björn Esser's avatar
Björn Esser committed
167

slimm609's avatar
slimm609 committed
168
169
170
Rev-2014021801	Brian Davis    <slimm609@gmail.com>
        * checksec.sh: merged in JIT and MODHARDEN changes
            Thanks N8Fear
Björn Esser's avatar
Björn Esser committed
171

slimm609's avatar
slimm609 committed
172
173
174
Rev-2014021605	Brian Davis    <slimm609@gmail.com>
        * checksec.sh: Changed --update to verify signature of updates.
        * checksec.sig: file added
slimm609's avatar
slimm609 committed
175

slimm609's avatar
slimm609 committed
176
177
178
Rev-2014021601	Brian Davis    <slimm609@gmail.com>
        * checksec.sh: Removed deprecated Kern Heap section
            Thanks Unspawn
Björn Esser's avatar
Björn Esser committed
179

slimm609's avatar
slimm609 committed
180
181
182
183
184
185
186
187
2014-02-14	Brian Davis    <slimm609@gmail.com>
        * checksec.sh: Updated to version 1.6
        * checksec.sh: Implemented rev numbers and --update option
        * checksec.sh: Added SELinux checks as additional checks for kernel security.
        * checksec.sh: Added update option to pull the latest release
        * checksec.sh: Added foritfy_source to proc-all output.
        * checksec.sh: Added Json, strict XML and updated Grsecurity section.
        * checksec.sh: Carried over Robin David's changes with XML and CSV.
Björn Esser's avatar
Björn Esser committed
188

slimm609's avatar
slimm609 committed
189
190
2013-10-06	Robin David    <dev.robin.david@gmail.com>
        * add machine-readable outputs like CSV and XML
Björn Esser's avatar
Björn Esser committed
191

slimm609's avatar
slimm609 committed
192
193
2011-11-17	Tobias Klein    <tk@trapkit.de>
        * 1.5
Björn Esser's avatar
Björn Esser committed
194

slimm609's avatar
slimm609 committed
195
196
        * New checks for rpath and runpath elements in the dynamic sections.
          Thanks to Ollie Whitehouse.
Björn Esser's avatar
Björn Esser committed
197

slimm609's avatar
slimm609 committed
198
199
200
201
202
203
204
        * Other bugfixes and improvements
          - checksec.sh now takes account of the KBUILD_OUTPUT
            environment variable when checking the Linux kernel
            protection mechanisms (--kernel).
            Thanks to Martin Vaeth for the hint.
          - Some minor changes and clean-ups. Thanks to Brian Davis.
          - Ubuntu 11.10 support for --fortify-file and --fortify-proc.
Björn Esser's avatar
Björn Esser committed
205

slimm609's avatar
slimm609 committed
206
207
2011-01-14	Tobias Klein     <tk@trapkit.de>
        * 1.4
Björn Esser's avatar
Björn Esser committed
208

slimm609's avatar
slimm609 committed
209
        * Support for FORTIFY_SOURCE (--fortify-file, --fortify-proc)
Björn Esser's avatar
Björn Esser committed
210

slimm609's avatar
slimm609 committed
211
212
213
214
215
216
217
218
        * Lots of other bugfixes and improvements
          - Check if the readelf command is available
          - readelf support for 64-bit ELF files
          - Check if the requested files and directories do exist
          - '--dir' is now case-sensitive and correctly deals with
            trailing slashes
          - Check user permissions
          - Etc.
Björn Esser's avatar
Björn Esser committed
219

slimm609's avatar
slimm609 committed
220
221
2010-06-15	Tobias Klein    <tk@trapkit.de>
        * 1.3.1
Björn Esser's avatar
Björn Esser committed
222

slimm609's avatar
slimm609 committed
223
224
        * New BSD License
          (http://www.opensource.org/licenses/bsd-license.php)
Björn Esser's avatar
Björn Esser committed
225

slimm609's avatar
slimm609 committed
226
227
2010-05-04	Tobias Klein    <tk@trapkit.de>
        * 1.3
Björn Esser's avatar
Björn Esser committed
228

slimm609's avatar
slimm609 committed
229
230
231
        * Additional checks for a number of Linux kernel
          protection mechanisms.
          Thanks to Jon Oberheide (jon.oberheide.org).
Björn Esser's avatar
Björn Esser committed
232

slimm609's avatar
slimm609 committed
233
234
2010-01-02	Tobias Klein    <tk@trapkit.de>
        * 1.2
Björn Esser's avatar
Björn Esser committed
235

slimm609's avatar
slimm609 committed
236
237
238
        * Additional PaX (http://pax.grsecurity.net/) checks.
          Thanks to Brad Spengler (grsecurity.net) for the PaX
          support.
Björn Esser's avatar
Björn Esser committed
239

slimm609's avatar
slimm609 committed
240
        * Some minor fixes (coloring adjusted, 'pidof' replacement)
Björn Esser's avatar
Björn Esser committed
241

slimm609's avatar
slimm609 committed
242
243
244
245
2009-12-27	Tobias Klein    <tk@trapkit.de>
        * 1.1
        * New '--proc-libs' option. This option instructs
         checksec.sh to test the loaded libraries of a process.
Björn Esser's avatar
Björn Esser committed
246

slimm609's avatar
slimm609 committed
247
248
249
250
        * Additional information on ASLR results (--proc,
          -proc-all, --proc-libs)
          Thanks to Anthony G. Basile of the Tin Hat project
          for the hint.
Björn Esser's avatar
Björn Esser committed
251

slimm609's avatar
slimm609 committed
252
        * Additional CPU NX check (--proc, --proc-all, --proc-libs)
Björn Esser's avatar
Björn Esser committed
253

slimm609's avatar
slimm609 committed
254
255
256
2009-01-28	Tobias Klein    <tk@trapkit.de>
        * 1.0
        * Initial release
slimm609's avatar
slimm609 committed
257