Commit 8ce4f96c authored by Loic

HBSD: Big cleanup


Signed-off-by: Loic <loic.f@hardenedbsd.org>
parent 3bde2a9e
# Issue tracker
If any of these values are not included, the issue will be closed and not worked
## Issue
<!--- Tell us what should happen -->
## Debug Report
include the output of `checksec --debug_report`
## Command run to produce the error
<!--- Provide the exact command run to reproduce the error -->
## OS version and Kernel version
<!--- Include the os and kernel version -->
## Debug output
Run the same command as above to reproduce the error but include the --debug flag
e.x `checksec --debug -f /usr/bin/ls`
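Review bot: `checksec --debug_report` in the Debug Report section uses an underscore while every option listed in the man page further down uses hyphens (`--proc-all`, `--fortify-file`, `--proc-libs`), so verify the flag spelling before reusing this template for the fork; the opening line `the issue will be closed and not worked` also reads as if `worked on` was intended.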
name: docker-compose-test
on: pull_request
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: shellcheck
run: docker-compose run shellcheck
- name: ubuntu checksec
run: docker-compose run checksec-ubuntu
- name: arch checksec
run: docker-compose run checksec-arch
- name: photon checksec
run: docker-compose run checksec-photon
\ No newline at end of file
name: docker-compose-test
on:
push:
branches:
- master
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: shellcheck
run: docker-compose run shellcheck
- name: ubuntu checksec
run: docker-compose run checksec-ubuntu
- name: arch checksec
run: docker-compose run checksec-arch
- name: photon checksec
run: docker-compose run checksec-photon
- name: docker build
run: docker build -t slimm609/checksec:latest .
- name: Push to Docker Hub
uses: docker/build-push-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: slimm609/checksec:latest
\ No newline at end of file
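Review bot: the Docker Hub step in the push workflow passes the tag inside `repository: slimm609/checksec:latest`, but `docker/build-push-action@v1` takes the image name in `repository` and the tag in a separate `tags` input, and it performs its own build, so the preceding `docker build -t slimm609/checksec:latest .` step was redundant. The job also pushes to the upstream `slimm609` namespace with `secrets.DOCKER_USERNAME` / `secrets.DOCKER_PASSWORD`, which a HardenedBSD fork does not own, so dropping this workflow is the right call; if a replacement is added later, pin `actions/checkout` and `docker/build-push-action` to commit SHAs rather than the mutable `@v2` / `@v1` tags.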
sign-checksec.sh
checksec.crt
checksec.key
\ No newline at end of file
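Review bot: removing this ignore list drops the only guard that kept `checksec.key` (the private signing key), `checksec.crt` and `sign-checksec.sh` out of the repository; if the fork keeps any release-signing material, carry these three entries into whatever replaces this file, otherwise a later `git add .` can commit the key.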
Rev-2020081501 Brian Davis <slimm609@gmail.com>
* checksec.sh: Updated to 2.4.0
* checksec.sh: checksec_automator.sh add check x-pie-executable
Thanks @ja-pa
* checksec.sh: Support for list file modifier
Thanks @dsuarezv
* checksec.sh: Update license
Thanks @mr-segfault
Rev-2020052701 Brian Davis <slimm609@gmail.com>
* checksec.sh: Updated to 2.2.0
* checksec.sh: fix several small issues
Thanks @cgzones
* checksec.sh: add selfrando checks
Thanks @Estella
* checksec.sh: fix json validation
* checksec.sh: added github actions validation tests
* checksec.sh: fix stack protector functions
Thanks @cgzones
* checksec.sh: improve core dump checks
Thanks @cgzones
* checksec.sh: Run readelf in wide mode
Thanks @cgzones
Rev-2019061301 Brian Davis <slimm609@gmail.com>
* checksec.sh: Updated to 2.0.0 - Breaking changes in options, no longer support short options
* checksec.sh: Rewrite checksec to use getopts and move to all functions
* checksec.sh: add MUSL support
Thanks g3ngr33n
* checksec.sh: fixed coredumpcheck
Rev-2019061301 Brian Davis <slimm609@gmail.com>
* checksec.sh: adds Clang CFI and SafeStack checks
Thanks dobin
* checksec.sh: Proc-all proccheck() json fix
Thanks etke
* checksec.sh: Fix --proc-all json output
Thanks etke
* checksec.sh: Switch --proc to use pgrep and fix json output
Thanks etke
* checksec.sh: Fix --proc-libs json output
Thanks etke
* checksec.sh: Fixed some calls to readelf missing stderr redirection to /dev/null
Thanks areisbr
* checksec.sh: fixed several issues around json and xml formatting
* checksec.sh: fixed fortify source catching false positives
Rev-2019011901 Brian Davis <slimm609@gmail.com>
* checksec.sh: Updated to 1.11.1
* checksec.sh: resolved issues with readelf
* checksec.sh: Added docker images for testing
* checksec.sh: Added armhf and aarch64 libc locations
Thanks Avamander
* checksec.sh: Replace FS_COUNT with fgrep
Thanks Iraugusto
* checksec.sh: Fixed symbols count in csv
Thanks Iraugusto
* checksec.sh: Fixed RW-RPATH and RW-RUNPATH
Thanks Iraugusto
* checksec.sh: Added stack canaries generated by intel compiler
Thanks Xavier Brouckaert
* checksec.sh: Mute stat errors for non-existent directories
Thanks Iraugusto
* checksec.sh: Removed invalid json structures and duplicate kernel checks
* checksec.sh: fixed spaces in -d option
* checksec.sh: Added stack-protector-string check
Thanks scottellis
* checksec.sh: Add arm64 specific kernel checks
Thanks scottellis
* checksec.sh: Add REFCOUNT_FULL to kernel tests
Thanks scottellis
* checksec.sh: Remove OSX support
Rev-2018012401 Brian Davis <slimm609@gmail.com>
* checksec.sh: Updated to 1.9.0
* checksec.sh: made all kernel checks dependant on kernel version
* checksec.sh: moved man page to section 1
* checksec.sh: fixed debug flag
* checksec.sh: resolved issue with -d
* checksec.sh: fixed stack protector on 4.18+ kernels
Thanks cheese
* checksec.sh: fixed runpath name in output
Thanks philipturnbull
* checksec.sh: updated readme for offline testing
Thanks matthew-l-weber
Rev-2018012401 Brian Davis <slimm609@gmail.com>
* checksec.sh: Updated to 1.8.0
* checksec.sh: resolved issue with eu-readelf debug
* checksec.sh: shellcheck cleanup
Rev-2017080801 Brian Davis <slimm609@gmail.com>
* checksec.sh: Cleaned up if statements for proper bash expressions
Rev-2016102701 Brian Davis <slimm609@gmail.com>
* checksec.sh: updated to 1.7.5
* checksec.sh: added OSX support
Thanks Ben Actis
* checksec.sh: added space and underscore support
Thanks brianmwaters
* checksec.sh: cleaned up code formatting
Rev-2016022002 Brian Davis <slimm609@gmail.com>
* checksec.sh: updated to 1.7.4
* checksec.sh: fixed man page
* checksec.sh: added pkg_release option to disable updates for packaged releases
* checksec.sh: cleanup up proc-libs
Rev-2016021501 Brian Davis <slimm609@gmail.com>
* checksec.sh: merged in zsh completion
Thanks Vaeth
* checksec.sh: added man page for checksec
* checksec.sh: updated readme to reflect output in place of format option
Rev-2016021501 Brian Davis <slimm609@gmail.com>
* checksec.sh: updated to 1.7.3
* checksec.sh: added xml and json validation tests
* checksec.sh: fixed xml and json errors from validation tests
* checksec.sh: expanded grsecurity checks and cleaned up formatting
Rev-2016010502 Brian Davis <slimm609@gmail.com>
* checksec.sh: Added some extra debug output and started cleanup.
Rev-2016010501 Brian Davis <slimm609@gmail.com>
* checksec.sh: Fixed sysctl path issue #20
Thanks hartwork
Rev-2015122201 Brian Davis <slimm609@gmail.com>
* checksec.sh: Merged in json fixes.
Thanks jpouellet
Rev-2015122101 Brian Davis <slimm609@gmail.com>
* checksec.sh: Merged in passing in command line kernel config, x86 fix and optional tools.
Thanks philippedeswert
* checksec.sh: split off mandatory tool from optional tools.
* checksec.sh: Updated to 1.7.1
* checksec.sh: Added Seccomp tests from olivierlemoal.
Rev-2015102001 Brian Davis <slimm609@gmail.com>
* checksec.sh: Set static LC_ALL to resolve LANG errors. Resolves Ticket #13
* checksec.sh: Merged in additional kernel options and arch specfic options. Ticket #14
Thanks philippedeswert
* checksec.sh: Updated to 1.7.0 to support revision releases.
* checksec.sh: put in checks to not display checks that are for different architectures.
Rev-2015091505 Brian Davis <slimm609@gmail.com>
* checksec.sh: added additional debug output for troubleshooting purposes
Rev-2015091401 Brian Davis <slimm609@gmail.com>
* checksec.sh: added debug option for troubleshooting purposes
Rev-2015091301 Brian Davis <slimm609@gmail.com>
* checksec.sh: merged in changes for fedora/epel compilance
Thanks Besser82
* checksec.sh: updated check binaries on run
Thanks Roberto Martelloni
Rev-2015060201 Brian Davis <slimm609@gmail.com>
* checksec.sh: merged in fortified/fortify-able stats on --file output changed
Thanks Roberto Martelloni
Rev-2015011201 Brian Davis <slimm609@gmail.com>
* checksec.sh: moved checksec.sh to checksec
Rev-2014021802 Brian Davis <slimm609@gmail.com>
* checksec.sh: merged in RODATA and STRICT_USER_COPY changes
Thanks N8Fear
Rev-2014021801 Brian Davis <slimm609@gmail.com>
* checksec.sh: merged in JIT and MODHARDEN changes
Thanks N8Fear
Rev-2014021605 Brian Davis <slimm609@gmail.com>
* checksec.sh: Changed --update to verify signature of updates.
* checksec.sig: file added
Rev-2014021601 Brian Davis <slimm609@gmail.com>
* checksec.sh: Removed deprecated Kern Heap section
Thanks Unspawn
2014-02-14 Brian Davis <slimm609@gmail.com>
* checksec.sh: Updated to version 1.6
* checksec.sh: Implemented rev numbers and --update option
* checksec.sh: Added SELinux checks as additional checks for kernel security.
* checksec.sh: Added update option to pull the latest release
* checksec.sh: Added foritfy_source to proc-all output.
* checksec.sh: Added Json, strict XML and updated Grsecurity section.
* checksec.sh: Carried over Robin David's changes with XML and CSV.
2013-10-06 Robin David <dev.robin.david@gmail.com>
* add machine-readable outputs like CSV and XML
2011-11-17 Tobias Klein <tk@trapkit.de>
* 1.5
* New checks for rpath and runpath elements in the dynamic sections.
Thanks to Ollie Whitehouse.
* Other bugfixes and improvements
- checksec.sh now takes account of the KBUILD_OUTPUT
environment variable when checking the Linux kernel
protection mechanisms (--kernel).
Thanks to Martin Vaeth for the hint.
- Some minor changes and clean-ups. Thanks to Brian Davis.
- Ubuntu 11.10 support for --fortify-file and --fortify-proc.
2011-01-14 Tobias Klein <tk@trapkit.de>
* 1.4
* Support for FORTIFY_SOURCE (--fortify-file, --fortify-proc)
* Lots of other bugfixes and improvements
- Check if the readelf command is available
- readelf support for 64-bit ELF files
- Check if the requested files and directories do exist
- '--dir' is now case-sensitive and correctly deals with
trailing slashes
- Check user permissions
- Etc.
2010-06-15 Tobias Klein <tk@trapkit.de>
* 1.3.1
* New BSD License
(http://www.opensource.org/licenses/bsd-license.php)
2010-05-04 Tobias Klein <tk@trapkit.de>
* 1.3
* Additional checks for a number of Linux kernel
protection mechanisms.
Thanks to Jon Oberheide (jon.oberheide.org).
2010-01-02 Tobias Klein <tk@trapkit.de>
* 1.2
* Additional PaX (http://pax.grsecurity.net/) checks.
Thanks to Brad Spengler (grsecurity.net) for the PaX
support.
* Some minor fixes (coloring adjusted, 'pidof' replacement)
2009-12-27 Tobias Klein <tk@trapkit.de>
* 1.1
* New '--proc-libs' option. This option instructs
checksec.sh to test the loaded libraries of a process.
* Additional information on ASLR results (--proc,
-proc-all, --proc-libs)
Thanks to Anthony G. Basile of the Tin Hat project
for the hint.
* Additional CPU NX check (--proc, --proc-all, --proc-libs)
2009-01-28 Tobias Klein <tk@trapkit.de>
* 1.0
* Initial release
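Review bot: several revision ids in this log are reused for different entries (`Rev-2019061301` twice, `Rev-2018012401` twice, `Rev-2016021501` twice), so they never identified a unique release; if the fork keeps a changelog, start it with an entry for this cleanup under the `hbsd-checksec` name and the 2021 copyright added in LICENSE, and use unique ids. Note also that `Rev-2014021605` (`Changed --update to verify signature of updates`, `checksec.sig: file added`) is the feature affected by dropping `checksec.pub` in this same commit.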
FROM photon:3.0
COPY checksec /bin/
RUN tdnf update && tdnf remove -y toybox && tdnf upgrade -y && \
tdnf install -y coreutils util-linux sed tar texinfo procps-ng grep findutils gzip file which awk binutils && \
chmod +x /bin/checksec
FROM archlinux:latest
# Install dependencies
RUN pacman -Syu --noconfirm vim base-devel python-pip && ln -s $(command -v vim) /bin/vi && pip install demjson
COPY . /root
WORKDIR /root
FROM photon:3.0
# Install dependencies
RUN tdnf update -y && tdnf upgrade -y && tdnf remove toybox -y && \
tdnf install -y build-essential git rpm-build coreutils util-linux \
make autoconf automake gcc ncurses-devel sed tar texinfo procps-ng grep \
findutils gzip file which libxml2 python3 python3-pip && \
pip3 install --upgrade pip && pip3 install setuptools && \
pip3 install demjson
COPY . /root
WORKDIR /root
FROM ubuntu:18.04
# Install dependencies
RUN apt-get update && apt-get -y -q upgrade && DEBIAN_FRONTEND=noninteractive apt-get -y -q install \
bc bison flex build-essential ccache git \
libncurses-dev libssl-dev u-boot-tools wget \
xz-utils vim xfce4 libxml2-utils python-demjson \
&& apt-get clean
COPY . /root
WORKDIR /root
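Review bot: the `ubuntu:18.04` Dockerfile installs `xfce4`, a full desktop environment that a command-line test container never uses; it inflates the image and its attack surface for no benefit, and `python-demjson` on that release is the Python 2 package. All four Dockerfiles also pull mutable tags (`archlinux:latest`, `photon:3.0`, `ubuntu:18.04`) and run an unpinned `pip install demjson`, so the test images were not reproducible. Since every image here is Linux, none of them exercises the FreeBSD ELF toolchain a HardenedBSD fork actually runs on; a replacement test image should be FreeBSD-based.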
The BSD License (http://www.opensource.org/licenses/bsd-license.php)
specifies the terms and conditions of use for checksec.sh:
specifies the terms and conditions of use for hbsd-checksec:
Copyright (c) 2014-2015, Brian Davis
Copyright (c) 2021, Loic <loic.f@hardenedbsd.org>
Copyright (c) 2014-2020, Brian Davis
Copyright (c) 2013, Robin David
Copyright (c) 2009-2011, Tobias Klein
All rights reserved.
......
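Review bot: the header line changes from `checksec.sh` to `hbsd-checksec` and the copyright block gains `Copyright (c) 2021, Loic <loic.f@hardenedbsd.org>` while extending Brian Davis to `2014-2020` and keeping Robin David and Tobias Klein, which is what the BSD license's notice-retention clause requires; the `......` marker collapses the rest of the license, so confirm the redistribution conditions below it were left untouched.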
checksec
hbsd-checksec
========
Checksec is a bash script to check the properties of executables (like PIE, RELRO, PaX, Canaries, ASLR, Fortify Source).
hbsd-checksec is a script to check the properties of executables (like PIE, RELRO, PaX, Canaries, ASLR).
It has been originally written by Tobias Klein and the original source is available here: http://www.trapkit.de/tools/checksec.html
Updates
-------
** MAJOR UPDATES ** 2.1.0
- Changed structure to be more modular and switched to getopts so options can be in any order. e.g. format=json can be at the end now, however.
- All options now require `--$option=$value` instead of `--$option $value`
- --extended option now includes clang CFI and safe stack checks
Last Update: 2020-08-15
For OSX
-------
Most of the tools do not work on mach-O binaries or the OSX kernel, so it is not supported
Manually verify checksec
`openssl dgst -sha256 -verify checksec.pub -signature checksec.sig checksec`
Examples
--------
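Review bot: the README still tells users to run `openssl dgst -sha256 -verify checksec.pub -signature checksec.sig checksec` under `Manually verify checksec`, but `checksec.pub` appears among the files this commit removes (the PUBLIC KEY block further down), so the instruction no longer has a key to verify against; either keep a key the fork controls and publish a matching `checksec.sig`, or drop the paragraph. The `Updates` block (`2.1.0`, `--extended option now includes clang CFI and safe stack checks`, `Last Update: 2020-08-15`) and the `For OSX` section also describe upstream checksec rather than hbsd-checksec, and the new description line drops `Fortify Source`, so those sections should be reconciled with what the fork actually supports.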
......@@ -45,113 +28,3 @@ Examples
$ checksec --output=json --file=/bin/ls
{ "file": { "relro":"partial","canary":"yes","nx":"yes","pie":"no","rpath":"no","runpath":"no","filename":"/bin/ls" } }
**Fortify test in cli**
$ checksec --fortify-proc=1
* Process name (PID) : init (1)
* FORTIFY_SOURCE support available (libc) : Yes
* Binary compiled with FORTIFY_SOURCE support: Yes
------ EXECUTABLE-FILE ------- . -------- LIBC --------
FORTIFY-able library functions | Checked function names
-------------------------------------------------------
fdelt_chk | __fdelt_chk
read | __read_chk
syslog_chk | __syslog_chk
fprintf_chk | __fprintf_chk
vsnprintf_chk | __vsnprintf_chk
fgets | __fgets_chk
strncpy | __strncpy_chk
snprintf_chk | __snprintf_chk
memset | __memset_chk
strncat_chk | __strncat_chk
memcpy | __memcpy_chk
fread | __fread_chk
sprintf_chk | __sprintf_chk
SUMMARY:
* Number of checked functions in libc : 78
* Total number of library functions in the executable: 116
* Number of FORTIFY-able functions in the executable : 13
* Number of checked functions in the executable : 7
* Number of unchecked functions in the executable : 6
**Kernel test in Cli**
$ checksec --kernel
* Kernel protection information:
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
Kernel config: /proc/config.gz
GCC stack protector support: Enabled
Strict user copy checks: Disabled
Enforce read-only kernel data: Disabled
Restrict /dev/mem access: Enabled
Restrict /dev/kmem access: Enabled
* grsecurity / PaX: Auto GRKERNSEC
Non-executable kernel pages: Enabled
Non-executable pages: Enabled
Paging Based Non-executable pages: Enabled
Restrict MPROTECT: Enabled
Address Space Layout Randomization: Enabled
Randomize Kernel Stack: Enabled
Randomize User Stack: Enabled
Randomize MMAP Stack: Enabled
Sanitize freed memory: Enabled
Sanitize Kernel Stack: Enabled
Prevent userspace pointer deref: Enabled
Prevent kobject refcount overflow: Enabled
Bounds check heap object copies: Enabled
JIT Hardening: Enabled
Thread Stack Random Gaps: Enabled
Disable writing to kmem/mem/port: Enabled
Disable privileged I/O: Enabled
Harden module auto-loading: Enabled
Chroot Protection: Enabled
Deter ptrace process snooping: Enabled
Larger Entropy Pools: Enabled
TCP/UDP Blackhole: Enabled
Deter Exploit Bruteforcing: Enabled
Hide kernel symbols: Enabled
* Kernel Heap Hardening: No KERNHEAP
The KERNHEAP hardening patchset is available here:
https://www.subreption.com/kernheap/
**Kernel Test in XML**
$ checksec --output=xml --kernel
<?xml version="1.0" encoding="UTF-8"?>
<kernel config='/boot/config-3.11-2-amd64' gcc_stack_protector='yes' strict_user_copy_check='no' ro_kernel_data='yes' restrict_dev_mem_access='yes' restrict_dev_kmem_access='no'>
<grsecurity config='no' />
<kernheap config='no' />
</kernel>
**Kernel Test in Json**
$ checksec --output=json --kernel
{ "kernel": { "KernelConfig":"/boot/config-3.11-2-amd64","gcc_stack_protector":"yes","strict_user_copy_check":"no","ro_kernel_data":"yes","restrict_dev_mem_access":"yes","restrict_dev_kmem_access":"no" },{ "grsecurity_config":"no" },{ "kernheap_config":"no" } }
Using with Cross-compiled Systems
---------------------------------------
The checksec tool can be used against cross-compiled target file-systems offline. Key limitations to note:
* Kernel tests - require you to execute the script on the running system you'd like to check as they directly access kernel resources to identify system configuration/state. You can specify the config file for the kernel after the -k option.
* File check - the offline testing works for all the checks but the Fortify feature. Fortify, uses the running system's libraries vs those in the offline file-system. There are ways to workaround this (chroot) but at the moment, the ideal configuration would have this script executing on the running system when checking the files.
The checksec tool's normal use case is for runtime checking of the systems configruation. If the system is an embedded target, the native binutils tools like readelf may not be present. This would restrict which parts of the script will work.
Even with those limitations, the amount of valuable information this script provides, still makes it a valuable tool for checking offline file-systems.
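Review bot: this hunk (`@@ -45,113 +28,3 @@`) removes the worked examples wholesale, but the first one, `checksec --output=json --file=/bin/ls` with its JSON line, is still valid for the fork and is the quickest way for a reader to see the output shape; consider keeping it. Dropping the `--kernel` examples is reasonable since they show Linux-only grsecurity/PaX and KERNHEAP output, and the kernel JSON sample `{ "kernel": { ... },{ "grsecurity_config":"no" },{ "kernheap_config":"no" } }` was not valid JSON anyway (objects joined by commas outside an array). The `Using with Cross-compiled Systems` point that `readelf` may be absent on an embedded target still applies to a BSD fork and could survive as a sentence.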
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwgndry6Xbi4O0Gl5Oe3I
uydr2VjGXmx2E3KawL++QwkaUODG8EnOn0xVuKVddJaf67FlswzOb8uDTCN7lYDg
qJAwf6YS9AluNQFiEAhEFX1/Gl2/SJqGaxEUOGNUw529kpUGC06czHxD4G/ucABY
ONbZoUsZHbdgeCnyk5w6tIk70Je6fvznCkbqmFaKE2BxVLDKSIbH0SjNWOtR2azd
uWzvEMdUqefVcaq+P1cWGK7/xVYR6Ew0MZA7VSLdDHeEErIoJsu/3eZyDyd9ZRRo
gij36GSvHTDrU5eWWFStCMT3oCD8LJ5impQyjVwvy3vxeSUc5dw+YP549Oc4qvo6
9wIDAQAB
-----END PUBLIC KEY-----
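Review bot: removing `checksec.pub` removes the trust anchor both for the script's `--update` signature check (ChangeLog `Rev-2014021605`) and for the manual `openssl dgst ... -verify checksec.pub` path the README documents; make sure the fork's script no longer offers `--update`, or ships a key the fork controls, because an update path with no verifiable signature is worse than no update path at all.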
#!/usr/bin/env bash
# keep checksec executable and checksec_automation file in same directory.
#sudo find $1 -type f -executable -exec file -i '{}' \; | grep 'x-executable; charset=binary' | cut -c1- | cut -d ':' -f1 > linux_executables.txt
#tree -fi $1 > linux_executables.txt
help() {
echo "Usage: ./checksec_automation.sh [<dir_to_scan>] [<output_file_name>]"
}
#run help if nothing is passed
if [[ "$#" -lt 1 ]]; then
help
exit 1
fi
find "$1" -type f -executable -exec file -i '{}' \; | grep -e 'application/x-sharedlib; charset=binary' -e 'application/x-pie-executable; charset=binary' -e 'application/x-executable; charset=binary' | cut -c1- | cut -d ':' -f1 > linux_executables.txt
echo "Checksec Output" | tee "$2"
for i in $(cat linux_executables.txt); do
./checksec &> /dev/null
if [ "$?" -eq 127 ]; then
echo "File not Found. Keep checksec in same directory and run the script again."
exit 1
else
./checksec --file="$i" | tee -a "$2"
fi
done
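Review bot: `for i in $(cat linux_executables.txt)` splits on whitespace, so any path containing a space is mangled (the `Rev-2016102701` ChangeLog entry says space support was added to checksec itself, and this wrapper undoes it); iterate with `while IFS= read -r i; do ...; done < linux_executables.txt` instead. The usage check only requires one argument (`"$#" -lt 1`), yet `tee "$2"` then runs with an empty filename and fails; require two arguments or give `$2` a default. Running `./checksec &> /dev/null` inside the loop to test for exit code 127 re-executes checksec once per binary just to learn whether it exists; a single `[ -x ./checksec ] || { echo "..."; exit 1; }` before the loop does the same job, and `cut -c1-` in the `find` pipeline is a no-op.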
version: '2'
services:
checksec-ubuntu:
build:
context: ./
dockerfile: Dockerfile.ubuntu
image: checksec-ubuntu
command: bash -c "./tests/test-checksec.sh"
checksec-arch:
build:
context: ./
dockerfile: Dockerfile.arch
image: checksec-arch
command: bash -c "./tests/test-checksec.sh"
checksec-photon:
build:
context: ./
dockerfile: Dockerfile.photon
image: checksec-photon
command: bash -c "./tests/test-checksec.sh"
shellcheck:
volumes:
- .:/mnt
image: koalaman/shellcheck
command: "checksec"
\ No newline at end of file
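Review bot: the `shellcheck` service only lints `checksec` (`command: "checksec"` with the repository mounted at `/mnt`), so `checksec_automation.sh` and `tests/test-checksec.sh` were never checked; a replacement CI step should pass every shell script to shellcheck. The `koalaman/shellcheck` image is also pulled without a tag, matching the unpinned base images in the Dockerfiles above.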
\" Process this file with
.\" groff -man -Tascii foo.1
.\"
.TH CHECKSEC 1 "FEBURARY 2019" Linux "User Manuals"
.SH NAME
checksec \- check executables and kernel properties
.SH SYNOPSIS
.B checksec [options] [file]
.SH DESCRIPTION
.B checksec
is a bash script used to check the properties of executables
(like PIE, RELRO, PaX, Canaries, ASLR, Fortify Source) and kernel security
options (like GRSecurity and SELinux).
.SH OPTIONS
.TP
\fB\--output=\fP or \fB\--format=\fP \fB{cli|csv|xml|json}\fP
Output the results in different formats for ingestion to other applications.
NOTE: This option must go before any other options currently
.TP
\fB\--help\fP
Displays the help text
.TP
\fB\--file=(unknown)\fP
Checks individual files for security features compiled into the executable
.TP
\fB\--dir={directory}\fP
Recursively checks all executable files in the directory for security features compiled into the executables
.TP
\fB\--proc={pid}\fP
Checks the security features of a running process by name
.TP
\fB\--proc-all\fP
Checks the security features of all running processes
.TP
\fB\--proc-libs\fP
Checks the security features of the all libraries of a running process ID
.TP
\fB\--kernel[=kconfig]\fP
Checks the security features of the running kernel or a specified kernel config
.TP
\fB\--fortify-file=(unknown)\fP
Checks the fortifiability of a file and if any of the fortifiable features have already been compiled into the file
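Review bot: the first line `\" Process this file with` is missing the leading dot that the following `.\"` line has, so groff treats it as text rather than a comment; `.TH CHECKSEC 1 "FEBURARY 2019"` misspells February; the `--output=` note `This option must go before any other options currently` contradicts the README's statement that the getopts rewrite lets options come in any order; and `--proc={pid}` is described as checking a process `by name` while its placeholder says pid (the ChangeLog entry `Switch --proc to use pgrep` suggests name). If the fork keeps a man page, DESCRIPTION should also drop Fortify Source and the GRSecurity/SELinux kernel options to match the shortened README description.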