Commit a9abfef7 authored by slimm609's avatar slimm609

signed update

parent c14d5749
Rev-2019061301 Brian Davis <slimm609@gmail.com>
* checksec.sh: Updated to 2.0.0 - Breaking changes in options, no longer support short options
* checksec.sh: Rewrite checksec to use getopts and move to all functions
* checksec.sh: add MUSL support
Thanks g3ngr33n
* checksec.sh: fixed coredumpcheck
Rev-2019061301 Brian Davis <slimm609@gmail.com>
* checksec.sh: adds Clang CFI and SafeStack checks
Thanks dobin
......
FROM archlinux/base:latest
# Install dependencies
RUN pacman -Syu --noconfirm vim base-devel && ln -s $(command -v vim) /bin/vi
RUN pacman -Syu --noconfirm vim base-devel python-pip && ln -s $(command -v vim) /bin/vi && pip install demjson
COPY . /root
WORKDIR /root
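Review bot: The `pip install demjson` added to the RUN line carries no version pin, and the same is true of the `archlinux/base:latest` base tag and the `pacman -Syu` in the same layer, so each build of the test image pulls whatever the registries serve that day and silently absorbs upstream changes. Pin the package to the release you validated, `pip install 'demjson==<tested version>'`, and consider pinning the base image by digest so test failures can be attributed to checksec rather than to a moved dependency. The reason for the dependency is not obvious from this file either; a one-line note such as `# demjson provides jsonlint-py, used by tests/test-json.sh` on the RUN line would help. This appears to be Dockerfile.arch, but the file header is not visible in this section.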
......@@ -6,7 +6,10 @@ It has been originally written by Tobias Klein and the original source is availa
Updates
-------
Last Update: 2019-06-13
** MAJOR UPDATES **
- changed structure to more modular and switched to getopts so options can be in any order. e.g. format=json can be at the end now, however. All options now require `--$option=$value` instead of `--$option $value`
Last Update: 2019-07-23
For OSX
-------
......@@ -15,31 +18,31 @@ For OSX
Examples
--------
**normal (or --format cli)**
**normal (or --format=cli)**
$checksec --file /bin/ls
$checksec --file=/bin/ls
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /bin/ls
**csv**
$ checksec --output csv --file /bin/ls
$ checksec --output=csv --file=/bin/ls
Partial RELRO,Canary found,NX enabled,No PIE,No RPATH,No RUNPATH,/bin/ls
**xml**
$ checksec --output xml --file /bin/ls
$ checksec --output=xml --file=/bin/ls
<?xml version="1.0" encoding="UTF-8"?>
<file relro="partial" canary="yes" nx="yes" pie="no" rpath="no" runpath="no" filename='/bin/ls'/>
**json**
$ checksec --output json --file /bin/ls
$ checksec --output=json --file=/bin/ls
{ "file": { "relro":"partial","canary":"yes","nx":"yes","pie":"no","rpath":"no","runpath":"no","filename":"/bin/ls" } }
**Fortify test in cli**
$ checksec --fortify-proc 1
$ checksec --fortify-proc=1
* Process name (PID) : init (1)
* FORTIFY_SOURCE support available (libc) : Yes
* Binary compiled with FORTIFY_SOURCE support: Yes
......@@ -123,7 +126,7 @@ Examples
**Kernel Test in XML**
$ checksec --output xml --kernel
$ checksec --output=xml --kernel
<?xml version="1.0" encoding="UTF-8"?>
<kernel config='/boot/config-3.11-2-amd64' gcc_stack_protector='yes' strict_user_copy_check='no' ro_kernel_data='yes' restrict_dev_mem_access='yes' restrict_dev_kmem_access='no'>
<grsecurity config='no' />
......@@ -132,7 +135,7 @@ Examples
**Kernel Test in Json**
$ checksec --output json --kernel
$ checksec --output=json --kernel
{ "kernel": { "KernelConfig":"/boot/config-3.11-2-amd64","gcc_stack_protector":"yes","strict_user_copy_check":"no","ro_kernel_data":"yes","restrict_dev_mem_access":"yes","restrict_dev_kmem_access":"no" },{ "grsecurity_config":"no" },{ "kernheap_config":"no" } }
Using with Cross-compiled Systems
......@@ -146,8 +149,3 @@ The checksec tool's normal use case is for runtime checking of the systems confi
Even with those limitations, the amount of valuable information this script provides, still makes it a valuable tool for checking offline file-systems.
Warning
-------
Due to the original structure of the script the **--output** argument should be placed first on the command line arguments. Doing differently would require really big changes in the code.
......@@ -6,29 +6,26 @@
#tree -fi $1 > linux_executables.txt
help() {
echo "Usage: ./checksec_automation.sh [<dir_to_scan>] [<output_file_name>]"
}
#run help if nothing is passed
if [[ "$#" -lt 1 ]]; then
help
exit 1
fi
echo "Usage: ./checksec_automation.sh [<dir_to_scan>] [<output_file_name>]"
}
#run help if nothing is passed
if [[ "$#" -lt 1 ]]; then
help
exit 1
fi
find "$1" -type f -executable -exec file -i '{}' \; | grep -e 'application/x-sharedlib; charset=binary' -e 'application/x-executable; charset=binary' | cut -c1- | cut -d ':' -f1 > linux_executables.txt
echo "Checksec Output" | tee "$2"
for i in $(cat linux_executables.txt)
do
./checksec &> /dev/null
if [ "$?" -eq 127 ]; then
echo "File not Found. Keep checksec in same directory and run the script again."
exit 1
else
./checksec -f "$i" | tee -a "$2"
fi
done
for i in $(cat linux_executables.txt); do
./checksec &> /dev/null
if [ "$?" -eq 127 ]; then
echo "File not Found. Keep checksec in same directory and run the script again."
exit 1
else
./checksec --file="$i" | tee -a "$2"
fi
done
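Review bot: The rewritten loop still iterates with `for i in $(cat linux_executables.txt)`, so any executable whose path contains whitespace is split into fragments and each fragment is handed to `--file=`, which makes the scan silently skip exactly the files that were written to the list; paths with glob characters are expanded as well. Reading the list line by line with `read -r` avoids both problems, and the `./checksec &> /dev/null` probe for exit 127 can be hoisted out of the loop as a single existence check instead of re-running checksec once per file. The `cut -c1-` in the find pipeline is a no-op and can be dropped, and `cut -d ':' -f1` will truncate paths that themselves contain a colon, which is worth a comment if it is accepted.
```shell
# … unchanged: help(), argument check, find pipeline, header echo …
# Check for checksec once, before the loop, instead of executing it per file.
if [[ ! -x ./checksec ]]; then
  echo "File not Found. Keep checksec in same directory and run the script again."
  exit 1
fi
# One path per line; read -r keeps spaces, backslashes and glob characters intact.
while IFS= read -r i; do
  ./checksec --file="$i" | tee -a "$2"
done < linux_executables.txt
```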
......@@ -5,5 +5,12 @@ services:
build:
context: ./
dockerfile: Dockerfile.ubuntu
image: checksec
image: checksec-ubuntu
command: bash -c "./tests/test-checksec.sh"
checksec-arch:
build:
context: ./
dockerfile: Dockerfile.arch
image: checksec-arch
command: bash -c "./tests/test-checksec.sh"
......@@ -12,10 +12,11 @@ fi
DIR=$(cd $(dirname "$0"); pwd)
PARENT=$(cd $(dirname "$0")/..; pwd)
jsonlint=$(which jsonlint || which jsonlint-py)
#check json for proc-all
echo "starting proc-all check - json"
$PARENT/checksec --format json --proc-all > $DIR/output.json
jsonlint-py --allow duplicate-keys $DIR/output.json > /dev/null
$PARENT/checksec --format=json --proc-all > $DIR/output.json
$jsonlint --allow duplicate-keys $DIR/output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "proc-all json validation failed"
......@@ -24,8 +25,8 @@ fi
#check json for kernel
echo "starting kernel check - json"
$PARENT/checksec --format json --kernel > $DIR/output.json
jsonlint-py $DIR/output.json > /dev/null
$PARENT/checksec --format=json --kernel > $DIR/output.json
$jsonlint $DIR/output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "kernel json validation failed"
......@@ -34,8 +35,8 @@ fi
#check json against custom kernel config to trigger all checks
echo "starting custom kernel check - json"
$PARENT/checksec --format json --kernel kernel.config > $DIR/output.json
jsonlint-py $DIR/output.json > /dev/null
$PARENT/checksec --format=json --kernel=kernel.config > $DIR/output.json
$jsonlint $DIR/output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "custom kernel json validation failed"
......@@ -44,8 +45,8 @@ fi
#check json for file
echo "starting file check - json"
$PARENT/checksec --format json --file $test_file > $DIR/output.json
jsonlint-py $DIR/output.json > /dev/null
$PARENT/checksec --format=json --file=$test_file > $DIR/output.json
$jsonlint $DIR/output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "file json validation failed"
......@@ -54,18 +55,28 @@ fi
#check json for fortify file
echo "starting fortify-file check - json"
$PARENT/checksec --format json --fortify-file $test_file > $DIR/output.json
jsonlint-py --allow duplicate-keys $DIR/output.json > /dev/null
$PARENT/checksec --format=json --fortify-file=$test_file > $DIR/output.json
$jsonlint --allow duplicate-keys $DIR/output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "fortify-file json validation failed"
exit $RET
fi
#check json for fortify proc
echo "starting fortify-proc check - json"
$PARENT/checksec --format=json --fortify-proc=1 > $DIR/output.json
$jsonlint --allow duplicate-keys $DIR/output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "fortify-file json validation failed"
exit $RET
fi
#check json for dir
echo "starting dir check - json"
$PARENT/checksec --format json --dir /sbin > $DIR/output.json
jsonlint-py $DIR/output.json > /dev/null
$PARENT/checksec --format=json --dir=/sbin > $DIR/output.json
$jsonlint $DIR/output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "dir json validation failed"
......
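Review bot: `jsonlint=$(which jsonlint || which jsonlint-py)` at the top of the section never verifies that either binary was found, so on a host with neither installed `$jsonlint` expands to nothing and every check executes `--allow duplicate-keys …` as a command; the resulting "command not found" is then reported as a JSON validation failure, which will mislead whoever reads the CI log. Resolve the tool once and abort with a clear message: `jsonlint=$(command -v jsonlint || command -v jsonlint-py) || { echo "jsonlint/jsonlint-py not found" >&2; exit 1; }`. The new fortify-proc block also carries a copy-pasted diagnostic; its failure line should read `echo "fortify-proc json validation failed"` rather than repeating the fortify-file message. The unquoted `$DIR/output.json` and `$test_file` work for the current paths but break if the checkout lives under a directory containing spaces.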
......@@ -15,7 +15,7 @@ PARENT=$(cd $(dirname "$0")/..; pwd)
#check xml for proc-all
echo "starting proc-all check - xml"
$PARENT/checksec --format xml --proc-all > $DIR/output.xml
$PARENT/checksec --format=xml --proc-all > $DIR/output.xml
xmllint --noout $DIR/output.xml
RET=$?
if [ $RET != 0 ]; then
......@@ -25,7 +25,7 @@ fi
#check xml for kernel
echo "starting kernel check - xml"
$PARENT/checksec --format xml --kernel > $DIR/output.xml
$PARENT/checksec --format=xml --kernel > $DIR/output.xml
xmllint --noout $DIR/output.xml
RET=$?
if [ $RET != 0 ]; then
......@@ -35,7 +35,7 @@ fi
#check xml against custom kernel config to trigger all checks
echo "starting custom kernel check - xml"
$PARENT/checksec --format xml --kernel kernel.config > $DIR/output.xml
$PARENT/checksec --format=xml --kernel=kernel.config > $DIR/output.xml
xmllint --noout $DIR/output.xml
RET=$?
if [ $RET != 0 ]; then
......@@ -45,7 +45,7 @@ fi
#check xml for file
echo "starting file check - xml"
$PARENT/checksec --format xml --file $test_file > $DIR/output.xml
$PARENT/checksec --format=xml --file=$test_file > $DIR/output.xml
xmllint --noout $DIR/output.xml
RET=$?
if [ $RET != 0 ]; then
......@@ -55,17 +55,28 @@ fi
#check xml for fortify file
echo "starting fortify-file check - xml"
$PARENT/checksec --format xml --fortify-file $test_file > $DIR/output.xml.json
$PARENT/checksec --format=xml --fortify-file=$test_file > $DIR/output.xml
xmllint --noout $DIR/output.xml
RET=$?
if [ $RET != 0 ]; then
echo "fortify-file xml validation failed"
exit $RET
fi
#check xml for fortify proc
echo "starting fortify-proc check - xml"
$PARENT/checksec --format=xml --fortify-proc=1 > $DIR/output.xml
xmllint --noout $DIR/output.xml
RET=$?
if [ $RET != 0 ]; then
echo "fortify-proc xml validation failed"
exit $RET
fi
#check xml for dir
echo "starting dir check - xml"
$PARENT/checksec --format xml --dir /sbin > $DIR/output.xml
$PARENT/checksec --format=xml --dir=/sbin > $DIR/output.xml
xmllint --noout $DIR/output.xml
RET=$?
if [ $RET != 0 ]; then
......
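Review bot: The new fortify-proc block is the seventh near-verbatim copy of the same run–lint–check sequence, and the only things that differ between copies are the checksec options and the label in the failure message, which is how the `output.xml.json` typo fixed in this commit crept in originally. Folding the sequence into a small helper keeps each check to one line, quotes `$DIR` and `$PARENT` in one place, and preserves the current behaviour of exiting with xmllint's status. The helper would be defined once after `PARENT=…`, which is outside the visible hunks.
```shell
# Run checksec with the given options in XML mode, lint the output, and exit
# with xmllint's status on failure.  $1 is the label for the failure message.
check_xml() {
  local label=$1 rc
  shift
  "$PARENT/checksec" --format=xml "$@" > "$DIR/output.xml"
  xmllint --noout "$DIR/output.xml"
  rc=$?
  if [[ $rc -ne 0 ]]; then
    echo "$label xml validation failed"
    exit "$rc"
  fi
}
# … unchanged: earlier checks, each reduced to one check_xml call …
echo "starting fortify-proc check - xml"
check_xml "fortify-proc" --fortify-proc=1
```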