diff --git a/ChangeLog b/ChangeLog index 1f9ce86..a99f8fc 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,233 +1,241 @@ +Rev-2022052701 Brian Davis + * update to 2.6.0 + * fix missing sysctl on fedora + Thanks @spdfnet + * remove extra parenthesis + Thanks @koobs + * add missing libc on LoongArch-64 + Thanks @xiaoxiaoafeifei Rev-2021101001 Brian Davis - * update to 2.5.0 - * split checksec into multiple files for easier maintenance and debugging - * remove space between options and only support `=` until refactor can happen - * Add pre-commit-checks - * update License.txt to include BSD license - Thanks @mr-segfault - * Move to new Arch Linux docker images - Thanks @Maryse47 - * Add photon support for tests - * Check journalctl -k for NX protection - Thanks @Tatsh - * improve debug formatting - Thanks @bmwiedemann - * Fix shellcheck warnings and style issues - Thanks @a1346054 - * Make --dir option follow symlinks + * update to 2.5.0 + * split checksec into multiple files for easier maintenance and debugging + * remove space between options and only support `=` until refactor can happen + * Add pre-commit-checks + * update License.txt to include BSD license + Thanks @mr-segfault + * Move to new Arch Linux docker images + Thanks @Maryse47 + * Add photon support for tests + * Check journalctl -k for NX protection + Thanks @Tatsh + * improve debug formatting + Thanks @bmwiedemann + * Fix shellcheck warnings and style issues + Thanks @a1346054 + * Make --dir option follow symlinks Rev-2020081501 Brian Davis - * checksec.sh: Updated to 2.4.0 - * checksec.sh: checksec_automator.sh add check x-pie-executable - Thanks @ja-pa - * checksec.sh: Support for list file modifier - Thanks @dsuarezv - * checksec.sh: Update license - Thanks @mr-segfault + * checksec.sh: Updated to 2.4.0 + * checksec.sh: checksec_automator.sh add check x-pie-executable + Thanks @ja-pa + * checksec.sh: Support for list file modifier + Thanks @dsuarezv + * checksec.sh: Update license + Thanks @mr-segfault Rev-2020052701 Brian Davis - * checksec.sh: Updated to 2.2.0 - * checksec.sh: fix several small 
issues - Thanks @cgzones - * checksec.sh: add selfrando checks - Thanks @Estella - * checksec.sh: fix json validation - * checksec.sh: added github actions validation tests - * checksec.sh: fix stack protector functions - Thanks @cgzones - * checksec.sh: improve core dump checks - Thanks @cgzones - * checksec.sh: Run readelf in wide mode - Thanks @cgzones + * checksec.sh: Updated to 2.2.0 + * checksec.sh: fix several small issues + Thanks @cgzones + * checksec.sh: add selfrando checks + Thanks @Estella + * checksec.sh: fix json validation + * checksec.sh: added github actions validation tests + * checksec.sh: fix stack protector functions + Thanks @cgzones + * checksec.sh: improve core dump checks + Thanks @cgzones + * checksec.sh: Run readelf in wide mode + Thanks @cgzones Rev-2019061301 Brian Davis - * checksec.sh: Updated to 2.0.0 - Breaking changes in options, no longer support short options - * checksec.sh: Rewrite checksec to use getopts and move to all functions - * checksec.sh: add MUSL support - Thanks g3ngr33n - * checksec.sh: fixed coredumpcheck + * checksec.sh: Updated to 2.0.0 - Breaking changes in options, no longer support short options + * checksec.sh: Rewrite checksec to use getopts and move to all functions + * checksec.sh: add MUSL support + Thanks g3ngr33n + * checksec.sh: fixed coredumpcheck Rev-2019061301 Brian Davis - * checksec.sh: adds Clang CFI and SafeStack checks - Thanks dobin - * checksec.sh: Proc-all proccheck() json fix - Thanks etke - * checksec.sh: Fix --proc-all json output - Thanks etke - * checksec.sh: Switch --proc to use pgrep and fix json output - Thanks etke - * checksec.sh: Fix --proc-libs json output - Thanks etke - * checksec.sh: Fixed some calls to readelf missing stderr redirection to /dev/null - Thanks areisbr - * checksec.sh: fixed several issues around json and xml formatting - * checksec.sh: fixed fortify source catching false positives + * checksec.sh: adds Clang CFI and SafeStack checks + Thanks dobin + * 
checksec.sh: Proc-all proccheck() json fix + Thanks etke + * checksec.sh: Fix --proc-all json output + Thanks etke + * checksec.sh: Switch --proc to use pgrep and fix json output + Thanks etke + * checksec.sh: Fix --proc-libs json output + Thanks etke + * checksec.sh: Fixed some calls to readelf missing stderr redirection to /dev/null + Thanks areisbr + * checksec.sh: fixed several issues around json and xml formatting + * checksec.sh: fixed fortify source catching false positives Rev-2019011901 Brian Davis - * checksec.sh: Updated to 1.11.1 - * checksec.sh: resolved issues with readelf - * checksec.sh: Added docker images for testing - * checksec.sh: Added armhf and aarch64 libc locations - Thanks Avamander - * checksec.sh: Replace FS_COUNT with fgrep - Thanks Iraugusto - * checksec.sh: Fixed symbols count in csv - Thanks Iraugusto - * checksec.sh: Fixed RW-RPATH and RW-RUNPATH - Thanks Iraugusto - * checksec.sh: Added stack canaries generated by intel compiler - Thanks Xavier Brouckaert - * checksec.sh: Mute stat errors for non-existent directories - Thanks Iraugusto - * checksec.sh: Removed invalid json structures and duplicate kernel checks - * checksec.sh: fixed spaces in -d option - * checksec.sh: Added stack-protector-string check - Thanks scottellis - * checksec.sh: Add arm64 specific kernel checks - Thanks scottellis - * checksec.sh: Add REFCOUNT_FULL to kernel tests - Thanks scottellis - * checksec.sh: Remove OSX support + * checksec.sh: Updated to 1.11.1 + * checksec.sh: resolved issues with readelf + * checksec.sh: Added docker images for testing + * checksec.sh: Added armhf and aarch64 libc locations + Thanks Avamander + * checksec.sh: Replace FS_COUNT with fgrep + Thanks Iraugusto + * checksec.sh: Fixed symbols count in csv + Thanks Iraugusto + * checksec.sh: Fixed RW-RPATH and RW-RUNPATH + Thanks Iraugusto + * checksec.sh: Added stack canaries generated by intel compiler + Thanks Xavier Brouckaert + * checksec.sh: Mute stat errors for non-existent 
directories + Thanks Iraugusto + * checksec.sh: Removed invalid json structures and duplicate kernel checks + * checksec.sh: fixed spaces in -d option + * checksec.sh: Added stack-protector-string check + Thanks scottellis + * checksec.sh: Add arm64 specific kernel checks + Thanks scottellis + * checksec.sh: Add REFCOUNT_FULL to kernel tests + Thanks scottellis + * checksec.sh: Remove OSX support Rev-2018012401 Brian Davis - * checksec.sh: Updated to 1.9.0 - * checksec.sh: made all kernel checks dependant on kernel version - * checksec.sh: moved man page to section 1 - * checksec.sh: fixed debug flag - * checksec.sh: resolved issue with -d - * checksec.sh: fixed stack protector on 4.18+ kernels - Thanks cheese - * checksec.sh: fixed runpath name in output - Thanks philipturnbull - * checksec.sh: updated readme for offline testing - Thanks matthew-l-weber + * checksec.sh: Updated to 1.9.0 + * checksec.sh: made all kernel checks dependant on kernel version + * checksec.sh: moved man page to section 1 + * checksec.sh: fixed debug flag + * checksec.sh: resolved issue with -d + * checksec.sh: fixed stack protector on 4.18+ kernels + Thanks cheese + * checksec.sh: fixed runpath name in output + Thanks philipturnbull + * checksec.sh: updated readme for offline testing + Thanks matthew-l-weber Rev-2018012401 Brian Davis - * checksec.sh: Updated to 1.8.0 - * checksec.sh: resolved issue with eu-readelf debug - * checksec.sh: shellcheck cleanup + * checksec.sh: Updated to 1.8.0 + * checksec.sh: resolved issue with eu-readelf debug + * checksec.sh: shellcheck cleanup Rev-2017080801 Brian Davis - * checksec.sh: Cleaned up if statements for proper bash expressions + * checksec.sh: Cleaned up if statements for proper bash expressions Rev-2016102701 Brian Davis - * checksec.sh: updated to 1.7.5 - * checksec.sh: added OSX support - Thanks Ben Actis - * checksec.sh: added space and underscore support - Thanks brianmwaters - * checksec.sh: cleaned up code formatting + * checksec.sh: 
updated to 1.7.5 + * checksec.sh: added OSX support + Thanks Ben Actis + * checksec.sh: added space and underscore support + Thanks brianmwaters + * checksec.sh: cleaned up code formatting Rev-2016022002 Brian Davis - * checksec.sh: updated to 1.7.4 - * checksec.sh: fixed man page - * checksec.sh: added pkg_release option to disable updates for packaged releases - * checksec.sh: cleanup up proc-libs + * checksec.sh: updated to 1.7.4 + * checksec.sh: fixed man page + * checksec.sh: added pkg_release option to disable updates for packaged releases + * checksec.sh: cleanup up proc-libs Rev-2016021501 Brian Davis - * checksec.sh: merged in zsh completion - Thanks Vaeth - * checksec.sh: added man page for checksec - * checksec.sh: updated readme to reflect output in place of format option + * checksec.sh: merged in zsh completion + Thanks Vaeth + * checksec.sh: added man page for checksec + * checksec.sh: updated readme to reflect output in place of format option Rev-2016021501 Brian Davis - * checksec.sh: updated to 1.7.3 - * checksec.sh: added xml and json validation tests - * checksec.sh: fixed xml and json errors from validation tests - * checksec.sh: expanded grsecurity checks and cleaned up formatting + * checksec.sh: updated to 1.7.3 + * checksec.sh: added xml and json validation tests + * checksec.sh: fixed xml and json errors from validation tests + * checksec.sh: expanded grsecurity checks and cleaned up formatting Rev-2016010502 Brian Davis - * checksec.sh: Added some extra debug output and started cleanup. + * checksec.sh: Added some extra debug output and started cleanup. Rev-2016010501 Brian Davis - * checksec.sh: Fixed sysctl path issue #20 - Thanks hartwork + * checksec.sh: Fixed sysctl path issue #20 + Thanks hartwork Rev-2015122201 Brian Davis - * checksec.sh: Merged in json fixes. - Thanks jpouellet + * checksec.sh: Merged in json fixes. 
+ Thanks jpouellet Rev-2015122101 Brian Davis - * checksec.sh: Merged in passing in command line kernel config, x86 fix and optional tools. - Thanks philippedeswert - * checksec.sh: split off mandatory tool from optional tools. - * checksec.sh: Updated to 1.7.1 - * checksec.sh: Added Seccomp tests from olivierlemoal. + * checksec.sh: Merged in passing in command line kernel config, x86 fix and optional tools. + Thanks philippedeswert + * checksec.sh: split off mandatory tool from optional tools. + * checksec.sh: Updated to 1.7.1 + * checksec.sh: Added Seccomp tests from olivierlemoal. Rev-2015102001 Brian Davis - * checksec.sh: Set static LC_ALL to resolve LANG errors. Resolves Ticket #13 - * checksec.sh: Merged in additional kernel options and arch specific options. Ticket #14 - Thanks philippedeswert - * checksec.sh: Updated to 1.7.0 to support revision releases. - * checksec.sh: put in checks to not display checks that are for different architectures. + * checksec.sh: Set static LC_ALL to resolve LANG errors. Resolves Ticket #13 + * checksec.sh: Merged in additional kernel options and arch specific options. Ticket #14 + Thanks philippedeswert + * checksec.sh: Updated to 1.7.0 to support revision releases. + * checksec.sh: put in checks to not display checks that are for different architectures. 
Rev-2015091505 Brian Davis - * checksec.sh: added additional debug output for troubleshooting purposes + * checksec.sh: added additional debug output for troubleshooting purposes Rev-2015091401 Brian Davis - * checksec.sh: added debug option for troubleshooting purposes + * checksec.sh: added debug option for troubleshooting purposes Rev-2015091301 Brian Davis - * checksec.sh: merged in changes for fedora/epel compliance - Thanks Besser82 - * checksec.sh: updated check binaries on run - Thanks Roberto Martelloni + * checksec.sh: merged in changes for fedora/epel compliance + Thanks Besser82 + * checksec.sh: updated check binaries on run + Thanks Roberto Martelloni Rev-2015060201 Brian Davis - * checksec.sh: merged in fortified/fortify-able stats on --file output changed - Thanks Roberto Martelloni + * checksec.sh: merged in fortified/fortify-able stats on --file output changed + Thanks Roberto Martelloni Rev-2015011201 Brian Davis - * checksec.sh: moved checksec.sh to checksec + * checksec.sh: moved checksec.sh to checksec Rev-2014021802 Brian Davis - * checksec.sh: merged in RODATA and STRICT_USER_COPY changes - Thanks N8Fear + * checksec.sh: merged in RODATA and STRICT_USER_COPY changes + Thanks N8Fear Rev-2014021801 Brian Davis - * checksec.sh: merged in JIT and MODHARDEN changes - Thanks N8Fear + * checksec.sh: merged in JIT and MODHARDEN changes + Thanks N8Fear Rev-2014021605 Brian Davis - * checksec.sh: Changed --update to verify signature of updates. - * checksec.sig: file added + * checksec.sh: Changed --update to verify signature of updates. + * checksec.sig: file added Rev-2014021601 Brian Davis - * checksec.sh: Removed deprecated Kern Heap section - Thanks Unspawn + * checksec.sh: Removed deprecated Kern Heap section + Thanks Unspawn 2014-02-14 Brian Davis - * checksec.sh: Updated to version 1.6 - * checksec.sh: Implemented rev numbers and --update option - * checksec.sh: Added SELinux checks as additional checks for kernel security. 
- * checksec.sh: Added update option to pull the latest release - * checksec.sh: Added fortify_source to proc-all output. - * checksec.sh: Added Json, strict XML and updated Grsecurity section. - * checksec.sh: Carried over Robin David's changes with XML and CSV. + * checksec.sh: Updated to version 1.6 + * checksec.sh: Implemented rev numbers and --update option + * checksec.sh: Added SELinux checks as additional checks for kernel security. + * checksec.sh: Added update option to pull the latest release + * checksec.sh: Added fortify_source to proc-all output. + * checksec.sh: Added Json, strict XML and updated Grsecurity section. + * checksec.sh: Carried over Robin David's changes with XML and CSV. 2013-10-06 Robin David - * add machine-readable outputs like CSV and XML + * add machine-readable outputs like CSV and XML 2011-11-17 Tobias Klein - * 1.5 - * New checks for rpath and runpath elements in the dynamic sections. - Thanks to Ollie Whitehouse. - * Other bugfixes and improvements - - checksec.sh now takes account of the KBUILD_OUTPUT - environment variable when checking the Linux kernel - protection mechanisms (--kernel). - Thanks to Martin Vaeth for the hint. - - Some minor changes and clean-ups. Thanks to Brian Davis. - - Ubuntu 11.10 support for --fortify-file and --fortify-proc. + * 1.5 + * New checks for rpath and runpath elements in the dynamic sections. + Thanks to Ollie Whitehouse. + * Other bugfixes and improvements + - checksec.sh now takes account of the KBUILD_OUTPUT + environment variable when checking the Linux kernel + protection mechanisms (--kernel). + Thanks to Martin Vaeth for the hint. + - Some minor changes and clean-ups. Thanks to Brian Davis. + - Ubuntu 11.10 support for --fortify-file and --fortify-proc. 
2011-01-14 Tobias Klein - * 1.4 + * 1.4 - * Support for FORTIFY_SOURCE (--fortify-file, --fortify-proc) + * Support for FORTIFY_SOURCE (--fortify-file, --fortify-proc) - * Lots of other bugfixes and improvements - - Check if the readelf command is available - - readelf support for 64-bit ELF files - - Check if the requested files and directories do exist - - '--dir' is now case-sensitive and correctly deals with - trailing slashes - - Check user permissions - - Etc. + * Lots of other bugfixes and improvements + - Check if the readelf command is available + - readelf support for 64-bit ELF files + - Check if the requested files and directories do exist + - '--dir' is now case-sensitive and correctly deals with + trailing slashes + - Check user permissions + - Etc. 2010-06-15 Tobias Klein - * 1.3.1 + * 1.3.1 - * New BSD License - (http://www.opensource.org/licenses/bsd-license.php) + * New BSD License + (http://www.opensource.org/licenses/bsd-license.php) 2010-05-04 Tobias Klein - * 1.3 - * Additional checks for a number of Linux kernel - protection mechanisms. - Thanks to Jon Oberheide (jon.oberheide.org). + * 1.3 + * Additional checks for a number of Linux kernel + protection mechanisms. + Thanks to Jon Oberheide (jon.oberheide.org). 2010-01-02 Tobias Klein - * 1.2 - * Additional PaX (http://pax.grsecurity.net/) checks. - Thanks to Brad Spengler (grsecurity.net) for the PaX - support. - * Some minor fixes (coloring adjusted, 'pidof' replacement) + * 1.2 + * Additional PaX (http://pax.grsecurity.net/) checks. + Thanks to Brad Spengler (grsecurity.net) for the PaX + support. + * Some minor fixes (coloring adjusted, 'pidof' replacement) 2009-12-27 Tobias Klein - * 1.1 - * New '--proc-libs' option. This option instructs - checksec.sh to test the loaded libraries of a process. - * Additional information on ASLR results (--proc, - -proc-all, --proc-libs) - Thanks to Anthony G. Basile of the Tin Hat project - for the hint. 
- * Additional CPU NX check (--proc, --proc-all, --proc-libs) + * 1.1 + * New '--proc-libs' option. This option instructs + checksec.sh to test the loaded libraries of a process. + * Additional information on ASLR results (--proc, + -proc-all, --proc-libs) + Thanks to Anthony G. Basile of the Tin Hat project + for the hint. + * Additional CPU NX check (--proc, --proc-all, --proc-libs) 2009-01-28 Tobias Klein - * 1.0 - * Initial release + * 1.0 + * Initial release diff --git a/README.md b/README.md index 2a42d21..95a2527 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ Updates - All options now require `--$option=$value` instead of `--$option $value` - --extended option now includes clang CFI and safe stack checks - Last Update: 2021-10-10 + Last Update: 2022-05-27 For OSX ------- diff --git a/checksec b/checksec index 3f7e866..4fc3c31 100755 --- a/checksec +++ b/checksec @@ -62,9 +62,9 @@ export LC_ALL="C" # version -SCRIPT_VERSION=2021101001 +SCRIPT_VERSION=2022052701 SCRIPT_MAJOR=2 -SCRIPT_MINOR=5 +SCRIPT_MINOR=6 SCRIPT_REVISION=0 # global vars diff --git a/checksec.sig b/checksec.sig index 47e6ba0..fed3f09 100644 Binary files a/checksec.sig and b/checksec.sig differ diff --git a/src/core.sh b/src/core.sh index e1afdf2..b08e3d6 100644 --- a/src/core.sh +++ b/src/core.sh @@ -6,9 +6,9 @@ export LC_ALL="C" # version -SCRIPT_VERSION=2021101001 +SCRIPT_VERSION=2022052701 SCRIPT_MAJOR=2 -SCRIPT_MINOR=5 +SCRIPT_MINOR=6 SCRIPT_REVISION=0 # global vars
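Review bot: In the ChangeLog hunk (`@@ -1,233 +1,241 @@`), every existing entry from Rev-2021101001 down to the 2009 1.0 release is removed and re-added with the same text, so the eight new lines of the Rev-2022052701 entry are buried in a whole-file rewrite. If the re-added lines differ only in leading whitespace, move that normalization into its own commit so the release commit shows just the new entry. The headers Rev-2019061301, Rev-2018012401 and Rev-2016021501 also each appear twice with different contents (for example, the 2.0.0 entry and the Clang CFI entry both sit under Rev-2019061301); this is carried over unchanged, but it leaves those revision ids ambiguous and is worth fixing while the file is being touched.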
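Review bot: In the README.md hunk (`@@ -11,7 +11,7 @@`) only `Last Update:` moves to 2022-05-27, while the Updates bullets shown as context still describe the `--$option=$value` syntax change and the `--extended` additions, and nothing mentions 2.6.0. Either add the 2.6.0 items listed in the ChangeLog (the Fedora sysctl fix, the LoongArch-64 libc path) or point readers to the ChangeLog, so the date is not the only part of the section that changes.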
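Review bot: The version block is bumped by hand in two files, `checksec` (`@@ -62,9 +62,9 @@`) and `src/core.sh` (`@@ -6,9 +6,9 @@`), with identical edits to `SCRIPT_VERSION` and `SCRIPT_MINOR`. Two hand-maintained copies will drift the first time one is missed. Since the 2.5.0 entry says checksec was split into multiple files, consider generating `checksec` from `src/` as part of the release step, or add a test that fails when `SCRIPT_VERSION`, `SCRIPT_MAJOR`, `SCRIPT_MINOR` and `SCRIPT_REVISION` differ between the two files.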
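Review bot: `checksec.sig` changes as an opaque binary (`Binary files a/checksec.sig and b/checksec.sig differ`) in the same commit that edits `checksec`, so nothing in the diff shows that the new signature was produced over the final contents of `checksec`. The ChangeLog records that `--update` verifies the signature of updates (Rev-2014021605), and a signature made before the version bump would fail that verification. Add a release or CI step that verifies `checksec.sig` against the committed `checksec`, and state in the commit message which key signed it so the signature can be checked independently.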