First impression checksec-go

Open teoberi opened this issue 1 year ago • 5 comments

There are small differences in the options, for example: ./checksec --file=/usr/bin/ssh vs ./main file /usr/bin/ssh. The variant for Golang seems to me not very intuitive, that is:

  1. missing "--" or at least "-" for options;
  2. missing "=" between the option and the path to the file.

Is ASCII Art Generator for checksec a bit too big?

RELRO and FORTIFY still differ between the two versions. I only checked for /usr/bin/ssh

teoberi avatar Jun 19 '24 07:06 teoberi

This is a difference between using cobra as part of golang which makes several things much easier including shell completion so this will be a difference between the 2.

slimm609 avatar Jun 23 '24 19:06 slimm609

RELRO is partially broken at the moment (and listed in the README as broken) but FORTIFY should be pretty accurate. The count will be off a bit due to some difference in available functions but it should be more accurate. https://github.com/slimm609/checksec.sh/blob/main/pkg/checksec/fortify.go#L33 lists only functions that can actually be fortified. I have not backported this to the bash version since this is intended to replace it.

slimm609 avatar Jun 23 '24 19:06 slimm609
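
Added example (not checksec's own code) for the comment above: how Fortified/Fortifiable counts change with the list of functions the tool treats as fortifiable. The names `FortifyCounts` and `ImportNames`, the sample import list, both sets, and the counting rule (fortifiable = checked imports plus unchecked imports on the list) are assumptions made for illustration.

```go
package main

import (
	"debug/elf"
	"fmt"
	"strings"
)

// FortifyCounts returns (fortified, fortifiable) for imported symbol names.
// "set" holds the base names treated as fortifiable (assumption of this example).
func FortifyCounts(imports []string, set map[string]bool) (fortified, fortifiable int) {
	for _, name := range imports {
		if strings.HasPrefix(name, "__") && strings.HasSuffix(name, "_chk") {
			base := strings.TrimSuffix(strings.TrimPrefix(name, "__"), "_chk")
			if set[base] { // __memcpy_chk -> memcpy; __stack_chk_fail never matches
				fortified++
				fortifiable++
			}
		} else if set[name] {
			fortifiable++ // plain call that has a checked variant
		}
	}
	return fortified, fortifiable
}

// ImportNames reads the dynamic imports of an ELF file with debug/elf.
func ImportNames(path string) ([]string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	syms, err := f.ImportedSymbols()
	var names []string
	for _, s := range syms {
		names = append(names, s.Name)
	}
	return names, err
}

func main() {
	// Constructed data; use ImportNames(path) instead for a real binary.
	imports := []string{"__memcpy_chk", "strcpy", "__stack_chk_fail", "printf", "__sprintf_chk"}
	wide := map[string]bool{"memcpy": true, "strcpy": true, "sprintf": true}
	narrow := map[string]bool{"memcpy": true}
	fmt.Println(FortifyCounts(imports, wide))   // 2 3
	fmt.Println(FortifyCounts(imports, narrow)) // 1 1
}
```

The same import list yields different totals under the two sets, which is why two tools with different function lists report different counts for one binary.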

RELRO is fixed in https://github.com/slimm609/checksec.sh/pull/253

slimm609 avatar Jun 23 '24 23:06 slimm609

I will test the changes! You tried checksec ascii art in the combination of green writing on a black background? It looks more effective and inspires confidence.

I compiled it statically with the command: go build -tags osusergo,netgo main.go but the file size is 6.8 M

teoberi avatar Jun 24 '24 08:06 teoberi

I changed the color to green in the latest MR. The file size will be larger because it is a static binary that doesn't require any external dependencies. This means it does need to include all libraries needed to perform the scans. However, today you need to install many more dependencies, and it requires bash and multiple packages that are no longer needed with the golang release.

slimm609 avatar Jun 30 '24 23:06 slimm609

@slimm609 any ETA for the Golang version?

teoberi avatar Dec 09 '24 17:12 teoberi

I have been fighting with brew bottles to get it working as part of the release but I think I am going to pause that and just get it released. I will try to finish this week

slimm609 avatar Dec 09 '24 17:12 slimm609

Glad to know that, I rely on checksec when compiling Linux packages and I do this quite often.

teoberi avatar Dec 09 '24 18:12 teoberi

3.0.0 has been released.

slimm609 avatar Dec 16 '24 00:12 slimm609

I come back with some clarification requests (exposed in the first post of this thread). There is a good reason or technical limitation why:

  1. the options lost "--" and "=", for example ./checksec --file=/usr/bin/ssh became ./checksec file /usr/bin/ssh, not very intuitive.
  2. ./checksec --proc-all became ./checksec procAll, capital letter creates a typing problem. Likewise:
     --fortify-file= -> fortifyFile
     --fortify-proc= -> fortifyProc

These changes don't seem to me to be in the way of Linux.

teoberi avatar Dec 16 '24 19:12 teoberi

checksec file asmc

Warning: Dynamic Binary found but missing libc. Fortify results will be skipped
RELRO       Stack Canary     NX          PIE          RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  Name
Full RELRO  No Canary Found  NX enabled  PIE Enabled  No RPATH  No RUNPATH  No Symbols  N/A      0          0            asmc

Source file: https://github.com/nidud/asmc_linux

teoberi avatar Dec 20 '24 10:12 teoberi

@slimm609 FYI I've been maintaining Bash-based checksec 2.x.x in Gentoo but am not at home in the Golang ecosystem enough to be a good maintainer of Go-based >=3.0.0 and so have reached out to fellow Gentoo developers to find someone taking over a Golang-remake of the Gentoo package for >=3.0.0 at https://bugs.gentoo.org/946784 and also via mailing list gentoo-dev at https://public-inbox.gentoo.org/gentoo-dev/[email protected]/T/#u . All the best for checksec 3! :pray:

hartwork avatar Dec 21 '24 14:12 hartwork

Can you share details for the code that builds the package that exists now? I am not familiar with the gentoo build process but it should be fairly easy to adapt and can see what I can do to help

slimm609 avatar Dec 21 '24 14:12 slimm609

@slimm609 the hard part is the Golang dependencies, so the ebuild targeting the Bash version will likely not help much with the actual task (but it's at https://gitweb.gentoo.org/repo/gentoo.git/tree/app-admin/checksec/checksec-2.7.1-r1.ebuild if you're curious, still).

hartwork avatar Dec 21 '24 14:12 hartwork

@hartwork yea, I understand. I wasn't familiar with the gentoo sources but kubectx (https://gitweb.gentoo.org/repo/gentoo.git/tree/app-admin/kubectx/kubectx-0.9.4.ebuild) is a similar process to build as the new golang checksec

slimm609 avatar Dec 21 '24 14:12 slimm609

@slimm609 kubectx-0.9.4.ebuild may look easy but there is a deps tarball (line 10) involved and so on. It will need someone at home with the matter to produce a high quality ebuild and be a good maintainer.

hartwork avatar Dec 21 '24 15:12 hartwork