diff --git "a/\345\256\211\345\205\250\346\265\213\350\257\225\345\267\245\345\205\267/check_sec/README" "b/\345\256\211\345\205\250\346\265\213\350\257\225\345\267\245\345\205\267/check_sec/README" index 257ae7c78d5090be64b01f0e25fe699f5f4195b3..a6b31bbf75e6c1ecdd90ffea9045191fe70780d5 100644 --- "a/\345\256\211\345\205\250\346\265\213\350\257\225\345\267\245\345\205\267/check_sec/README" +++ "b/\345\256\211\345\205\250\346\265\213\350\257\225\345\267\245\345\205\267/check_sec/README" @@ -11,10 +11,10 @@ checksec 3、检查某个目录 ./checksec --dir=/bin -4. 检查已安装的rpm包关联文件;待办:支持deb包 -./checksec --rpm=box-manager +4. 检查rpm/deb包的安装文件; +./checksec --app=box-manager -5. 检查rpm安装包文件(将rpm包上传到rpm_packages目录中,rpm_packages中不能有目录嵌套)。 待办:支持deb包检查,支持文件嵌套。 -./checksec --packages=./rpm_packages +5. 检查rpm/deb包文件(将软件包上传到packages目录中,packages中不能有目录嵌套)。 +./checksec --packages=./packages -6. 待办: 优化输出结果result.csv,根据配置规则自动识别不安全编译项; \ No newline at end of file +6. 待办: 优化输出结果result.csv,根据配置规则自动识别不安全编译项; diff --git "a/\345\256\211\345\205\250\346\265\213\350\257\225\345\267\245\345\205\267/check_sec/checksec" "b/\345\256\211\345\205\250\346\265\213\350\257\225\345\267\245\345\205\267/check_sec/checksec" index 7c2b5c3e1bd46eacb64aca4a2a0d1ca5a099698d..7a4ed97c4426376e5d97a9c5fd33af0caaa8c63d 100755 --- "a/\345\256\211\345\205\250\346\265\213\350\257\225\345\267\245\345\205\267/check_sec/checksec" +++ "b/\345\256\211\345\205\250\346\265\213\350\257\225\345\267\245\345\205\267/check_sec/checksec" @@ -72,7 +72,7 @@ fi # help help() { - echo "Usage: checksec [--format={cli,csv,xml,json}] [OPTION]" + echo "Usage: checksec [OPTION]" echo echo echo "Options:" @@ -104,15 +104,7 @@ if [[ $# -lt 1 ]]; then fi echo_message() { - if [[ ${format} == "csv" ]]; then - echo -n -e "$2" - elif [[ ${format} == "xml" ]]; then - echo -n -e "$3" - elif [[ ${format} == "json" ]]; then - echo -n -e "$4" - else #default to cli - echo -n -e "${1}" - fi + echo -n -e "${1}" } 
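Review bot: `echo -n -e "${1}"` interprets backslash escapes in whatever it is handed, and the callers in this commit now route file names through it (`echo_message "${N}\n"`, `echo_message "$file\n"`), so a file name inside a scanned package or directory that contains `\033[` or `\n` is rendered as terminal control sequences or a fake extra row instead of being printed verbatim. Since the csv/xml/json arguments are gone, the function could take a printf-style format plus data arguments, `echo_message() { printf -- "$1" "${@:2}"; }`, with callers passing names as `%s` data, e.g. `echo_message "\033[37;41m%s\033[m\n" "${N}"`. That keeps the colour escapes callers already embed in their first argument while leaving untrusted names uninterpreted; the existing single-argument calls keep working as long as their literal text contains no `%`, which none of the visible ones does.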
@@ -137,63 +129,63 @@ filecheck() { # check for RELRO support ${debug} && echo "***function filecheck->RELRO" if ${readelf} -l "${1}" 2>/dev/null | grep -q 'GNU_RELRO'; then - echo_message '\033[32mYES \033[m ' 'Full RELRO,' '> ./result.csv else - echo_message '\033[31mNO \033[m ' 'No RELRO,' '> ./result.csv fi if ${readelf} -d "${1}" 2>/dev/null | grep -q 'BIND_NOW'; then - echo_message '\033[32mYES \033[m ' 'Full RELRO,' '> ./result.csv else - echo_message '\033[31mNO \033[m ' 'Partial RELRO,' '> ./result.csv fi # check for stack canary support ${debug} && echo -e "\n***function filecheck->canary" if ${readelf} -s "${1}" 2>/dev/null | grep -Eq '__stack_chk_fail|__intel_security_cookie'; then - echo_message '\033[32mYES \033[m ' 'Canary found,' ' canary="yes"' '"canary":"yes",' + echo_message '\033[32mYES \033[m ' echo -n -e "YES," >> ./result.csv else - echo_message '\033[31mNO \033[m ' 'No Canary found,' ' canary="no"' '"canary":"no",' + echo_message '\033[31mNO \033[m ' echo -n -e "NO," >> ./result.csv fi # check for NX support ${debug} && echo -e "\n***function filecheck->nx" if ${readelf} -l "${1}" 2>/dev/null | grep -q 'GNU_STACK'; then if ${readelf} -l "${1}" 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then - echo_message '\033[31mNO \033[m ' 'NX disabled,' ' nx="no"' '"nx":"no",' + echo_message '\033[31mNO \033[m ' echo -n -e "NO," >> ./result.csv else - echo_message '\033[32mYES \033[m ' 'NX enabled,' ' nx="yes"' '"nx":"yes",' + echo_message '\033[32mYES \033[m ' echo -n -e "YES," >> ./result.csv fi else - echo_message '\033[31mNO \033[m ' 'NX disabled,' ' nx="no"' '"nx":"no",' + echo_message '\033[31mNO \033[m ' echo -n -e "NO," >> ./result.csv fi # check for PIE support ${debug} && echo -e "\n***function filecheck->pie" if ${readelf} -h "${1}" 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then - echo_message '\033[31mNO \033[m ' 'No PIE,' ' pie="no"' '"pie":"no",' + echo_message '\033[31mNO \033[m ' echo -n -e "NO," >> ./result.csv elif ${readelf} 
-h "${1}" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then if ${readelf} -d "${1}" 2>/dev/null | grep -q 'DEBUG'; then - echo_message '\033[32mYES \033[m ' 'PIE enabled,' ' pie="yes"' '"pie":"yes",' + echo_message '\033[32mYES \033[m ' echo -n -e "YES," >> ./result.csv else - echo_message '\033[33mDSO \033[m ' 'DSO,' ' pie="dso"' '"pie":"dso",' + echo_message '\033[33mDSO \033[m ' echo -n -e "DSO," >> ./result.csv fi elif ${readelf} -h "${1}" 2>/dev/null | grep -q 'Type:[[:space:]]*REL'; then - echo_message '\033[33mREL \033[m ' 'REL,' ' pie="rel"' '"pie":"rel",' + echo_message '\033[33mREL \033[m ' echo -n -e "REL," >> ./result.csv else - echo_message '\033[33mNot an ELF file\033[m ' 'Not an ELF file,' ' pie="not_elf"' '"pie":"not_elf",' + echo_message '\033[33mNot an ELF file\033[m ' echo -n -e "not_an_ELF," >> ./result.csv fi @@ -205,14 +197,14 @@ filecheck() { IFS=: read -r -a rpath_array <<< "$(${readelf} -d "${1}" 2>/dev/null | awk -F'[][]' '/RPATH/ {print $2}')" if [[ "${#rpath_array[@]}" -gt 0 ]]; then if xargs stat -c %A <<< "${rpath_array[*]}" 2>/dev/null | grep -q 'rw'; then - echo_message '\033[31mYES \033[m ' 'RPATH,' ' rpath="yes"' '"rpath":"yes",' + echo_message '\033[31mYES \033[m ' echo -n -e "YES," >> ./result.csv else - echo_message '\033[32mNO \033[m ' 'RPATH,' ' rpath="no"' '"rpath":"no",' + echo_message '\033[32mNO \033[m ' echo -n -e "NO," >> ./result.csv fi else - echo_message '\033[32mNO \033[m ' 'No RPATH,' ' rpath="no"' '"rpath":"no",' + echo_message '\033[32mNO \033[m ' echo -n -e "NO," >> ./result.csv fi 
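Review bot: The red `YES` this hunk prints for RPATH fires whenever any RPATH directory merely exists: `stat -c %A` yields strings like `drwxr-xr-x`, and `grep -q 'rw'` matches the owner bits on almost every directory, so the writable-path check it is meant to be never distinguishes `/usr/lib` from `/tmp`. If the intent is world-writable search paths, test the other-write bit instead, `grep -Eq '^.{8}w'` (or `stat -c %a` and `(( mode & 2 ))`), and note that `xargs <<< "${rpath_array[*]}"` splits on spaces inside paths. Only `RPATH` is extracted by the awk filter; a toolchain configured with `--enable-new-dtags` emits `DT_RUNPATH` instead, which would get a green `NO` here for the same writable path, so `'/RPATH|RUNPATH/'` is worth considering. The `filecheck` body continues outside this hunk.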
@@ -220,10 +212,10 @@ filecheck() { # check for stripped symbols in the binary IFS=" " read -r -a SYM_cnt <<< "$(${readelf} --symbols "${1}" 2>/dev/null | grep '\.symtab' | cut -d' ' -f5 | cut -d: -f1))" if ${readelf} --symbols "${1}" 2>/dev/null | grep -q '\.symtab'; then - echo_message "\033[31m${SYM_cnt[0]} NO \t\033[m " 'Symbols,' ' symbols="yes"' '"symbols":"yes",' + echo_message "\033[31m${SYM_cnt[0]} NO \t\033[m " 'Symbols,' echo -n -e "NO," >> ./result.csv else - echo_message '\033[32m YES \t\033[m ' 'No Symbols,' ' symbols="no"' '"symbols":"no",' + echo_message '\033[32m YES \t\033[m ' echo -n -e "YES," >> ./result.csv fi @@ -261,22 +253,21 @@ filecheck() { FS_cnt_total=$((FS_cnt_unchecked+FS_cnt_checked)) if grep -q '_chk$' <<<"$FS_functions"; then - echo_message '\033[32mYES \033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",' + echo_message '\033[32mYES \033[m' echo -n -e "YES," >> ./result.csv else - echo_message "\033[31mNO \033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",' + echo_message '\033[31mNO \033[m' echo -n -e "NO," >> ./result.csv fi #echo_message "\t${FS_cnt_checked}\t" "${FS_cnt_checked}", "fortified=\"${FS_cnt_checked}\" " "\"fortified\":\"${FS_cnt_checked}\"," #echo_message "\t${FS_cnt_total}\t\t" "${FS_cnt_total}" "fortify-able=\"${FS_cnt_total}\"" "\"fortify-able\":\"${FS_cnt_total}\"" if ${readelf} --dyn-syms "${1}"|grep -q 'abort';then - echo_message '\033[32mYES \033[m' 'Yes,' ' ftrapv="yes" ' '"ftrapv":"yes",' + echo_message '\033[32mYES \033[m' echo -n -e "YES," >> ./result.csv else - echo_message "\033[31mNO \033[m" "No," ' ftrapv="no" ' '"ftrapv":"no",' + echo_message '\033[31mNO \033[m' echo -n -e "NO," >> ./result.csv fi - echo -n -e "${1}" } chk_dir () { @@ -308,7 +299,7 @@ chk_dir () { fi done < <(find "${tempdir}" -type f 2>/dev/null) if [[ $fdirtotal -gt 0 ]]; then - echo_message "" "" "" "," + echo_message "" fi while read -r N; do if [[ "${N}" != "[A-Za-z1-0]*" ]]; then 
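Review bot: The unstripped branch still passes a second argument, `'Symbols,'`, to `echo_message` although the commit reduced that function to printing `$1` only; every other call site in the commit was trimmed to one argument, so this is a leftover that now does nothing. Drop it: `echo_message "\033[31m${SYM_cnt[0]} NO \t\033[m "`. On the preceding context line the trailing `)` in `cut -d: -f1))"` sits outside the `$(...)` and becomes a literal character in the word list read into `SYM_cnt`; it is harmless for `SYM_cnt[0]` when `.symtab` is present, but it looks like a typo worth confirming. The enclosing `filecheck` body starts before this hunk.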
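Review bot: The `Ftrapv` column written here reports `YES` whenever `readelf --dyn-syms` lists any symbol containing `abort`, but `abort` is imported by any program that uses `assert()` or the C++ runtime, so the column does not evidence `-ftrapv` and will read as a pass for most binaries. If I recall correctly, GCC's `-ftrapv` routes overflow through libgcc helpers such as `__addvdi3`/`__mulvdi3` before calling `abort`, which would be a more specific signal in the symbol table but disappears once the binary is stripped, so there may be no reliable static test at all. Either way the limitation should be stated next to the check, e.g. `# heuristic: abort() import only; cannot prove -ftrapv`, or the column dropped from result.csv so it is not read as evidence. The `filecheck` body starts before this hunk.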
@@ -320,25 +311,25 @@ chk_dir () { out=$(file "$(readlink -f "${N}")") if [[ ! ${out} =~ ELF ]] ; then if [[ "${verbose}" = "true" ]] ; then - echo_message "\033[34m*** Not an ELF file: ${tempdir}/" "" "" "" + echo_message "\033[34m*** Not an ELF file: ${tempdir}/" file "${N}" - echo_message "\033[m" "" "" "" + echo_message "\033[m" fi else (( fdircount++ )) - echo_message "" "" " " "" + echo_message "" filecheck "${N}" if [[ "$(find "${N}" \( -perm -004000 -o -perm -002000 \) -type f -print)" ]]; then - echo_message "\033[37;41m${N}\033[m\n" ",${N}\n" " filename='${N}' />\n" ", \"filename\":\"${N}\"}" + echo_message '\033[37;41m${N}\033[m\n' echo -n -e "\n" >> ./result.csv else - echo_message "${N}\n" ",${N}\n" " filename='${N}' />\n" ", \"filename\":\"${N}\"}" + echo_message "${N}\n" echo -n -e "\n" >> ./result.csv fi if [[ "${fdircount}" == "${fdirtotal}" ]]; then - echo_message "" "" "" "" + echo_message "" else - echo_message "" "" "" "," + echo_message "" fi fi fi @@ -373,17 +364,17 @@ chk_file () { exit 1 fi if ${extended_checks}; then - echo_message "RELRO BIND_NOW STACK CANARY NX PIE SELFRANDO Clang CFI SafeStack RPATH RUNPATH\tSymbols\t\tFORTIFY\tFortified\tFortifiable\tFILE\n" '' '' '{' + echo_message "RELRO BIND_NOW STACK CANARY NX PIE SELFRANDO Clang CFI SafeStack RPATH RUNPATH\tSymbols\t\tFORTIFY\tFortified\tFortifiable\tFILE\n" else echo_message "RELRO BIND_NOW SP NX PIE RPATH Strip FORTIFY Ftrapv FILE\n" echo 'FILE,RELRO,BIND_NOW,SP,NX,PIE,RPATH,Strip,FORTIFY,Ftrapv' > ./result.csv fi filecheck "${CHK_FILE}" if [[ "$(find "${CHK_FILE}" \( -perm -004000 -o -perm -002000 \) -type f -print)" ]] ; then - echo_message "\033[37;41m${CHK_FILE}\033[m\n" ",${CHK_FILE}\n" " filename='${CHK_FILE}'/>\n" " } }" + echo_message "\033[37;41m${CHK_FILE}\033[m\n" echo -n -e "${N}\n" >> ./result.csv else - echo_message "${CHK_FILE}\n" ",${CHK_FILE}\n" " filename='${CHK_FILE}'/>\n" " } }" + echo_message "${CHK_FILE}\n" echo -n -e "${N}\n" >> ./result.csv fi } 
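Review bot: The setuid/setgid branch now uses single quotes, `echo_message '\033[37;41m${N}\033[m\n'`, so the file name is no longer expanded and every privileged binary found under `--dir` is printed as the literal text `${N}` on a red background; the removed line and the non-privileged `else` branch both use double quotes. These are exactly the files a reviewer wants to identify, so restore `echo_message "\033[37;41m${N}\033[m\n"`. The `chk_dir` loop this sits in starts and ends outside the hunk.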
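Review bot: Both branches append `${N}` to result.csv, but `N` is the loop variable of `chk_dir`, not anything `chk_file` sets, so the trailing field is empty (or a stale name if `chk_dir` ran earlier), whereas `chk_dir` and `chk_filelist` append only `\n` after `filecheck`. Use `echo -n -e "\n" >> ./result.csv` in both places, or `"${CHK_FILE}\n"` if the name really belongs at the end; the header written just above puts `FILE` first, so I assume `filecheck` already writes the name at the start of the row (its opening lines are not in this diff). File names also go into the CSV unescaped, so a name containing a comma, a quote or a leading `=` from a scanned package will shift columns or be evaluated as a formula by a spreadsheet; quoting the field is worth considering.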
@@ -396,10 +387,10 @@ function chk_filelist(){ # CHK_FILE=$file filecheck $file if [[ "$(find "$file" \( -perm -004000 -o -perm -002000 \) -type f -print)" ]]; then - echo_message "\033[37;41m${N}\033[m\n" ",$file\n" " filename='$file' />\n" ", \"filename\":\"${N}\"}" + echo_message "\033[37;41m${N}\033[m\n" echo -n -e "\n" >> ./result.csv else - echo_message "$file\n" ",$file\n" " filename='$file' />\n" ", \"filename\":\"$file\"}" + echo_message "$file\n" echo -n -e "\n" >> ./result.csv fi #chk_file @@ -407,19 +398,34 @@ function chk_filelist(){ done } -function chk_rpm(){ +function chk_app(){ echo 'FILE,RELRO,BIND_NOW,SP,NX,PIE,RPATH,Strip,FORTIFY,Ftrapv' > ./result.csv echo_message "RELRO BIND_NOW SP NX PIE RPATH Strip FORTIFY Ftrapv FILE\n" - for file in `rpm -ql ${CHK_RPM}` - do - out=$(file "$(readlink -f "${file}")") - if [[ ! ${out} =~ ELF ]] ; then - continue - fi - filecheck $file - echo "" - echo -n -e "\n" >> ./result.csv - done + oskey=`cat /etc/issue | grep Kylin` + if [ -n "$oskey" ] ; then + for file in `dpkg -L ${CHK_RPM}` + do + out=$(file "$(readlink -f "${file}")") + if [[ ! ${out} =~ ELF ]] ; then + continue + fi + filecheck $file + echo -n -e "$file\n" + echo "" + echo -n -e "\n" >> ./result.csv + done + else + for file in `rpm -ql ${CHK_RPM}` + do + out=$(file "$(readlink -f "${file}")") + if [[ ! ${out} =~ ELF ]] ; then + continue + fi + filecheck $file + echo "$file" + echo -n -e "\n" >> ./result.csv + done + fi } function chk_pkgs(){ 
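Review bot: In the setuid/setgid branch the name printed is `${N}` while the loop variable is `$file` (the `else` branch prints `$file`); `N` is not set in `chk_filelist`, so privileged binaries from the list are shown with an empty or stale name on the red background, the one case where the name matters most. Change it to `echo_message "\033[37;41m${file}\033[m\n"`. The `filecheck $file` and `find "$file"` calls above also leave `$file` unquoted in one of the two, so a list entry with spaces is split into several paths. The enclosing `chk_filelist` loop begins before this hunk.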
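Review bot: Choosing `dpkg` over `rpm` by `grep Kylin` on `/etc/issue` is fragile: `/etc/issue` is a free-form login banner that administrators routinely edit, and it says nothing about which package database the host has, so a plain Debian/Ubuntu box takes the `rpm -ql` branch and an rpm-based Kylin build (if such variants exist; I am not certain) takes the `dpkg -L` branch. Detecting the tool and the package is more robust: `if command -v dpkg >/dev/null 2>&1 && dpkg -s "${CHK_RPM}" >/dev/null 2>&1; then`. Both branches also word-split the file list (`for file in \`dpkg -L ${CHK_RPM}\``) and leave `${CHK_RPM}` unquoted; a `while IFS= read -r file; do … done < <(dpkg -L "${CHK_RPM}")` loop keeps names with spaces intact. The two branches print the name differently (`echo -n -e "$file\n"; echo ""` versus `echo "$file"`), which is worth unifying.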
@@ -429,18 +435,24 @@ function chk_pkgs(){ for line in `ls *` do - echo ${line##*.} if [ ${line##*.} = "rpm" ] ; then mkdir ${line%.*} - mv $line ${line%.*} + cp $line ${line%.*} cd ${line%.*} rpm2cpio *rpm | cpio -div 1>/dev/null 2>&1 cd .. + elif [ ${line##*.} = "deb" ] ; then + mkdir ${line%.*} + cp $line ${line%.*} + dpkg -x $line . 1>/dev/null 2>&1 + cd .. fi done cd $curdir CHK_DIR=${CHK_PKGS} chk_dir + cd $CHK_PKGS + find . -maxdepth 1 -type d -exec rm -rf {} \; 1>/dev/null 2>&1; # # # for file in `rpm -ql ${CHK_RPM}` @@ -466,10 +478,6 @@ while getopts "${optspec}" optchar; do help exit 0 ;; - format=*|output=*) - output_format=${OPTARG#*=} - format - ;; dir=*|dir) CHK_DIR=${OPTARG#*=}; OPT=$((OPT + 1)) @@ -485,10 +493,10 @@ while getopts "${optspec}" optchar; do OPT=$((OPT + 1)) CHK_FUNCTION="chk_filelist" ;; - rpm=*|rpm) + app=*|app) CHK_RPM=${OPTARG#*=}; OPT=$((OPT + 1)) - CHK_FUNCTION="chk_rpm" + CHK_FUNCTION="chk_app" ;; packages=*|packages) CHK_PKGS=${OPTARG#*=}; diff --git "a/\345\256\211\345\205\250\346\265\213\350\257\225\347\224\250\344\276\213\345\272\223/.~\344\272\247\345\223\201\345\256\211\345\205\250\346\265\213\350\257\225\347\224\250\344\276\213.xlsx" "b/\345\256\211\345\205\250\346\265\213\350\257\225\347\224\250\344\276\213\345\272\223/.~\344\272\247\345\223\201\345\256\211\345\205\250\346\265\213\350\257\225\347\224\250\344\276\213.xlsx" deleted file mode 100644 index f2a79fcfc4060fbf06eff0cddf30acae44db61eb..0000000000000000000000000000000000000000 Binary files "a/\345\256\211\345\205\250\346\265\213\350\257\225\347\224\250\344\276\213\345\272\223/.~\344\272\247\345\223\201\345\256\211\345\205\250\346\265\213\350\257\225\347\224\250\344\276\213.xlsx" and /dev/null differ
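Review bot: The new `.deb` branch extracts into the wrong place and then leaves the packages directory: `dpkg -x $line .` unpacks into the current directory (the packages folder itself, not `${line%.*}`, which is only created and given a copy of the archive), and the following `cd ..`, which in the rpm branch undoes a `cd ${line%.*}` this branch never did, moves the shell out of `$CHK_PKGS`, so later loop iterations and the later relative `cd $CHK_PKGS` operate on the wrong tree. The cleanup `find . -maxdepth 1 -type d -exec rm -rf {} \;` also matches `.` itself (only coreutils' refusal to remove `.` saves the directory, and that error is hidden by `2>/dev/null`), and because `cd $CHK_PKGS` is unchecked, a failed cd would run that `rm -rf` over every subdirectory of the caller's working directory. Extract each deb into its own directory, guard the cd, and limit the removal to real subdirectories; the archives are untrusted input, so checking the extractor's exit status instead of discarding it (and `--no-absolute-filenames` for cpio) is worth adding as well. The `chk_pkgs` function begins before this hunk.
```shell
    elif [ "${line##*.}" = "deb" ] ; then
      mkdir -p -- "${line%.*}"
      dpkg -x "$line" "${line%.*}" >/dev/null 2>&1 || echo "extract failed: $line" >&2
    fi
  done
  # … unchanged: cd $curdir, CHK_DIR=${CHK_PKGS}, chk_dir …
  cd "${CHK_PKGS:?}" || return 1
  find . -mindepth 1 -maxdepth 1 -type d -exec rm -rf -- {} +
```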