checksec FORTIFY detection (proccheck) again #244
Conversation
Added detailed results for Fortify: 'N/A', 'Partial'
Add cases for 'N/A' and 'Partial'
Generating test files for Fortify (nolibc*, fszero*)
NASM can be added or I can add the object files (.o), i.e. nolibc.o and nolibc32.o generated with the commands: I would still prefer the addition of NASM instead of the .o binary files that contain the machine code. |
Required if NASM assembler is not installed.
|
If the addition of missing object files is accepted, does it go through a Draft pull requests? |
The Dockerfiles are not generated, its only the checksec script itself that is generated. The formatting/linters apply to all files though |
|
So can NASM be installed or do I add the object files generated by me with NASM? |
|
yes, please add it to the test dockerfiles |
Add files via upload *.o (object files)
…r installation. Installing the NASM assembler leads to the regeneration of the object files (.o) from the .asm sources
…ec.sh into Fortify_proccheck Fetching changes from remote repository (Fortify_proccheck) for object files (.o)
There was a problem hiding this comment.
Do these .o files need included? Wouldn't these be compiled by nasm?
There was a problem hiding this comment.
There are two variants:
- NASM is installed together with the other packages for ubuntu checksec + photon checksec, otherwise an error occurs due to the lack of the 2 files;
- NASM is not installed and the two files are delivered to pass the tests.
If the two files are delivered but NASM is also installed, the files are overwritten, as I explained in the post here and here.
I know from experience in other open-source projects that in general binary files are not accepted in the source code but should be generated. Without installing NASM I have no way to do this, that's why I added them.
I asked in the first post after the description for Pull requests if NASM can be installed or if I should add the object files.
There was a problem hiding this comment.
Can be added:
nasm binutils
in the docker unbuntu and photon configuration files?
https://github.com/slimm609/checksec.sh/blob/9a7f5353af5ab714abb91c1d4aecfc10ce3af8e4/Dockerfile.ubuntu#L8
gcc clang gcc-multilib nasm binutils && apt-get clean \
https://github.com/slimm609/checksec.sh/blob/9a7f5353af5ab714abb91c1d4aecfc10ce3af8e4/Dockerfile.photon#L7
findutils gzip file which libxml2 python3 python3-pip jq clang nasm binutils && \
There was a problem hiding this comment.
We can add nasm to the images, thats just fine. The Dockerfile.photon and Dockerfile.ubuntu are only used for testing and not shipped as part of the checksec docker image. Anything added to those 2 images is fine
There was a problem hiding this comment.
I will do that. If it will be OK, I will make a new Pull Requests, this is a bit messy.
Added detailed results for Fortify: 'N/A', 'Partial' in src/functions/proccheck.sh
Add cases for 'N/A' and 'Partial' in tests/hardening-checks.sh ('# process checks' section)
Update build_binaries.sh ('# Fortify source' section)
Change test files for Fortify
Fix for #241