False negative on NX protection check
Tatsh opened this issue · comments
Issue
`checksec --kernel` incorrectly reports NX protection as Disabled.

The issue here seems to be that grepping `dmesg` is unreliable if, for example, netfilter is logging packets. One alternative would be to grep journald output on systemd machines.
```bash
if {
    (command_exists journalctl) && \
    [[ $(systemctl is-active systemd-journald) = 'active' ]] && \
    journalctl -b --grep '^NX \(Execute Disable\) protection: active$' >/dev/null
}; then
    # Output keys changed from the copied protect_symlinks line to NX ones;
    # the exact nx key names used by checksec's echo_message are assumed.
    echo_message "\033[32mEnabled\033[m\n" "Enabled," " nx='yes'" ', "nx":"yes"'
fi
```
Debug Report
***** Checksec debug *****
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
Linux limelight 5.8.0-gentoo-r1-limelight #3 SMP Tue Aug 4 06:49:29 EDT 2020 x86_64 Intel(R) Core(TM) i7-5930K CPU @ 3.50GHz GenuineIntel GNU/Linux
checksec version: 2.2.3 -- 2020070801
OS=Gentoo
VER=1
-rwxr-xr-x 1 root root 43656 Jun 10 20:54 /bin/cat
/bin/cat: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 4 Dec 3 2014 /usr/bin/awk -> gawk
-rwxr-xr-x 1 root root 646768 Jun 10 22:21 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 31200 Jun 10 20:10 /usr/sbin/sysctl
/usr/sbin/sysctl: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 15 Jun 10 20:54 /usr/bin/uname -> ../../bin/uname
-rwxr-xr-x 1 root root 39496 Jun 10 20:54 /bin/uname
/bin/uname: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 16 Jun 10 20:54 /usr/bin/mktemp -> ../../bin/mktemp
-rwxr-xr-x 1 root root 47792 Jun 10 20:54 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 739536 Jun 10 19:46 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 224336 Jun 10 22:01 /bin/grep
/bin/grep: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 84840 Jun 10 20:54 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 31488 Jun 28 12:32 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 312976 Jun 10 21:02 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 14 Jun 10 20:54 /usr/bin/head -> ../../bin/head
-rwxr-xr-x 1 root root 47720 Jun 10 20:54 /bin/head
/bin/head: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 138216 Jun 10 20:10 /bin/ps
/bin/ps: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 18 Jun 10 20:54 /usr/bin/readlink -> ../../bin/readlink
-rwxr-xr-x 1 root root 51760 Jun 10 20:54 /bin/readlink
/bin/readlink: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 18 Jun 10 20:54 /usr/bin/basename -> ../../bin/basename
-rwxr-xr-x 1 root root 39440 Jun 10 20:54 /bin/basename
/bin/basename: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 47752 Jun 10 20:54 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 31632 Jun 10 19:01 /usr/bin/which
/usr/bin/which: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 505392 Dec 4 2019 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 244768 Aug 5 21:27 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 27 Aug 1 02:02 /usr/bin/readelf -> x86_64-pc-linux-gnu-readelf
-rwxr-xr-x 1 root root 671048 Aug 1 02:01 /usr/x86_64-pc-linux-gnu/binutils-bin/2.34/readelf
/usr/x86_64-pc-linux-gnu/binutils-bin/2.34/readelf: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 553192 Jun 20 02:33 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3a17388b4a26b677691d9ebfdae5ca9d4906032a, for GNU/Linux 3.2.0, stripped
Command run to produce the error
checksec --kernel
OS version and Kernel version
Gentoo Linux
Kernel 5.8.0
Debug output
* Kernel protection information:
***function kernelcheck
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
Kernel config:
/proc/config.gz
Vanilla Kernel ASLR: Full
NX protection: ***function root_privs
Disabled
Protected symlinks: Enabled
Protected hardlinks: Enabled
Protected fifos: Enabled
Protected regular: Enabled
Ipv4 reverse path filtering: Enabled
Kernel heap randomization: Enabled
GCC stack protector support: Enabled
GCC stack protector strong: Enabled
GCC structleak plugin: Enabled
GCC structleak by ref plugin: Enabled
SLAB freelist randomization: Enabled
Virtually-mapped kernel stack: Enabled
Restrict /dev/mem access: Enabled
Restrict I/O access to /dev/mem: Enabled
Enforce read-only kernel data: Enabled
Enforce read-only module data: Enabled
Exec Shield: Unsupported
Hardened Usercopy: Enabled
Harden str/mem functions: Enabled
Restrict /dev/kmem access: Enabled
* X86 only:
Address space layout randomization: Enabled
* SELinux: No SELinux
SELinux infomation available here:
http://selinuxproject.org/
* grsecurity / PaX: No GRKERNSEC
The grsecurity / PaX patchset is available here:
http://grsecurity.net/
What's the output of `dmesg | grep -i nx`?
Normally it should match something like `[ 0.000000] NX (Execute Disable) protection: active`
```
# dmesg | grep -i nx
#
```
My dmesg consists of messages from logging netfilter. The buffer doesn't go on forever, and the NX message is gone.
```
# dmesg | head
[58589.822408] (output) IN= OUT=eno1 SRC=192.168.1.101 DST=255.255.255.255 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=13604 PROTO=UDP SPT=42170 DPT=5050 LEN=51
[58594.839517] (output) IN= OUT=eno1 SRC=192.168.1.101 DST=255.255.255.255 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=14803 PROTO=UDP SPT=42170 DPT=5050 LEN=51
```
However, journald retains all messages until it has to rotate which by default is a very long time.
I already proposed moving to the `nxcheck` function here, which is better and more reliable. AFAIK `grep` support in `journalctl` isn't ubiquitous; for example, Ubuntu added it only in 20.04.
I have a feeling that the `nxcheck` function could give a false positive since it's such a simple grep, even with `-w` passed. Maybe want to grep the `flags :` line first?
```bash
grep -E '^flags[^:]+' /proc/cpuinfo | grep -w nx
```
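The two concerns raised in this thread, a flooded ring buffer producing a false negative and a bare `grep nx` producing a false positive, can both be addressed by consulting more than one evidence source and only matching the relevant lines. The script below is an added example, not checksec's code; its function names (`nx_in_cpuinfo`, `nx_in_kernel_log`, `nx_verdict`, `nx_status`) and the sample inputs are constructed for illustration, and it assumes the kernel log line has exactly the wording shown earlier in this thread.

```shell
#!/bin/sh
# Added example (not checksec's code): a multi-source NX check that reports
# "Unknown" rather than "Disabled" when the only missing evidence is a
# boot message that has rotated out of the kernel ring buffer.

# Does the cpuinfo-formatted text on stdin list the nx CPU flag?
# Only the "flags" line is consulted, so an "nx" elsewhere (for example in
# a model name) cannot produce a false positive. -w keeps "nx" from matching
# a longer token.
nx_in_cpuinfo() {
    grep -E '^flags[[:space:]]*:' | grep -qw nx
}

# Does the kernel-log text on stdin carry the boot-time NX message?
# The optional group tolerates dmesg's "[    0.000000] " timestamp prefix as
# well as the prefix-less output of "journalctl -k -o cat".
nx_in_kernel_log() {
    grep -Eq '^(\[[[:space:]0-9.]+\] )?NX \(Execute Disable\) protection: active$'
}

# Combine the evidence. $1 and $2 are "yes"/"no" for the CPU flag and for
# the kernel log line. Prints Enabled, Disabled or Unknown.
nx_verdict() {
    cpu_nx="$1"
    log_active="$2"
    if [ "$cpu_nx" = no ]; then
        echo Disabled      # the CPU does not expose NX at all
    elif [ "$log_active" = yes ]; then
        echo Enabled       # the kernel confirmed it turned NX on
    else
        echo Unknown       # no log evidence either way; it may have rotated
    fi
}

# Gather evidence from the live system. "journalctl -k" reads the persisted
# kernel log, so a flood of netfilter messages does not hide the boot line;
# dmesg is the fallback where journald is absent.
nx_status() {
    cpu_nx=no
    log_active=no
    nx_in_cpuinfo < /proc/cpuinfo && cpu_nx=yes
    if command -v journalctl >/dev/null 2>&1 \
        && journalctl -k -b -o cat 2>/dev/null | nx_in_kernel_log; then
        log_active=yes
    elif dmesg 2>/dev/null | nx_in_kernel_log; then
        log_active=yes
    fi
    nx_verdict "$cpu_nx" "$log_active"
}

# Constructed sample inputs for exercising the parsers offline.
SAMPLE_CPUINFO='processor   : 0
model name  : Sample CPU with nx in its name
flags       : fpu vme de pse tsc msr pae nx lm'

# Same model name, but the flags line lacks nx: must not be a match.
SAMPLE_CPUINFO_NO_NX='processor   : 0
model name  : Sample CPU with nx in its name
flags       : fpu vme de pse tsc msr pae lm'

SAMPLE_LOG_BOOT='[    0.000000] NX (Execute Disable) protection: active'

# A ring buffer full of netfilter output, as in the report above.
SAMPLE_LOG_FLOODED='[58589.822408] (output) IN= OUT=eno1 SRC=192.168.1.101 DST=255.255.255.255 PROTO=UDP
[58594.839517] (output) IN= OUT=eno1 SRC=192.168.1.101 DST=255.255.255.255 PROTO=UDP'

# Set NX_CHECK_LIVE=1 to run the check against the real system.
if [ "${NX_CHECK_LIVE:-0}" = 1 ]; then
    nx_status
fi
```

Run with `NX_CHECK_LIVE=1 sh nx_check.sh` on a live host; without that variable the file only defines the functions and sample data. The point of the three-way verdict is that a scanner should not turn "I could not find the message" into "the protection is off": an absent boot line is a measurement gap, while an absent `nx` flag is positive evidence.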