checksec - Man Page

check executables and kernel properties

Examples (TL;DR)

Synopsis

checksec[--options] [file]

Description

checksec is a bash script used to check the properties of executables (like PIE, RELRO, PaX, Canaries, ASLR, Fortify Source), library calls (Fortify Source), and kernel security options (like GRSecurity and SELinux).

Options

Options specifying input and action:

--file=filename

Checks individual files for security features compiled into the executable

--dir=directory

Recursively checks all executable files in the directory for security features compiled into the executables

--listfile=listfile

Check all files specified in a newline-separeted text file for security features compiled into the executable

--proc=pid

Checks the security features of a running process by name

--proc-all

Checks the security features of all running processes

--proc-libs

Checks the security features of the all libraries of a running process ID

--kernel[=config]

Checks the security features of the running kernel or a specified kernel config

--fortify-file=filename

Checks for the use of fortifiable and fortified library functions in a file

--fortify-proc=pid

Checks for the use of fortifiable and fortified library functions in a running process

Options modifying behavior:

--debug

Enable debug-level output.

--extended

Check for additional security features (e.g. Clang CFI, SafeStack)

--libcfile=path

Specify the libc file path or a search path

--output=(cli|csv|xml|json), or --format=(cli|csv|xml|json)

Output the results in different formats for ingestion to other applications.

--trace

Enable bash tracing (set -x).

Miscellaneous options:

--debug_report

Generate a system report and exit.

-h or --help

Displays the help text and exit

--update or --upgrade

Checks source for a signed update and updates the application if available and exit

--version

Shows the current version of the running software and exit

Diagnostics

The following diagnostics may be issued on stderr:

Permission Denied.

For most of the checks you must be root.

See Also

hardening-check(1), feature_test_macros(7), gcc(1), ld(1)

History

checksec was originally written by Tobias Klein. This version is expanded and maintained by Brian Davis <slimm609@gmail.com>

Info

March 2023