checksec - Man Page
check executables and kernel properties
Examples (TL;DR)
List security properties of an executable binary file:
checksec --file=path/to/binary
Recursively list security properties of all executable files in a directory:
checksec --dir=path/to/directory
List security properties of a process:
checksec --proc=pid
List security properties of the running kernel:
checksec --kernel
Synopsis
checksec [--options] [file]
Description
checksec is a bash script used to check the properties of executables (like PIE, RELRO, PaX, Canaries, ASLR, Fortify Source), library calls (Fortify Source), and kernel security options (like GRSecurity and SELinux).
Options
Options specifying input and action:
- --file=filename
Checks individual files for security features compiled into the executable
- --dir=directory
Recursively checks all executable files in the directory for security features compiled into the executables
- --listfile=listfile
Checks all files specified in a newline-separated text file for security features compiled into the executables
- --proc=pid
Checks the security features of a running process by name
- --proc-all
Checks the security features of all running processes
- --proc-libs
Checks the security features of all the libraries of a running process ID
- --kernel[=config]
Checks the security features of the running kernel or a specified kernel config
- --fortify-file=filename
Checks for the use of fortifiable and fortified library functions in a file
- --fortify-proc=pid
Checks for the use of fortifiable and fortified library functions in a running process
Options modifying behavior:
- --debug
Enable debug-level output.
- --extended
Check for additional security features (e.g. Clang CFI, SafeStack)
- --libcfile=path
Specify the libc file path or a search path
- --output=(cli|csv|xml|json), or --format=(cli|csv|xml|json)
Output the results in different formats for ingestion to other applications.
- --trace
Enable bash tracing (set -x).
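A policy gate that consumes the --output=json mode listed above, as an added example (not part of checksec or of this man page). The JSON key names and values (relro, canary, pie, fortify_source; "full", "yes", "dso"), the "dir" metadata entry and the sample report are assumptions constructed for illustration; compare them with what your checksec version emits.

```python
import json
import sys

# Assumed report shape (not taken from the man page): one object per file
# path, each with lowercase property keys and short string values.
POLICY = {
    "relro": {"full"},
    "canary": {"yes"},
    "pie": {"yes", "dso"},
    "fortify_source": {"yes"},
}

def audit(report_text, policy=POLICY):
    """Return {path: [findings]} for every binary that violates the policy."""
    report = json.loads(report_text)
    failures = {}
    for path, props in report.items():
        # Skip metadata entries that carry none of the checked properties.
        if not isinstance(props, dict) or not policy.keys() & props.keys():
            continue
        findings = []
        for key, accepted in policy.items():
            # Fail closed: a property absent from the report counts as a finding.
            value = str(props.get(key, "missing")).lower()
            if value not in accepted:
                findings.append(f"{key}={value}")
        if findings:
            failures[path] = findings
    return failures

# Constructed sample report, not captured from a real checksec run.
SAMPLE = json.dumps({
    "dir": {"name": "/opt/app/bin"},
    "/opt/app/bin/server": {"relro": "full", "canary": "yes",
                            "pie": "yes", "fortify_source": "yes"},
    "/opt/app/bin/legacy": {"relro": "partial", "canary": "no",
                            "pie": "no", "fortify_source": "no"},
    "/opt/app/bin/plugin.so": {"relro": "full", "canary": "yes", "pie": "dso"},
})

if __name__ == "__main__":
    # Read a report from a pipe if one is given, else use the sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    failures = audit(piped.strip() or SAMPLE)
    for path, findings in failures.items():
        print(f"FAIL {path}: {', '.join(findings)}")
    sys.exit(1 if failures else 0)
```

The non-zero exit status lets a build pipeline stop when any binary in the checked directory falls short of the policy.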
Miscellaneous options:
- --debug_report
Generate a system report and exit.
- -h or --help
Displays the help text and exits
- --update or --upgrade
Checks the source for a signed update, updates the application if one is available, and exits
- --version
Shows the current version of the running software and exits
Diagnostics
The following diagnostics may be issued on stderr:
- Permission Denied.
For most of the checks you must be root.
See Also
History
checksec was originally written by Tobias Klein. This version is expanded and maintained by Brian Davis <slimm609@gmail.com>.