File: json-checks.sh

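#!/usr/bin/env bash
# json-checks.sh - run every checksec output mode with --format=json and make
# sure what comes out parses with both jsonlint and jq.
#
# Exit status: 0 when every mode produced valid JSON, 1 on the first mode that
# did not, 255 when the environment cannot run the suite at all (no binary to
# inspect, no jsonlint, no jq).
#
# `-e` is intentionally not set: each exit status the suite cares about is
# captured explicitly so a failing mode still gets its raw output dumped
# before the script stops.  `-o pipefail` and `-u` are set.
set -ou pipefail

# Pick a binary that certainly exists for the --file / --fortify-file modes.
test_file=""
for candidate in /bin/bash /bin/sh /bin/ls; do
  if [[ -f "${candidate}" ]]; then
    test_file="${candidate}"
    break
  fi
done
if [[ -z "${test_file}" ]]; then
  echo "could not find valid file to test"
  exit 255
fi

# DIR is the directory holding this script, PARENT the checksec checkout
# above it; checksec is always run from PARENT, never looked up on PATH.
DIR=$(
  cd "$(dirname "$0")"
  pwd
)
PARENT=$(
  cd "$(dirname "$0")/.."
  pwd
)

# Scratch file holding the JSON under test.  It lives beside this script rather
# than in a shared temporary directory; it is dumped on failure and removed on
# success.
OUTPUT="${DIR}/output.json"

# Either the node jsonlint or the python port (jsonlint-py) is acceptable.
# Without this guard an absent linter would surface as a confusing
# "command not found" failure on the very first mode.
jsonlint=$(command -v jsonlint || command -v jsonlint-py)
if [[ -z "${jsonlint}" ]]; then
  echo "neither jsonlint nor jsonlint-py is installed"
  exit 255
fi
if ! command -v jq > /dev/null; then
  echo "jq is not installed"
  exit 255
fi

#######################################
# Run one checksec mode and validate its JSON output.
# Globals:   PARENT, OUTPUT, jsonlint (read)
# Arguments: $1 - text for the "starting ... - json" progress line
#            $2 - short name used in the failure message
#            $3 - "dups-ok" to pass --allow duplicate-keys to jsonlint,
#                 anything else for a strict parse
#            $@ - remaining args are handed to checksec after --format=json
# Outputs:   progress line on stdout; on failure the raw output plus a
#            diagnostic, after which the whole script exits 1
#######################################
check_json() {
  local label=$1
  local name=$2
  local dups=$3
  shift 3

  # Some modes (proc-all, fortify-*) emit duplicate object keys, which is why
  # their callers opt into --allow duplicate-keys.  jq accepts duplicate keys
  # silently and keeps the last value, so only the jsonlint pass would notice;
  # any consumer of that JSON should expect different parsers to disagree on
  # such keys.
  local -a lint_args=()
  if [[ "${dups}" == "dups-ok" ]]; then
    lint_args=(--allow duplicate-keys)
  fi

  echo "starting ${label} - json"

  # checksec's own exit status is recorded for the diagnostic only; pass/fail
  # is still decided by whether the output parses.
  local checksec_rc=0
  "${PARENT}/checksec" --format=json "$@" > "${OUTPUT}" || checksec_rc=$?

  # ${arr[@]+"${arr[@]}"} expands to nothing for an empty array without
  # tripping `set -u` on older bash.
  local lint_rc=0
  "${jsonlint}" ${lint_args[@]+"${lint_args[@]}"} "${OUTPUT}" > /dev/null || lint_rc=$?

  local jq_rc=0
  jq . < "${OUTPUT}" &> /dev/null || jq_rc=$?

  # jq treats an empty stream as valid, so an empty output file is rejected
  # explicitly instead of relying on jsonlint alone to catch it.
  if [[ ! -s "${OUTPUT}" ]] || (( lint_rc != 0 )) || (( jq_rc != 0 )); then
    cat "${OUTPUT}"
    echo "${name} json validation failed"
    echo "checksec exit ${checksec_rc}, jsonlint exit ${lint_rc}, jq exit ${jq_rc}" >&2
    exit 1
  fi
}

check_json "proc-all check" "proc-all" dups-ok --proc-all
check_json "extended proc-all check" "extended proc-all" dups-ok --proc-all --extended

check_json "kernel check" "kernel" strict --kernel

# NOTE(review): kernel.config is resolved relative to the caller's working
# directory, not ${DIR} - presumably the suite is run from the tests
# directory; confirm before relying on it from elsewhere.
check_json "custom kernel check for file kernel.config" "custom kernel" strict --kernel=kernel.config

# Every shipped kernel config is fed through --kernel= so that each kernel
# check fires at least once.  NUL-delimited so an odd file name cannot split
# or truncate a path.
while IFS= read -r -d '' file; do
  check_json "custom kernel check for file ${file}" "custom kernel" strict --kernel="${file}"
done < <(find "${PARENT}/kernel_configs/configs/" -type f -iname "config-*" -print0)

check_json "file check" "file" strict --file="${test_file}"
check_json "extended file check" "extended file" strict --extended --file="${test_file}"

check_json "fortify-file check" "fortify-file" dups-ok --fortify-file="${test_file}"
check_json "extended fortify-file check" "extended fortify-file" dups-ok --fortify-file="${test_file}" --extended

# PID 1 is used because it always exists; inspecting it may need privileges.
check_json "fortify-proc check" "fortify-proc" dups-ok --fortify-proc=1
check_json "extended fortify-proc check" "extended fortify-proc" dups-ok --fortify-proc=1 --extended

check_json "dir check" "dir" strict --dir=/sbin

echo "All json validation tests passed jsonlint"
rm -f "${OUTPUT}"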