Commit Graph

338 Commits

Author SHA1 Message Date
Tobias Rüetschi
52a8f78885 send warning to stderr. (#53)
With --batch json there must not be any other output on stdout, so redirecting warnings to stderr will show the warning on the console and only the json output is on stdout.
2018-01-11 09:55:43 +01:00
Stéphane Lesimple
a09a5ba38f bump to v0.25 to reflect changes 2018-01-11 09:08:29 +01:00
Abdoul Bah
5a7d8d7edf Produce JSON output formatted for Puppet, Ansible, Chef... (#50)
Produce JSON output formatted for Puppet, Ansible, Chef...
2018-01-11 09:04:13 +01:00
Stéphane Lesimple
49fdc6c449
Merge pull request #51 from cowanml/file_read_check_fixup
fixed file read test
2018-01-10 21:39:09 +01:00
Matt Cowan
af3de2a862 fixed file read test 2018-01-10 15:17:14 -05:00
Stéphane Lesimple
c6e1b0ac8a feat(kernel): add support for LZ4 decompression 2018-01-10 20:10:57 +01:00
Stéphane Lesimple
eb0ebef5a8 fix(opensuse): add specific location for ibrs_enabled file 2018-01-10 17:40:33 +01:00
Stéphane Lesimple
a658de2f01 fix(kernel): fix detection for separate /boot partitions 2018-01-10 16:27:16 +01:00
Stéphane Lesimple
8ed1f5e3af feat(kernel): check the BOOT_IMAGE info from cmdline before trying the default names 2018-01-10 15:46:29 +01:00
Stéphane Lesimple
ffc542eb82 bump to v0.23 to reflect changes 2018-01-10 15:25:55 +01:00
Stéphane Lesimple
74bc7ba637 add --variant to specify what check we want to run 2018-01-10 15:22:30 +01:00
Marcus Downing
59fe8c2ad8 Error on unknown batch format 2018-01-10 13:57:10 +00:00
Marcus Downing
7c11d07865 Stray tab 2018-01-10 11:59:33 +00:00
Marcus Downing
7c5cfbb8c3 batch nrpe 2018-01-10 11:57:45 +00:00
Marcus Downing
381038eceb NRPE mode 2018-01-10 11:18:45 +00:00
Stéphane Lesimple
d6e4aa43f0
Merge pull request #37 from deufrai/better-dmesg-support
Improve PTI detection
2018-01-09 19:52:45 +01:00
Stéphane Lesimple
e5e09384f0 typofix 2018-01-09 18:54:35 +01:00
Stéphane Lesimple
7222367f04 add disclaimer and bump to 0.21 2018-01-09 18:52:21 +01:00
Stéphane Lesimple
ab512687cf
Merge pull request #38 from Alkorin/fixARM
Fix ARM checks
2018-01-09 18:47:25 +01:00
Alkorin
335439dee0 Fix small typo in error message 2018-01-09 18:44:15 +01:00
Alkorin
45297b6f7d Fix ARM checks 2018-01-09 18:41:48 +01:00
Frederic CORNU
a7b14306d5 Improve PTI detection even more
when PTI detection relies on dmesg, dmesg output is checked first
then /var/log/dmesg if dmesg output lacks boot time messages
2018-01-09 18:26:32 +01:00
Frederic CORNU
608952ff71 Improve PTI detection
In case of a busy or misconfigured server, kernel message buffer loop
can be filled with messages broadcasted later than boot time. So dmesg
command won't return boot time messages.

Grepping /var/log/dmesg fixes it and this log file location seems pretty
standard across many common distros
2018-01-09 18:17:39 +01:00
Stéphane Lesimple
1c3d349667
Merge pull request #31 from Feandil/batch
Add a "batch" and "verbose" mode
2018-01-09 18:12:39 +01:00
Stéphane Lesimple
b93b13263d fix(pti): remove escapes since we use grep -E now 2018-01-09 16:01:44 +01:00
Vincent Brillault
ad342cab06
Introduce "verbose" and "batch" modes
Rewrite the way the output is processed:
- Define verbosity level (currently warn, info (default) & verbose)
- Add a batch mode, for simple machine parsing
2018-01-09 15:58:13 +01:00
Vincent Brillault
5fd85e288b
No-color: interpret string (-e) to be able to match \x1B 2018-01-09 15:57:10 +01:00
Stéphane Lesimple
322f4efc8f fix broken logic of 68961f9, increment version to 0.20 2018-01-09 14:55:12 +01:00
Vincent Brillault
b6bfcdbd45
Move configuration at the beginning of the script 2018-01-09 14:18:02 +01:00
Stéphane Lesimple
68961f98c2 adding known non-vulnerable ARM chips 2018-01-09 13:11:48 +01:00
Stéphane Lesimple
f0f2ea9b11 v0.19: introduce --no-color 2018-01-09 10:32:51 +01:00
Stéphane Lesimple
6f1bdba1d9 bump to v0.18 to reflect changes 2018-01-09 09:21:42 +01:00
Stéphane Lesimple
7b05105a54
Merge pull request #25 from Feandil/proc_config
When using /proc/config.gz, indicate it more clearly
2018-01-09 09:19:36 +01:00
Stéphane Lesimple
8aed2d4086
Merge pull request #26 from Feandil/proc_kallsym
Use /proc/kallsyms to get symbols, if available
2018-01-09 09:17:18 +01:00
Vincent Brillault
f4140a992a
Use /proc/kallsyms to get symbols, if available 2018-01-09 08:58:09 +01:00
Vincent Brillault
2c51b00a90
When using /proc/config.gz, indicate it more clearly 2018-01-09 08:54:07 +01:00
Stéphane Lesimple
2d94514c07 adding mention of heuristic for variant 1 check 2018-01-09 08:43:52 +01:00
Stéphane Lesimple
0e8f97afbc
Merge pull request #24 from angus-p/Remove-extra-space
remove superfluous space from test line 315
2018-01-09 08:34:10 +01:00
angus-p
cc0b325383
remove superfluous space from test line 315
Extra space was causing non-existent variable to be tested resulting in 'YES' if running in live mode and IBRS compiled in
2018-01-09 03:47:25 +00:00
Matthew Radcliffe
4454f03136 Increases tmp directory uniqueness to 6 characters to support Slackware 2018-01-08 22:28:55 -05:00
Stéphane Lesimple
949f316f89 missed version bump + README typofix 2018-01-08 23:15:42 +01:00
Stéphane Lesimple
d73a24cb5b implement offline mode and help 2018-01-08 23:09:17 +01:00
Grim Kriegor
2d33a4369e Linux-libre support 2018-01-08 21:56:11 +00:00
Stéphane Lesimple
8d4d295309 bump to v0.16 to reflect changes 2018-01-08 17:48:20 +01:00
Stéphane Lesimple
1ff437edbb
Merge pull request #16 from Alkorin/fixes
Fixes
2018-01-08 17:45:59 +01:00
Stéphane Lesimple
34656827f5 detect retpoline-compliant compiler from latest LKML patches 2018-01-08 17:32:19 +01:00
Alkorin
8c8a8d35fd Detect if 'readelf' is present 2018-01-08 16:52:09 +01:00
Alkorin
debd10b517 Detect if 'strings' is present 2018-01-08 16:51:20 +01:00
Alkorin
21f81ff5c9 Detect if uncompress binaries are present 2018-01-08 16:51:14 +01:00
Stéphane Lesimple
206e4b7fbc add detection of retpoline-aware compiler 2018-01-08 16:28:00 +01:00
Alkorin
1a14483c98 Use 'readelf' instead of 'file' to detect kernel 2018-01-08 15:56:19 +01:00
Alkorin
26564206db Do not execute checks if we already found that PTI is enabled 2018-01-08 15:56:19 +01:00
Stéphane Lesimple
207168e097 detect if the used compiler supports retpoline (WIP) 2018-01-08 15:45:09 +01:00
Sebastian Wiesinger
c88acdd31d Remove superfluous 'YES' output when checking cpuinfo 2018-01-08 14:50:59 +01:00
Sebastian Wiesinger
124ce8e27a Recognize 'kaiser' flag in /proc/cpuinfo 2018-01-08 14:38:43 +01:00
Vincent Brillault
a792348928
RedHat uses a different configuration name 2018-01-08 12:59:12 +01:00
Vincent Brillault
66f7708095
Refactor RedHat support:
- Isolate file check to different elif (allowing to add more)
- Do the PTI debugfs check first (faster and supposed to be dynamic)
- If pti_enable is 0, don't trust dmesg (supposed to be dynamic)
2018-01-08 12:59:03 +01:00
Vincent Brillault
34ef5ef21b
Delay umount (for RedHat access to pti_enable) 2018-01-08 12:58:22 +01:00
Stéphane Lesimple
edbdf0da1f push the lfence opcodes threshold to 70 2018-01-08 12:49:23 +01:00
Alkorin
47c30babf1 Avoid 'cat: /sys/kernel/debug/x86/pti_enabled: Permission denied' 2018-01-08 12:41:28 +01:00
Stéphane Lesimple
ef7a5c4cf6 adding uname -v to get potential additional vendor information 2018-01-08 12:22:56 +01:00
Vincent Brillault
b7197d6f54
Fix debugfs mount check 2018-01-08 12:15:51 +01:00
Stéphane Lesimple
c792fa35bf add kernel version information to the output 2018-01-08 12:14:12 +01:00
Stéphane Lesimple
d1498fe03f
Merge pull request #5 from fccagou/centos
fix(centos): check according to redhat patch.
2018-01-08 12:10:07 +01:00
Stéphane Lesimple
12bdd0e412 root check is now more visible 2018-01-08 11:31:19 +01:00
fccagou
0f50e04dab fix(centos): check according to redhat patch. https://access.redhat.com/articles/3311301 2018-01-08 11:14:22 +01:00
David Guglielmi
bf056ae73d Add support for Gentoo genkernel image path 2018-01-08 11:08:53 +01:00
Frederik Schreiber
40a9d43c44 add arch linux bootimage path 2018-01-08 10:36:29 +01:00
Stéphane Lesimple
c1004d5171 fix extract-vmlinux for non-gzip 2018-01-08 09:56:29 +01:00
Stéphane Lesimple
fa0850466e add some comments, enhance pti detection 2018-01-08 09:37:54 +01:00
Thibault Nélis
1aaca63dcf Improve "running as root" check
Small issue with the USER environment variable:

  $ echo $USER
  thib
  $ sudo sh -c 'echo $USER'
  thib
  $ sudo -i sh -c 'echo $USER'
  root

Rather than recommending users to use sudo --login / -i, use the (very
widespread/portable) id program to retrieve the effective user ID
instead and don't change the recommendation.

  $ id -u
  1000
  $ sudo id -u
  0
  $ sudo -i id -u
  0
2018-01-08 01:22:14 +01:00
Stéphane Lesimple
96dfa03c00 fix for uncompressed vmlinux case 2018-01-08 00:45:12 +01:00
Stéphane Lesimple
05c79425ab detect kpti directly in vmlinux if option is not there 2018-01-07 22:47:41 +01:00
Stéphane Lesimple
64eb1d005c add couple missing elses 2018-01-07 18:49:15 +01:00
Stéphane Lesimple
bffda8b3e7 remove dependency on rdmsr 2018-01-07 18:36:56 +01:00
Stéphane Lesimple
13f2133a97 cosmetic fix 2018-01-07 18:14:08 +01:00
Stéphane Lesimple
8c2fd0f0bb fix MSR reading, need rdmsr for now 2018-01-07 18:13:25 +01:00
Stéphane Lesimple
761c2b80e4 cosmetic fix 2018-01-07 17:19:37 +01:00
Stéphane Lesimple
d6977928e5 msg fix 2018-01-07 17:15:08 +01:00
Stéphane Lesimple
bd4c74331e add retpolines check 2018-01-07 16:57:14 +01:00
Stéphane Lesimple
82972f8790 fix status unknown for variant 1 2018-01-07 16:32:34 +01:00
Stéphane Lesimple
30de4f6336 remove hardcoded kernel image path 2018-01-07 16:25:50 +01:00
Stéphane Lesimple
9ed1fcd98a cosmetic + v0.02 2018-01-07 16:22:30 +01:00
Stéphane Lesimple
ef7c0d7ec5 add variant 1 check 2018-01-07 16:16:11 +01:00
Stéphane Lesimple
3b760822ff fix echo under some shells 2018-01-07 16:00:01 +01:00
Stéphane Lesimple
0201b02313 typofix 2018-01-07 15:37:50 +01:00
Stéphane Lesimple
c937e6603b add System.map way of detecting kpti build 2018-01-07 15:36:05 +01:00
Stéphane Lesimple
4211178b3a v0.01 2018-01-07 15:00:59 +01:00