{"id":46870789,"url":"https://github.com/nstarke/embedded_linux_audit","last_synced_at":"2026-04-01T18:49:00.224Z","repository":{"id":342708123,"uuid":"1174690476","full_name":"nstarke/embedded_linux_audit","owner":"nstarke","description":"A Set of tools for Auditing Embedded Linux Hosts","archived":false,"fork":false,"pushed_at":"2026-03-24T18:14:48.000Z","size":26084,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-28T02:34:26.292Z","etag":null,"topics":["embedded","environment-variables","linux-security","reverse-engineering","u-boot","uboot"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nstarke.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-06T18:20:51.000Z","updated_at":"2026-03-24T16:03:54.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/nstarke/embedded_linux_audit","commit_stats":null,"previous_names":["nstarke/u-boot-fw_env_scan","nstarke/uboot_audit","nstarke/embedded_linux_audit"],"tags_count":128,"template":false,"template_full_name":null,"purl":"pkg:github/nstarke/embedded_linux_audit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nstarke%2Fembedded_linux_audit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nstarke%2Fembedded_linux_audit/tags","releases_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/nstarke%2Fembedded_linux_audit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nstarke%2Fembedded_linux_audit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nstarke","download_url":"https://codeload.github.com/nstarke/embedded_linux_audit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nstarke%2Fembedded_linux_audit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31290952,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["embedded","environment-variables","linux-security","reverse-engineering","u-boot","uboot"],"created_at":"2026-03-10T20:00:38.819Z","updated_at":"2026-04-01T18:49:00.218Z","avatar_url":"https://github.com/nstarke.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# embedded_linux_audit\n\n[![Build](https://github.com/nstarke/embedded_linux_audit/actions/workflows/release-cross-static.yml/badge.svg?branch=main)](https://github.com/nstarke/embedded_linux_audit/actions/workflows/release-cross-static.yml)\n[![Agent 
Tests](https://github.com/nstarke/embedded_linux_audit/actions/workflows/agent-tests.yml/badge.svg?branch=main)](https://github.com/nstarke/embedded_linux_audit/actions/workflows/agent-tests.yml)\n[![Coverity Scan Build Status](https://scan.coverity.com/projects/32974/badge.svg)](https://scan.coverity.com/projects/32974)\n[![codecov](https://codecov.io/gh/nstarke/embedded_linux_audit/branch/main/graph/badge.svg)](https://codecov.io/gh/nstarke/embedded_linux_audit)\n[![CodeQL](https://github.com/nstarke/embedded_linux_audit/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/nstarke/embedded_linux_audit/actions/workflows/codeql.yml)\n[![cppcheck](https://github.com/nstarke/embedded_linux_audit/actions/workflows/cppcheck.yml/badge.svg?branch=main)](https://github.com/nstarke/embedded_linux_audit/actions/workflows/cppcheck.yml)\n[![npm audit](https://github.com/nstarke/embedded_linux_audit/actions/workflows/npm-audit.yml/badge.svg?branch=main)](https://github.com/nstarke/embedded_linux_audit/actions/workflows/npm-audit.yml)\n[![Dependabot enabled](https://img.shields.io/badge/dependabot-enabled-025e8c?logo=dependabot)](https://github.com/nstarke/embedded_linux_audit/blob/main/.github/dependabot.yml)\n\n![embedded_linux_audit logo](images/logo.png)\n\n`embedded_linux_audit` (`ela`) is a static C binary for security assessment of embedded Linux devices. 
It runs directly on the target — no runtime dependencies, no package manager, no installation required — and covers U-Boot analysis, Linux system introspection, EFI/BIOS option ROM inspection, TPM 2.0 interrogation, and remote exfiltration of collected data.\n\n## Command groups\n\n### `uboot` — Boot environment and image analysis\n\n| Subcommand | Description |\n|---|---|\n| `uboot env` | Scan MTD/UBI/block devices for U-Boot environment partitions; emit `fw_env.config` entries and raw variable dumps |\n| `uboot image` | Detect uImage and FIT headers on flash/block devices; resolve load addresses and extract image bytes |\n| `uboot audit` | Run compiled security rules against U-Boot environment data to check Secure Boot posture, environment write-protection, and command-line integrity |\n\n### `linux` — Operating system introspection\n\n| Subcommand | Description |\n|---|---|\n| `linux dmesg` | Capture the kernel ring buffer; `dmesg watch` for continuous streaming |\n| `linux execute-command` | Run an arbitrary shell command and collect output |\n| `linux list-files` | Enumerate files under a path (optionally recursive) |\n| `linux list-symlinks` | Enumerate symbolic links under a path (optionally recursive) |\n| `linux grep` | Search file contents under a directory for a pattern |\n| `linux download-file` | Fetch a file from an HTTP(S) URL to a local path |\n| `linux remote-copy` | Upload a local file to a remote HTTP(S) endpoint |\n| `linux ssh client` | Open an interactive SSH session (via libssh) |\n| `linux ssh copy` | Transfer files over SFTP |\n| `linux ssh tunnel` | Establish a reverse SSH tunnel |\n| `linux ssh socks` | Set up a SOCKS proxy over SSH |\n| `linux process watch on \u003cneedle\u003e` | Start watching for processes whose command line matches `\u003cneedle\u003e`; emits a record each time the matching PID set changes (restart detected) |\n| `linux process watch off \u003cneedle\u003e` | Stop watching a previously registered needle |\n| `linux 
process watch list` | List all active needles and their current matching PIDs |\n| `linux gdbserver \u003cPID\u003e \u003cPORT\u003e` | Attach to a running process and expose a GDB remote stub on the given TCP port; connect with `target remote \u003cagent-ip\u003e:\u003cPORT\u003e` in `gdb-multiarch` |\n\n### `efi` — EFI/UEFI inspection\n\n| Subcommand | Description |\n|---|---|\n| `efi dump-vars` | Enumerate all EFI runtime variables with attributes and decoded values |\n| `efi orom` | List and extract EFI PCI option ROMs |\n\n### `bios` — Legacy BIOS inspection\n\n| Subcommand | Description |\n|---|---|\n| `bios orom` | List and extract legacy PCI option ROMs |\n\n### `tpm2` — TPM 2.0 interrogation\n\n| Subcommand | Description |\n|---|---|\n| `tpm2 getcap` | Query TPM capabilities and properties |\n| `tpm2 pcrread` | Read PCR values |\n| `tpm2 nvreadpublic` | Read NV index metadata |\n| `tpm2 createprimary` | Create a primary object and serialize the context |\n\n### `transfer` — Remote terminal and data exfiltration\n\n| Subcommand | Description |\n|---|---|\n| `transfer --remote \u003chost:port\u003e` | Connect to a TCP listener, transfer the agent binary, and drop into an interactive session |\n| `transfer --remote ws[s]://...` | Connect over WebSocket (plain or TLS) to the ELA terminal server and start an interactive session |\n\n## Interactive shell\n\nRunning `ela` with no arguments starts a REPL that exposes all command groups above, supports tab completion (when built with readline), maintains command history, and provides a `set` built-in for configuring per-session environment variables (`ELA_API_URL`, `ELA_OUTPUT_FORMAT`, `ELA_QUIET`, etc.).\n\n## Global flags\n\n| Flag | Description |\n|---|---|\n| `--output-format \u003ctxt\\|csv\\|json\u003e` | Output encoding (default: `txt`) |\n| `--output-tcp \u003cip:port\u003e` | Stream command output to a TCP listener |\n| `--output-http \u003curl\u003e` | POST command output to an HTTP(S) endpoint |\n| 
`--script \u003cpath\\|url\u003e` | Execute commands from a local or remote script file |\n| `--remote \u003ctarget\u003e` | Connect to a reverse-shell/WebSocket terminal before starting |\n| `--api-key \u003ckey\u003e` | Bearer token for API server authentication |\n| `--insecure` | Disable TLS certificate and hostname verification |\n| `--quiet` | Suppress informational output |\n\nAPI keys are also read from the `ELA_API_KEY` environment variable or `/tmp/ela.key`.\n\n## Companion server components\n\n### Agent helper API (`api/agent/`)\n\nA Node.js HTTP(S) server that acts as a collection point for agent data and a distribution server for binaries and test scripts.\n\n- Accepts `POST /:mac/upload/:type` for command output, dmesg, file contents, EFI variables, option ROM data, U-Boot images, and environment dumps\n- Normalizes uploads into a PostgreSQL schema and stores raw payloads alongside relational records\n- Optionally keeps runtime file artifacts under timestamped per-device directories in `api/agent/data/`\n- Serves release binaries (with optional auto-download from GitHub), test scripts, and U-Boot environment files\n- Optional bearer token authentication (`--validate-key`)\n- Optional HTTPS with self-signed certificate (`--https`)\n\n```bash\ncd api/agent \u0026\u0026 npm install \u0026\u0026 npm start -- --host 0.0.0.0 --port 5000\n```\n\nTo reuse the latest timestamped artifact directory instead of creating a new one on startup:\n\n```bash\ncd api/agent \u0026\u0026 npm start -- --reuse-last-data-dir\n```\n\nSee [docs/api/agent/helper-server.md](docs/api/agent/helper-server.md) for full options.\n\n### WebSocket terminal server (`api/terminal/`)\n\nA Node.js WebSocket server with a terminal TUI for managing multiple simultaneous agent sessions. 
Each agent that connects via `transfer --remote ws://...` appears as a named session the operator can attach to, send commands to, and detach from without dropping the connection.\n\n- Persists terminal connection events in PostgreSQL\n- Stores operator-assigned device aliases in PostgreSQL and maps them to upload records by MAC address\n\n```bash\ncd api/terminal \u0026\u0026 npm install \u0026\u0026 npm start\n```\n\nSee [docs/api/terminal/index.md](docs/api/terminal/index.md).\n\n### nginx reverse proxy (`nginx/ela.conf`)\n\nAn example nginx configuration that exposes both server components behind a single frontend — HTTP on port 80 and HTTPS on port 443 — routing `/terminal/\u003cmac\u003e` to the WebSocket terminal server and everything else to the agent helper API.\n\nSee [docs/api/nginx.md](docs/api/nginx.md).\n\n## Docker Deployment\n\nThe repository now includes a containerized deployment path with PostgreSQL, the agent API, the terminal WebSocket API, and nginx fronting both services.\n\n```bash\ndocker compose up --build\n```\n\nThe default stack exposes:\n\n- `http://localhost/` → agent helper API\n- `http://localhost/terminal/\u003cmac\u003e` → terminal WebSocket endpoint\n\nThe agent API container runs database migrations automatically on startup. Compose defaults target the bundled PostgreSQL container using the `ela`/`ela` credentials defined in `docker-compose.yml`.\n\nFor operational details, see [docs/api/docker-operations.md](docs/api/docker-operations.md).\n\n## Portable static release builds\n\nGitHub Releases contain fully static binaries for the following architectures, compiled via Zig + musl cross-compilation:\n\n`x86_64` · `x86` · `arm32-le` · `arm32-be` · `aarch64-le` · `aarch64-be` · `mips-le` · `mips-be` · `mips64-le` · `mips64-be` · `powerpc-le` · `powerpc64-be` · `powerpc-be` · `riscv32` · `riscv64`\n\nNo target-side dependencies. Drop the binary on the device and run it.\n\nSee [docs/agent/getting-started/build.md](docs/agent/getting-started/build.md) for the full build matrix and local build instructions.\n\n## Documentation\n\n- [Documentation index](docs/index.md)\n- [Manual assessment checklist](docs/manual-checklist.md)\n\n## Licensing\n\n- The `embedded_linux_audit` agent and associated build/test material: **GPL-3.0-or-later** ([COPYING](COPYING))\n- The helper API under `api/` and other non-agent files: **MIT** ([LICENSE.api](LICENSE.api))\n- Third-party code under `third_party/`: each component's own license\n\nSee [LICENSE](LICENSE) for the full breakdown.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnstarke%2Fembedded_linux_audit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnstarke%2Fembedded_linux_audit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnstarke%2Fembedded_linux_audit/lists"}