hardened - Man Page

Hardening Checks

Synopsis

hardened
 [--help]
 [--version]
 [--verbose]
 [--quiet]
 [--ignore-unknown]
 [--silent]
 [--vulnerable]
 [--not-hardened]
 [--all]
 [--file-type=auto|lib|exec|obj]
 [--skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign]
 [--readelf=path]
 [--tmpdir=dir]
 [--]
 file...

Description

The hardened script reports on the hardening status of the specified file(s).  In particular it checks that the whole file was compiled with -O2 or higher and the -fstack-protector-strong, -D_FORTIFY_SOURCE=2, -Wl,-z,now, -Wl,-z,relro, -fPIE,  -Wp,-D_GLIBCXX_ASSERTIONS, -fstack-clash-protection -fcf-protection=full and -mcet options.

The script accepts the following command line options:

--help
-h

Displays the usage of the script and then exits.

--version
-v

Displays the version of the script.

--verbose
-V

Enables verbose mode, causing the script to detail each action it takes.

--quiet
-q

Do not include the name of script in the out generated by the script.

--ignore-unknown
-i

Do not report file types that are not supported or recognised.

--tmpdir=dir
-t=dir

Directory to use to store temporary files.

--silent
-s

Produce no output.  Just return an exit status.

--vulnerable
-u

Only report files that are known to be vulnerable.  Ie files that record all of the necessary information about how they were built, but which were built with an incorrect set of options.

This option is the default behaviour of the script.

--not-hardened
-n

Report any file that cannot be proven to be hardened.  This is like the --vulnerable option, except that it will also report files that do not record all of the necessary information.

--all
-a

Report the hardening status of all of the files examined.

--file-type=auto|lib|exec|obj
-f=auto|lib|exec|obj

Specifies the type of file being examined.  Possible values are:

auto

Automatically determine the file type from its extension. This is the default.

lib

Assume all files are shared libraries.  Checks that the -fPIC option was used.

exec

Assume all files are executables.  Checks that the -fPIE option was used.

obj

Assume all files are object files.  Skips checks of the bind now status.

--skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet
-k=opt|stack|fort|now|relro|pic|operator|clash|cf|cet

Disables checks of various different hardening features.    This option can be repeated multiple times, and the values accumulate. Possible values are:

opt

Disables checks of the optimization level used.

stack

Disables checks of the stack protection level.

fort

Disables checks for -D_FORTIFY_SOURCE.

now

Disables checks for BIND NOW status.

relro

Disables checks for relro or read-only-relocs.

pic

Disables checks for -fPIC/-fPIE.

operator

Disables checks for -D_GLIBCXX_ASSERTIONS.

clash

Disables checks for stack clash protection.

cf

Disables checks for control flow protection. Note - these checks are only run on x86_64 binaries.

cet

Disables checks for control flow enforcement. Note - these checks are only run on x86_64 binaries.

realign

Disable checks for stack realignment. Note - these checks are only run on i686 binaries.

--readelf=path
-r=path

Use the specified program to read the notes from the files.

--

Stop accumulating command line options.  This allows the script to be run on files whose names starts with a dash.

Options

Info

2020-01-31 annobin-1 RPM Development Tools