The annocheck program is able to scan inside rpm files and libraries. It will automatically recurse into any directories that are specified on the command line. In addition annocheck knows how to find debug information held in separate debug files, and it will search for these whenever it needs the resources that they contain.
New tools can be added to the annocheck framework by creating a new source file and including it in the Makefile used to build annocheck. The modular nature of annocheck means that nothing else needs to be updated.
New tools must fill out a "struct checker" structure (defined in annocheck.h) and they must define a constructor function that calls "annocheck_add_checker" to register their presence at program start-up.
The annocheck program supports some generic command line options that are used regardless of which tools are enabled.
The built-by tool is disabled by default, but it can be enabled by the command line option --enable-builtby. The tool checks the specified files to see if any information is stored about how the file was built.
Since the hardening checker is enabled by default it may also be useful to add the --disable-hardened option to the command line.
The tool supports a few command line options to customise its behaviour:
The hardened tool checks that the specified files were compiled with the required security hardening options, as outlined in the elf-policy document. It runs a series of tests checking compilation options and link time options. These tests are outlined below, along with the command line option that can be used to disable each test.
New tests can be added to the hardened checker by adding an entry in the tests array defined in hardened.c and then creating the necessary code to support the test.
Dynamic executables must have been compiled with -fPIE and linked with -pie. This check can be disabled by --skip-pie.
The tool does support a couple of other command line options as well:
The notes tool displays the contents of any annobin notes inside the specified files. It groups the notes by address range, which can help locate missing details.
The notes tool is disabled by default, but it can be enabled by the command line option --enable-notes. Since the hardening checker is enabled by default it may also be useful to add the --disable-hardened option to the command line.
The section-size tool records the size of named sections within a list of files and then reports the accumulated size at the end. Since it is part of the annocheck framework, it is able to handle directories and rpms files as well as ordinary binary files.
The --size-sec=name option enables the tool and tells it to record the size of section name. The option can be repeated multiple times to record the sizes of multiple sections. It may also be useful to add the --disable-hardened option to the command line as otherwise the security hardening will be run at the same time.
Instead of searching for named sections, it is also possible to search for sections with specific flags. The --size-sec-flags=<flags> option will search for any section that has all of the specified <flags> set. Currently only W, A and X are recognised as flags, indicating that the section must have the Write, Alloc or Execute flags set respectively. If the ! exclamation mark character is present then it negates the meaning of the following flags. Thus --section-sec-flags=W option will search for any writeable section whereas the --size-sec-flags=W!A option will search only for sections that are writeable but not allocated.
Instead of searching for sections by flags it is also possible to search for segments by flags using the --size-seg-flags=<flags> option. The flags recognised for segments are W for writeable, R for readable and X for executable. Again the ! character can be used to invert the meaning of the flags that follow it.
If the --verbose option is enabled, then the tool will also report the size of the named section(s) in each file it encounters. If the --size-human option is enabled then sizes will be rounded down to the nearest byte, kibibyte, mebibyte or gibibyte, as appropriate.
The timing tool reports on the time taken by other tools to scan the list of files. The tool is disabled by default, but it can be enabled by the command line option --enable-timing.
By default the tool will report times in microseconds, but you can change this to reporting in seconds with the --sec or in nanoseconds with the --nsec. The default can be restored with the --usec option.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled ``GNU Free Documentation License''.