HARDENED

Section: RPM Development Tools (1)
Updated: 2020-01-31

NAME

hardened - Hardening Checks  

SYNOPSIS

hardened
  [--help]
  [--version]
  [--verbose]
  [--quiet]
  [--ignore-unknown]
  [--silent]
  [--vulnerable]
  [--not-hardened]
  [--all]
  [--file-type=auto|lib|exec|obj]
  [--skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign]
  [--readelf=path]
  [--tmpdir=dir]
  [--]
  file...  

DESCRIPTION

The hardened script reports on the hardening status of the specified file(s). In particular it checks that the whole file was compiled with -O2 or higher and with the -fstack-protector-strong, -D_FORTIFY_SOURCE=2, -Wl,-z,now, -Wl,-z,relro, -fPIE, -Wp,-D_GLIBCXX_ASSERTIONS, -fstack-clash-protection, -fcf-protection=full and -mcet options.

The script accepts the following command line options:

--help
-h
Displays the usage of the script and then exits.
--version
-v
Displays the version of the script.
--verbose
-V
Enables verbose mode, causing the script to detail each action it takes.
--quiet
-q
Do not include the name of the script in the output generated by the script.
--ignore-unknown
-i
Do not report file types that are not supported or recognised.
--tmpdir=dir
-t=dir
Directory to use to store temporary files.
--silent
-s
Produce no output. Just return an exit status.
--vulnerable
-u
Only report files that are known to be vulnerable, i.e. files that record all of the necessary information about how they were built, but which were built with an incorrect set of options.

This option is the default behaviour of the script.

--not-hardened
-n
Report any file that cannot be proven to be hardened. This is like the --vulnerable option, except that it will also report files that do not record all of the necessary information.
--all
-a
Report the hardening status of all of the files examined.
--file-type=auto|lib|exec|obj
-f=auto|lib|exec|obj
Specifies the type of file being examined. Possible values are:
auto
Automatically determine the file type from its extension. This is the default.
lib
Assume all files are shared libraries. Checks that the -fPIC option was used.
exec
Assume all files are executables. Checks that the -fPIE option was used.
obj
Assume all files are object files. Skips checks of the bind now status.
--skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign
-k=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign
Disables checks of various different hardening features. This option can be repeated multiple times, and the values accumulate. Possible values are:
opt
Disables checks of the optimization level used.
stack
Disables checks of the stack protection level.
fort
Disables checks for -D_FORTIFY_SOURCE.
now
Disables checks for BIND NOW status.
relro
Disables checks for relro or read-only-relocs.
pic
Disables checks for -fPIC/-fPIE.
operator
Disables checks for -D_GLIBCXX_ASSERTIONS.
clash
Disables checks for stack clash protection.
cf
Disables checks for control flow protection. Note - these checks are only run on x86_64 binaries.
cet
Disables checks for control flow enforcement. Note - these checks are only run on x86_64 binaries.
realign
Disable checks for stack realignment. Note - these checks are only run on i686 binaries.
--readelf=path
-r=path
Use the specified program to read the notes from the files.
--
Stop accumulating command line options. This allows the script to be run on files whose names start with a dash.
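The following wrapper is an added example of driving the script from a build or packaging check; it is not part of this manual page or of the hardened script itself. It assumes two things the page does not state: that --silent yields a non-zero exit status when a file fails its checks, and that "auto" file-type detection maps *.so* names to shared libraries and *.o names to object files (any other file is treated as an executable). The function names hardened_file_type, check_file and check_tree are this example's own.

```shell
#!/bin/sh
# Added example: run the hardened script over a build tree and gate on the result.
# Assumptions (not stated in the man page): the script exits non-zero under
# --silent when a file fails its checks, and file types follow the extension
# mapping below. Function names are this example's own.

# Map a file name to a --file-type value by extension (assumed mapping:
# .so and .so.N -> lib, .o -> obj, anything else -> exec).
hardened_file_type() {
    case "$1" in
        *.so|*.so.*) echo lib ;;
        *.o)         echo obj ;;
        *)           echo exec ;;
    esac
}

# Check one file. Extra arguments are passed through, e.g. --skip=cet on
# non-x86_64 builds. "--" protects file names that start with a dash.
check_file() {
    file=$1
    shift
    type=$(hardened_file_type "$file")
    if hardened --silent "--file-type=$type" "$@" -- "$file"; then
        echo "hardened:     $file"
        return 0
    fi
    echo "NOT hardened: $file" >&2
    return 1
}

# Walk a directory, checking shared libraries, object files and executables.
# Returns non-zero if any file failed, so it can fail a build step.
# (Uses a plain for loop, so file names must not contain whitespace.)
check_tree() {
    dir=$1
    shift
    failed=0
    for f in $(find "$dir" -type f \( -name '*.so' -o -name '*.so.*' \
                                      -o -name '*.o' -o -perm -u+x \) -print); do
        check_file "$f" "$@" || failed=$((failed + 1))
    done
    echo "$failed file(s) failed hardening checks"
    [ "$failed" -eq 0 ]
}

# Usage: sh check-hardening.sh <dir> [--skip=... ...]
if [ $# -gt 0 ]; then
    check_tree "$@"
fi
```

Running it as `sh check-hardening.sh ./buildroot --skip=cet` reports each file and exits non-zero if any binary failed, which is the behaviour a %check stage or CI job needs; the per-file type mapping keeps the -fPIC check on libraries and the -fPIE check on executables as described under --file-type.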

COPYRIGHT

Copyright (c) 2018 - 2020 Red Hat.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled ``GNU Free Documentation License''.

