HARDENED
Section: RPM Development Tools (1)
Updated: 2020-01-31
NAME
hardened - Hardening Checks
SYNOPSIS
       hardened [--help] [--version] [--verbose] [--quiet]
                [--ignore-unknown] [--silent] [--vulnerable]
                [--not-hardened] [--all] [--file-type=auto|lib|exec|obj]
                [--skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign]
                [--readelf=path] [--tmpdir=dir] [--] file...
DESCRIPTION
       The hardened script reports on the hardening status of the specified
       file(s). In particular it checks that the whole file was compiled
       with -O2 or higher and the -fstack-protector-strong,
       -D_FORTIFY_SOURCE=2, -Wl,-z,now, -Wl,-z,relro, -fPIE,
       -Wp,-D_GLIBCXX_ASSERTIONS, -fstack-clash-protection,
       -fcf-protection=full and -mcet options.
       The script accepts the following command line options:

       --help
       -h
              Displays the usage of the script and then exits.

       --version
       -v
              Displays the version of the script.

       --verbose
       -V
              Enables verbose mode, causing the script to detail each
              action it takes.

       --quiet
       -q
              Do not include the name of the script in the output
              generated by the script.

       --ignore-unknown
       -i
              Do not report file types that are not supported or
              recognised.

       --tmpdir=dir
       -t=dir
              Directory to use to store temporary files.

       --silent
       -s
              Produce no output. Just return an exit status.

       --vulnerable
       -u
              Only report files that are known to be vulnerable, i.e.
              files that record all of the necessary information about how
              they were built, but which were built with an incorrect set
              of options. This option is the default behaviour of the
              script.

       --not-hardened
       -n
              Report any file that cannot be proven to be hardened. This
              is like the --vulnerable option, except that it will also
              report files that do not record all of the necessary
              information.

       --all
       -a
              Report the hardening status of all of the files examined.

       --file-type=auto|lib|exec|obj
       -f=auto|lib|exec|obj
              Specifies the type of file being examined. Possible values
              are:

              auto   Automatically determine the file type from its
                     extension. This is the default.

              lib    Assume all files are shared libraries. Checks that
                     the -fPIC option was used.

              exec   Assume all files are executables. Checks that the
                     -fPIE option was used.

              obj    Assume all files are object files. Skips checks of
                     the bind now status.

       --skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign
       -k=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign
              Disables checks of various different hardening features.
              This option can be repeated multiple times, and the values
              accumulate. Possible values are:

              opt    Disables checks of the optimization level used.

              stack  Disables checks of the stack protection level.

              fort   Disables checks for -D_FORTIFY_SOURCE.

              now    Disables checks for BIND NOW status.

              relro  Disables checks for relro or read-only-relocs.

              pic    Disables checks for -fPIC/-fPIE.

              operator
                     Disables checks for -D_GLIBCXX_ASSERTIONS.

              clash  Disables checks for stack clash protection.

              cf     Disables checks for control flow protection.
                     Note - these checks are only run on x86_64 binaries.

              cet    Disables checks for control flow enforcement.
                     Note - these checks are only run on x86_64 binaries.

              realign
                     Disables checks for stack realignment.
                     Note - these checks are only run on i686 binaries.

       --readelf=path
       -r=path
              Use the specified program to read the notes from the files.

       --     Stop accumulating command line options. This allows the
              script to be run on files whose names start with a dash.
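       The following is an added example, not part of the hardened script
       or of annobin. It demonstrates three of the properties the script
       checks (the pic, relro and now checks named under --skip) by
       inspecting an ELF64 image's program headers and dynamic section
       directly, rather than reading the annobin notes with readelf as the
       script does; a file can therefore pass these checks while the script
       still reports it, because the script also verifies how the file was
       compiled. The check_hardening/vulnerable functions, the skip
       parameter mirroring --skip, and the build_sample_elf fixture (a
       constructed, non-loadable ELF image used so the example runs
       offline) are all assumptions of this example.

```python
"""Added example: inspect an ELF64 image for PIE, RELRO and BIND NOW.

These correspond to the pic, relro and now checks of the hardened script,
but are derived from the ELF program headers and dynamic section rather
than from annobin notes.  Standard library only; no readelf needed."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
# Elf64_Ehdr after e_ident, Elf64_Phdr, Elf64_Dyn (little-endian)
EHDR_FMT, PHDR_FMT, DYN_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def parse_elf64(data):
    """Return (e_type, list of program header tuples) for an LE ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    phdrs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    return e_type, phdrs


def dynamic_entries(data, phdrs):
    """Yield (tag, value) pairs from the PT_DYNAMIC segment up to DT_NULL."""
    for p in phdrs:  # p = (type, flags, offset, vaddr, paddr, filesz, memsz, align)
        if p[0] != PT_DYNAMIC:
            continue
        for pos in range(p[2], p[2] + p[5], 16):
            tag, val = struct.unpack_from(DYN_FMT, data, pos)
            if tag == DT_NULL:
                return
            yield tag, val


def check_hardening(data, skip=()):
    """Return {check: passed} for the checks not listed in `skip`.

    Check names follow the script's --skip keywords: pic, relro, now."""
    e_type, phdrs = parse_elf64(data)
    types = {p[0] for p in phdrs}
    dyn = {}
    for tag, val in dynamic_entries(data, phdrs):
        dyn[tag] = val  # later duplicates overwrite, fine for flag tags
    results = {
        # A PIE is linked as ET_DYN and still carries a dynamic segment.
        "pic": e_type == ET_DYN and PT_DYNAMIC in types,
        # RELRO: the loader remaps the GNU_RELRO range read-only after
        # relocation (partial RELRO on its own, full RELRO with BIND NOW).
        "relro": PT_GNU_RELRO in types,
        # BIND NOW: resolve all symbols at load time so the GOT can sit
        # inside the RELRO range.  Any of three encodings may request it.
        "now": DT_BIND_NOW in dyn
               or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
               or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW),
    }
    return {k: v for k, v in results.items() if k not in skip}


def vulnerable(data, skip=()):
    """Names of failed checks, the way --vulnerable reports a file."""
    return sorted(k for k, ok in check_hardening(data, skip).items() if not ok)


def build_sample_elf(e_type, relro=True, bind_now=True):
    """Constructed fixture: a minimal ELF64 image holding only the headers
    these checks read.  It is not loadable; it exists so the example runs
    offline without a compiler or a real binary."""
    dyn = [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if bind_now else []
    dyn_bytes = b"".join(struct.pack(DYN_FMT, t, v)
                         for t, v in dyn + [(DT_NULL, 0)])
    n_ph = 2 if relro else 1
    dyn_off = 64 + 56 * n_ph  # dynamic data follows the program headers
    seg = (dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 8)
    phdrs = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, *seg)
    if relro:
        phdrs += struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, *seg)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, v1
    ehdr = ident + struct.pack(EHDR_FMT, e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, n_ph, 0, 0, 0)
    return ehdr + phdrs + dyn_bytes


if __name__ == "__main__":
    samples = [("pie, full relro", build_sample_elf(ET_DYN)),
               ("non-pie, lazy binding", build_sample_elf(ET_EXEC, True, False))]
    for label, image in samples:
        print(label, check_hardening(image), "failed:", vulnerable(image))
```

       Passing skip=("now",) reproduces the accumulating --skip behaviour:
       the now check is simply dropped from the result, so a lazily bound
       file is no longer listed as failing it.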
OPTIONS
COPYRIGHT
Copyright (c) 2018 - 2020 Red Hat.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3
or any later version published by the Free Software Foundation;
with no Invariant Sections, with no Front-Cover Texts, and with no
Back-Cover Texts. A copy of the license is included in the
section entitled ``GNU Free Documentation License''.