HARDENED(1)                  RPM Development Tools                 HARDENED(1)

NAME

       hardened - Hardening Checks

SYNOPSIS

       hardened
         [--help]
         [--version]
         [--verbose]
         [--quiet]
         [--ignore-unknown]
         [--silent]
         [--vulnerable]
         [--not-hardened]
         [--all]
         [--file-type=auto|lib|exec|obj]
         [--skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign]
         [--readelf=path]
         [--tmpdir=dir]
         [--]
         file...

DESCRIPTION

       The hardened script reports on the hardening status of the specified
       file(s).  In particular it checks that the whole file was compiled with
       -O2 or higher and the -fstack-protector-strong, -D_FORTIFY_SOURCE=2,
       -Wl,-z,now, -Wl,-z,relro, -fPIE, -Wp,-D_GLIBCXX_ASSERTIONS,
       -fstack-clash-protection, -fcf-protection=full and -mcet options.

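       As an added example (not part of this manual page or of the annobin
       project), the POSIX shell functions below build a constructed test
       program once with the link-time options listed above and once without,
       then use readelf, the tool hardened itself drives, to confirm the
       ELF-level properties behind the relro, now and pic checks.  The
       compile-time checks (opt, stack, fort and so on) depend on annobin
       notes and are not reproduced.  It assumes gcc and readelf are installed;
       the function names are chosen for this example only.

```shell
#!/bin/sh
# Added example, not from the annobin hardened man page or the annobin
# project: build a program with the link-time options the page lists and
# one without, then use readelf (the tool hardened drives) to confirm the
# ELF-level properties behind hardened's "relro", "now" and "pic" checks.
# The compile-time checks (opt, stack, fort, ...) need annobin notes and
# are not reproduced here.  Assumes gcc and readelf are installed.

# Flags from the DESCRIPTION.  -mcet is left out because GCC 9 and later
# reject it, and -fcf-protection is added only on x86_64, where the page
# says the cf/cet checks apply.
hardening_flags() {
    f="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie"
    f="$f -Wl,-z,now -Wl,-z,relro -fstack-clash-protection"
    case "$(uname -m)" in x86_64) f="$f -fcf-protection=full" ;; esac
    printf '%s' "$f"
}

# Returns 0 if the file has a PT_GNU_RELRO segment, immediate (BIND NOW)
# binding and an ET_DYN header (PIE); otherwise names the first missing
# property and returns 1.
check_link_hardening() {
    readelf -l "$1" | grep -q GNU_RELRO \
        || { echo "$1: no RELRO segment"; return 1; }
    readelf -d "$1" | grep -Eq 'BIND_NOW|Flags:.* NOW' \
        || { echo "$1: lazy binding (no BIND NOW)"; return 1; }
    readelf -h "$1" | grep -q 'Type:.*DYN' \
        || { echo "$1: not position independent"; return 1; }
    return 0
}

# Builds a constructed test program twice in a temporary directory and
# prints that directory: "$dir/good" uses hardening_flags, "$dir/weak" is
# linked with lazy binding, no RELRO and no PIE.
build_samples() {
    d=$(mktemp -d)
    printf '#include <stdio.h>\nint main(void){puts("ok");return 0;}\n' > "$d/t.c"
    gcc $(hardening_flags) -o "$d/good" "$d/t.c" || return 1
    gcc -O0 -no-pie -Wl,-z,lazy -Wl,-z,norelro -o "$d/weak" "$d/t.c" || return 1
    printf '%s' "$d"
}
```

       Sourcing the file and running d=$(build_samples); check_link_hardening
       "$d/good"; check_link_hardening "$d/weak" shows the passing and the
       failing case.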
       The script accepts the following command line options:

       --help
       -h  Displays the usage of the script and then exits.

       --version
       -v  Displays the version of the script.

       --verbose
       -V  Enables verbose mode, causing the script to detail each action it
           takes.

       --quiet
       -q  Do not include the name of the script in the output generated by
           the script.

       --ignore-unknown
       -i  Do not report file types that are not supported or recognised.

       --tmpdir=dir
       -t=dir
           Directory to use to store temporary files.

       --silent
       -s  Produce no output.  Just return an exit status.

       --vulnerable
       -u  Only report files that are known to be vulnerable, i.e. files that
           record all of the necessary information about how they were built,
           but which were built with an incorrect set of options.

           This option is the default behaviour of the script.

       --not-hardened
       -n  Report any file that cannot be proven to be hardened.  This is like
           the --vulnerable option, except that it will also report files that
           do not record all of the necessary information.

       --all
       -a  Report the hardening status of all of the files examined.

       --file-type=auto|lib|exec|obj
       -f=auto|lib|exec|obj
           Specifies the type of file being examined.  Possible values are:

           auto
               Automatically determine the file type from its extension.  This
               is the default.

           lib Assume all files are shared libraries.  Checks that the -fPIC
               option was used.

           exec
               Assume all files are executables.  Checks that the -fPIE option
               was used.

           obj Assume all files are object files.  Skips checks of the bind
               now status.

       --skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign
       -k=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign
           Disables checks of various different hardening features.  This
           option can be repeated multiple times, and the values accumulate.
           Possible values are:

           opt Disables checks of the optimization level used.

           stack
               Disables checks of the stack protection level.

           fort
               Disables checks for -D_FORTIFY_SOURCE.

           now Disables checks for BIND NOW status.

           relro
               Disables checks for relro or read-only-relocs.

           pic Disables checks for -fPIC/-fPIE.

           operator
               Disables checks for -D_GLIBCXX_ASSERTIONS.

           clash
               Disables checks for stack clash protection.

           cf  Disables checks for control flow protection.  Note - these
               checks are only run on x86_64 binaries.

           cet Disables checks for control flow enforcement.  Note - these
               checks are only run on x86_64 binaries.

           realign
               Disable checks for stack realignment.  Note - these checks are
               only run on i686 binaries.

       --readelf=path
       -r=path
           Use the specified program to read the notes from the files.

       --  Stop accumulating command line options.  This allows the script to
           be run on files whose names start with a dash.


OPTIONS

       Copyright (c) 2018 - 2020 Red Hat.

       Permission is granted to copy, distribute and/or modify this document
       under the terms of the GNU Free Documentation License, Version 1.3 or
       any later version published by the Free Software Foundation; with no
       Invariant Sections, with no Front-Cover Texts, and with no Back-Cover
       Texts.  A copy of the license is included in the section entitled "GNU
       Free Documentation License".



annobin-1                         2020-01-31                       HARDENED(1)