HARDENED(1)                  RPM Development Tools                 HARDENED(1)

NAME
       hardened - Hardening Checks

SYNOPSIS
       hardened
               [--help]
               [--version]
               [--verbose]
               [--quiet]
               [--ignore-unknown]
               [--silent]
               [--vulnerable]
               [--not-hardened]
               [--all]
               [--file-type=auto|lib|exec|obj]
               [--skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign]
               [--readelf=path]
               [--tmpdir=dir]
               [--]
               file...

DESCRIPTION
       The hardened script reports on the hardening status of the specified
       file(s).  In particular it checks that the whole file was compiled with
       -O2 or higher and with the -fstack-protector-strong, -D_FORTIFY_SOURCE=2,
       -Wl,-z,now, -Wl,-z,relro, -fPIE, -Wp,-D_GLIBCXX_ASSERTIONS,
       -fstack-clash-protection, -fcf-protection=full and -mcet options.

       The script accepts the following command line options:

       --help
       -h   Displays the usage of the script and then exits.

       --version
       -v   Displays the version of the script.

       --verbose
       -V   Enables verbose mode, causing the script to detail each action it
            takes.

       --quiet
       -q   Do not include the name of the script in the output generated by
            the script.

       --ignore-unknown
       -i   Do not report file types that are not supported or recognised.

       --tmpdir=dir
       -t=dir
            Directory to use to store temporary files.

       --silent
       -s   Produce no output.  Just return an exit status.

       --vulnerable
       -u   Only report files that are known to be vulnerable, i.e. files that
            record all of the necessary information about how they were built,
            but which were built with an incorrect set of options.

            This option is the default behaviour of the script.

       --not-hardened
       -n   Report any file that cannot be proven to be hardened.  This is like
            the --vulnerable option, except that it will also report files that
            do not record all of the necessary information.

       --all
       -a   Report the hardening status of all of the files examined.

       --file-type=auto|lib|exec|obj
       -f=auto|lib|exec|obj
            Specifies the type of file being examined.  Possible values are:

            auto
                 Automatically determine the file type from its extension.
                 This is the default.

            lib  Assume all files are shared libraries.  Checks that the -fPIC
                 option was used.

            exec
                 Assume all files are executables.  Checks that the -fPIE
                 option was used.

            obj  Assume all files are object files.  Skips checks of the bind
                 now status.

       --skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign
       -k=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign
            Disables checks of various different hardening features.  This
            option can be repeated multiple times, and the values accumulate.
            Possible values are:

            opt  Disables checks of the optimization level used.

            stack
                 Disables checks of the stack protection level.

            fort
                 Disables checks for -D_FORTIFY_SOURCE.

            now  Disables checks for BIND NOW status.

            relro
                 Disables checks for relro or read-only-relocs.

            pic  Disables checks for -fPIC/-fPIE.

            operator
                 Disables checks for -D_GLIBCXX_ASSERTIONS.

            clash
                 Disables checks for stack clash protection.

            cf   Disables checks for control flow protection.  Note - these
                 checks are only run on x86_64 binaries.

            cet  Disables checks for control flow enforcement.  Note - these
                 checks are only run on x86_64 binaries.

            realign
                 Disables checks for stack realignment.  Note - these checks
                 are only run on i686 binaries.

       --readelf=path
       -r=path
            Use the specified program to read the notes from the files.

       --   Stop accumulating command line options.  This allows the script to
            be run on files whose names start with a dash.

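EXAMPLE
       The following script is an added illustration; it is not part of
       annobin or of the hardened script itself.  It re-derives three of the
       checks described above, named as in the --skip option (pic, now and
       relro), directly from a file's ELF program headers and dynamic section,
       which is where readelf also reports them.  It deliberately stops there:
       compile-time properties such as the optimization level,
       -fstack-protector-strong, -D_FORTIFY_SOURCE and
       -fstack-clash-protection leave no trace in these headers and are only
       recorded in the annobin notes that hardened reads, so this is not a
       substitute for the script.  The build_sample_elf helper constructs a
       minimal, non-loadable ELF64 image in memory so the checker can be
       exercised offline; the constants are the standard ELF and SysV ABI
       values, and all function names are this example's own.

```python
# Added example: not part of annobin or the hardened script.
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 1, 2, 3, 0x6474E552
DT_NULL, DT_TEXTREL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 22, 24, 30, 0x6FFFFFFB
DF_TEXTREL, DF_BIND_NOW = 0x4, 0x8          # DT_FLAGS bits
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000        # DT_FLAGS_1 bits
PF_R, PF_W = 4, 2
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"   # ELF64, little-endian


def check_hardening(data: bytes) -> dict:
    """Inspect an ELF64 little-endian image and report the link-time checks,
    using the same names as hardened's --skip option: pic, now, relro."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    segments = [struct.unpack_from(PHDR, data, phoff + i * phentsize)
                for i in range(phnum)]
    seg_types = {seg[0] for seg in segments}

    # Walk the PT_DYNAMIC segment to collect d_tag -> d_val (stops at DT_NULL).
    dynamic = {}
    for p_type, _, p_offset, _, _, p_filesz, _, _ in segments:
        if p_type == PT_DYNAMIC:
            for pos in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from(DYN, data, pos)
                if tag == DT_NULL:
                    break
                dynamic[tag] = val
    flags, flags1 = dynamic.get(DT_FLAGS, 0), dynamic.get(DT_FLAGS_1, 0)

    # Executables carry a PT_INTERP (or DF_1_PIE); any other ET_DYN file is
    # a shared library.  This mirrors hardened's exec/lib distinction.
    is_exec = e_type == ET_EXEC or PT_INTERP in seg_types or bool(flags1 & DF_1_PIE)
    if is_exec:
        pic = e_type == ET_DYN              # -fPIE/-pie: PIE executables are ET_DYN
    else:
        # Non-PIC code linked into a shared library leaves text relocations.
        pic = not (DT_TEXTREL in dynamic or flags & DF_TEXTREL)

    result = {
        "file_type": "exec" if is_exec else "lib",
        "pic": pic,
        # -Wl,-z,now shows up as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW.
        "now": DT_BIND_NOW in dynamic or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW),
        # -Wl,-z,relro makes the linker emit a PT_GNU_RELRO segment.
        "relro": PT_GNU_RELRO in seg_types,
    }
    result["findings"] = [name for name in ("pic", "now", "relro") if not result[name]]
    return result


def build_sample_elf(*, executable=True, pie=True, relro=True, bind_now=True) -> bytes:
    """Constructed sample input: a minimal ELF64 image holding only the headers
    the checks look at.  It is not loadable; it exists so the checker can be
    exercised without a compiler."""
    e_type = ET_DYN if (pie or not executable) else ET_EXEC
    flags1 = (DF_1_NOW if bind_now else 0) | (DF_1_PIE if executable and pie else 0)
    entries = []
    if bind_now:
        entries.append((DT_FLAGS, DF_BIND_NOW))
    if flags1:
        entries.append((DT_FLAGS_1, flags1))
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack(DYN, tag, val) for tag, val in entries)
    interp = b"/lib64/ld-linux-x86-64.so.2\0" if executable else b""

    seg_types = [PT_LOAD, PT_DYNAMIC]
    if executable:
        seg_types.append(PT_INTERP)
    if relro:
        seg_types.append(PT_GNU_RELRO)
    phoff, phentsize = 64, struct.calcsize(PHDR)
    dyn_off = phoff + phentsize * len(seg_types)
    interp_off = dyn_off + len(dyn)
    total = interp_off + len(interp)
    extents = {PT_LOAD: (0, total, PF_R | PF_W),
               PT_DYNAMIC: (dyn_off, len(dyn), PF_R | PF_W),
               PT_INTERP: (interp_off, len(interp), PF_R),
               PT_GNU_RELRO: (dyn_off, len(dyn), PF_R)}   # RELRO covers .dynamic
    phdrs = b"".join(struct.pack(PHDR, t, extents[t][2], extents[t][0], extents[t][0],
                                 extents[t][0], extents[t][1], extents[t][1], 8)
                     for t in seg_types)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)     # ELF64, LE, version 1
    ehdr = struct.pack(EHDR, ident, e_type, 62, 1, 0, phoff, 0, 0,
                       64, phentsize, len(seg_types), 0, 0, 0)
    return ehdr + phdrs + dyn + interp


def main(argv):
    """Print one line per file and return 1 if any file failed a check."""
    failed = 0
    for path in argv[1:]:
        with open(path, "rb") as fh:
            r = check_hardening(fh.read())
        verdict = "hardened" if not r["findings"] else "missing: " + ", ".join(r["findings"])
        failed |= bool(r["findings"])
        print(f"{path}: {r['file_type']}: {verdict}")
    return failed


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

       Run it as "python3 script.py /usr/bin/ls /usr/lib64/libz.so.1" to see
       the link-time verdict for real files.  Anything it reports as missing
       will also be reported by hardened; the converse does not hold, because
       hardened additionally verifies the compile-time options from the
       annobin notes.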
COPYRIGHT
       Copyright (c) 2018 Red Hat.

       Permission is granted to copy, distribute and/or modify this document
       under the terms of the GNU Free Documentation License, Version 1.3 or
       any later version published by the Free Software Foundation; with no
       Invariant Sections, with no Front-Cover Texts, and with no Back-Cover
       Texts.  A copy of the license is included in the section entitled "GNU
       Free Documentation License".



annobin-1                         2018-09-12                       HARDENED(1)