NAME

       hardening-check - check binaries for security hardening features

SYNOPSIS

       Examine a given set of ELF binaries and check for several security
       hardening features, failing if they are not all found.

DESCRIPTION

       This utility checks a given list of ELF binaries for several security
       hardening features that can be compiled into an executable.  These
       features are:

       Position Independent Executable
               This indicates that the executable was built in such a way
               (PIE) that the "text" section of the program can be relocated
               in memory.  To take full advantage of this feature, the
               executing kernel must support text Address Space Layout
               Randomization (ASLR).

       Stack Protected
               This indicates that the executable was compiled with the gcc(1)
               option -fstack-protector.  The program will be resistant to
               having its stack overflowed.

       Fortify Source functions
               This indicates that the executable was compiled with
               -D_FORTIFY_SOURCE=2 and -O2 or higher.  This causes certain
               unsafe glibc functions to be replaced with their safer
               counterparts (e.g.  strncpy instead of strcpy).

       Read-only relocations
               This indicates that the executable was built with -Wl,-z,relro
               to have ELF markings (RELRO) that ask the runtime linker to
               mark any regions of the relocation table as "read-only" if they
               were resolved before execution begins.  This reduces the
               possible areas of memory in a program that can be used by an
               attacker that performs a successful memory corruption exploit.

       Immediate binding
               This indicates that the executable was built with -Wl,-z,now to
               have ELF markings (BIND_NOW) that ask the runtime linker to
               resolve all relocations before starting program execution.
               When combined with RELRO above, this further reduces the
               regions of memory available to memory corruption attacks.

OPTIONS

       -p      Do not require that the checked binaries be built as PIE.

       -s      Do not require that the checked binaries be built with the
               stack protector.

       -f      Do not require that the checked binaries be built with Fortify
               Source.

       -r      Do not require that the checked binaries be built with RELRO.

       -b      Do not require that the checked binaries be built with
               BIND_NOW.

       -q      Only report failures.

RETURN VALUE

       When all checked binaries have all checkable hardening features
       detected, this program will finish with an exit code of 0.  If any
       check fails, the exit code will be 1.  Individual checks can be
       disabled via command line options.
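       The following Python script is an added example, not the code of
       hardening-check itself: it decides the five features listed under
       DESCRIPTION from the text output of readelf(1) (type DYN for PIE,
       an imported __stack_chk_fail for the stack protector, imported
       *_chk wrappers for Fortify Source, a GNU_RELRO program header, and
       a BIND_NOW/NOW dynamic tag) and reproduces the exit code and the
       -p/-s/-f/-r/-b skipping described under RETURN VALUE.  The sample
       readelf text embedded in it is constructed; the readelf invocation
       at the bottom assumes binutils is installed.

```python
import re
import subprocess
import sys

FEATURES = ("pie", "stack_protector", "fortify", "relro", "bind_now")

def fortify_symbols(dynsyms):
    """Names of glibc *_chk wrappers imported by the binary (readelf --dyn-syms text in)."""
    names = []
    for line in dynsyms.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[7].split("@")[0].endswith("_chk"):
            names.append(cols[7].split("@")[0])
    return names

def bind_now(dynamic):
    """True if readelf -d shows a BIND_NOW tag or NOW in DT_FLAGS / DT_FLAGS_1."""
    for line in dynamic.splitlines():
        if "(BIND_NOW)" in line:
            return True
        if re.search(r"\(FLAGS(?:_1)?\)", line) and re.search(r"\b(?:BIND_)?NOW\b", line):
            return True
    return False

def analyse(header, dynamic, dynsyms, progs):
    """Map each hardening feature to True/False from readelf -h, -d, --dyn-syms, -l output."""
    return {
        "pie": re.search(r"^\s*Type:\s+DYN", header, re.M) is not None,  # ET_DYN, not ET_EXEC
        "stack_protector": "__stack_chk_fail" in dynsyms,               # -fstack-protector
        "fortify": bool(fortify_symbols(dynsyms)),                        # -D_FORTIFY_SOURCE=2
        "relro": "GNU_RELRO" in progs,                                    # -Wl,-z,relro
        "bind_now": bind_now(dynamic),                                    # -Wl,-z,now
    }

def check(results, skip=()):
    """Required features that are missing; non-empty means exit code 1."""
    return [f for f in FEATURES if f not in skip and not results[f]]

def check_binary(path, skip=()):
    """Run readelf on a real binary and return the list of missing features."""
    out = lambda flag: subprocess.run(["readelf", flag, path], capture_output=True,
                                      text=True, check=True).stdout
    return check(analyse(out("-h"), out("-d"), out("--dyn-syms"), out("-l")), skip)

# Constructed readelf output for a fully hardened binary (not from a real file).
SAMPLE_HEADER = "ELF Header:\n  Type:                              DYN (Shared object file)\n"
SAMPLE_DYNAMIC = " 0x000000000000001e (FLAGS)              BIND_NOW\n"
SAMPLE_DYNSYMS = ("     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)\n"
                  "     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)\n")
SAMPLE_PROGS = "  GNU_RELRO      0x0000000000002d90 0x0000000000003d90 0x0000000000003d90\n"

if __name__ == "__main__":
    missing = check_binary(sys.argv[1]) if len(sys.argv) > 1 else check(
        analyse(SAMPLE_HEADER, SAMPLE_DYNAMIC, SAMPLE_DYNSYMS, SAMPLE_PROGS))
    print("missing:", missing or "none")
    sys.exit(1 if missing else 0)
```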

AUTHOR

       Kees Cook <kees@debian.org>

COPYRIGHT AND LICENSE

       Copyright 2009 Kees Cook <kees@debian.org>.

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; version 2 or later.

SEE ALSO

       gcc(1), hardening-wrapper(1)