undefined | Better HN

0 pointschasil4y ago0 comments

EPEL has this package:

    $ rpm -q hardening-check
    hardening-check-2.6-1.el7.noarch

    $ rpm -qi hardening-check | grep URL
    URL         : http://packages.debian.org/hardening-wrapper

It will tell you basic protections in ELF binaries.

    $ hardening-check /bin/ls
    /bin/ls:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no, not found!

This is the configure directive for new software to pass all of the above tests:

    CFLAGS='-O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpic -pie' \
    LDFLAGS='-Wl,-z,relro,-z,now -Wl,-z,now' ./configure

The package comes with a manual page with basic explanations of each test.

0 comments

DyslexicAtheist4y ago

I checked the debian package for hardening-wrapper and it seems deprecated [1], but fwiw still useful imo.

your configure directives are more up2date from what I posted by moving -pie -fpic to cflags:

    CFLAGS='-O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpic -pie' \
    LDFLAGS='-Wl,-z,relro,-z,now -Wl,-z,now' ./configure

[1] https://wiki.debian.org/HardeningWalkthrough#My_package_alre...

sillystuff4y ago

In Debian, the perl script, "hardening-check" is included in the package "devscripts".

j / k navigate · click thread line to collapse