Hardened checking - how?

Troy Dawson tdawson at redhat.com
Mon Jun 10 14:32:22 UTC 2013

On 06/06/2013 03:36 PM, Troy Dawson wrote:
> Hi,
> Is there an official Fedora way for telling if something is hardened
> correctly?
> I'm working on hardening mongodb, and I think I have it right, but I'd
> really like to check.
> I was given a couple of scripts, which had dependencies not in Fedora,
> which then had dependencies not in Fedora, and so forth.  At the third
> level of dependencies, I figured there had to be a more official way.
> If I missed a Fedora web page on it, or it was in the recent hardening
> discussion, feel free to point me to it.
> Thanks
> Troy Dawson

Thanks for all the suggestions and help.  Since there were a couple of 
threads that came off of this, I'm going to give a summary here.

   (what I ended up using)
   (packaged into rpm, see below)
   (had fedora dependency problems that are being worked on)

hardening-check - 


I ended up using rpm-chksec because it did everything I needed and all 
its requirements were already installed on my machine.
Why I chose that?
While the other would check files, rpm-chksec took an rpm as an argument 
and then checked all the binaries in it, giving a nice output.

Again, thanks to everyone who replied.  I am glad I checked it.  The 
mongodb scons stuff wasn't accepting arguments as I originally thought, 
and I found out that I hadn't really hardened mongodb.
I'm still working on it.  My next patch hardens it, but fails on a few 
platforms in ways I'm totally not expecting.  So, the work goes on, but 
having a check helps.


