Hardened checking - how?

Björn Esser bjoern.esser at gmail.com
Wed Jun 12 08:04:26 UTC 2013

Am Montag, den 10.06.2013, 09:32 -0500 schrieb Troy Dawson:
> On 06/06/2013 03:36 PM, Troy Dawson wrote:
> > Hi,
> > Is there an official Fedora way for telling is something is hardened
> > correctly?
> > I'm working on hardening mongodb, and I think I have it right, but I'd
> > really like to check.
> >
> > I was given a couple of scripts, which had dependencies not in Fedora,
> > which then had dependencies not in Fedora, and so forth.  At the third
> > level of dependencies, I figured there had to be a more official way.
> >
> > If I missed a Fedora web page on it, or it was in the recent hardening
> > discussion, feel free to point me to it.
> >
> > Thanks
> > Troy Dawson
> Hi,
> Thanks for all the suggestions and help.  Since there were a couple of 
> threads that came off of this, I'm going to give a summary here.
> Programs:
> http://people.redhat.com/sgrubb/files/rpm-chksec
>    (what I ended up using)
> http://packages.debian.org/sid/hardening-includes
>    (packaged into rpm, see below)
> https://nohats.ca/checksec.sh
>    (works)
> https://github.com/kholia/checksec
>    (had fedora dependency problems that are being worked on)
> rpm:
> hardening-check - 
> http://koji.fedoraproject.org/koji/packageinfo?packageID=16362
> Articles:
> http://lwn.net/Articles/454532/
> Summary:
> I ended up using rpm-chksec because it did everything I needed and all 
> it's requirements were already installed on my machine.
> Why I chose that?
> While the other would check files, rpm-chksec took an rpm as an argument 
> and then checked all the binaries in it, giving a nice output.
> Again, thanks to everyone who replied.  I am glad I checked it.  The 
> mongodb scons stuff wasn't accepting arguments as I originally thought, 
> and I found out that I hadn't really hardened mongodb.
> I'm still working on it.  My next patch hardens it, but fails on a few 
> platforms in ways I'm totally not expecting.  So, the work goes on, but 
> having a check helps.
> Thanks
> Troy

checksec is available as rpm now, too:

If you want to give some karma:

karma for hardening-check:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20130612/37617eb4/attachment.sig>

More information about the devel mailing list