On his TRAPKIT website, Tobias Klein published a shell script named checksec.sh, which goes through all running processes using readelf to produces a nicely formatted list indicating which processes eventually don't have support for relro, stack canaries (-fno-stack-protector) etc. compiled in. I think it's worth of consideration. I was really baffled when the script revealed that none of the processes running on a hardened x86 had stack canaries compiled in by default, except init and sshd. Isn't is at least now possible to include -fstackprotector in hardened toolchain's specs?
This script it not really ideal and as it's written now gives an inaccurate feeling of security. It needs to be editing for real hardened and pax.
(In reply to comment #1) > This script it not really ideal and as it's written now gives an inaccurate > feeling of security. It needs to be editing for real hardened and pax. Would you mind to share some of your thoughts about what needs to be amended? One point re stack canaries is, that the script apparently doesn't check how the shared libraries the program uses had been compiled.
# git show --stat | sed 's,@gentoo.org,@g.o,' commit bc5a59eb44d1bdc7186dfca7a32758c9d50b5caa Author: Sebastian Pipping <sping@g.o> Date: Wed Jan 6 17:37:04 2016 +0100 app-admin/checksec: 1.7.2, new package (bug #295687) Package-Manager: portage-2.2.26 app-admin/checksec/Manifest | 1 + app-admin/checksec/checksec-1.7.2.ebuild | 30 ++++++++++++++++++++++ app-admin/checksec/files/checksec-1.7.2-path.patch | 24 +++++++++++++++++ app-admin/checksec/metadata.xml | 8 ++++++ 4 files changed, 63 insertions(+)
