--- wikisrc/pkgsrc/hardening.mdwn 2016/03/17 03:19:17 1.4 +++ wikisrc/pkgsrc/hardening.mdwn 2016/03/17 03:41:21 1.5 @@ -91,3 +91,37 @@ for part or all of the build. Again, this feature may cause some programs to crash, usually indicating an actual bug in the program. Patching the original program is then required. +# Auditing the system + +The illusion of security is worse than having no security at all. This section +lists a number of ways to ensure the security features requested are actually +effective. + +_These instructions were obtained and tested on a system derived from NetBSD 7 +(amd64). YMMV._ + +## Checking for PIE + +The ELF executable type in use changes for binaries built as PIE; without: + + $ file /path/to/bin/ary + /path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped + +as opposed to the following binary, built as PIE: + + $ file /path/to/pie/bin/ary + /path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped + +The latter result is then what is expected. + +## Checking for RELRO + +The following command should list a section called `RELRO`: + + $ objdump -p /path/to/bin/ary + + /path/to/bin/ary: file format elf64-x86-64 + + Program Header: + [...] + RELRO off 0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0
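Review bot: In the "Checking for RELRO" paragraph, the prose says the command "should list a section called `RELRO`", but the `objdump -p` output quoted right below it shows `RELRO` under "Program Header:", so this should read "a program header called `RELRO`" (the `-p` flag prints headers, not sections). Worth adding in the same paragraph that the presence of that program header confirms only partial RELRO; to confirm full RELRO the reader should also look for `BIND_NOW` in the Dynamic Section part of the same `objdump -p` output, since the GOT is only made read-only after all relocations are resolved eagerly. On the "Checking for PIE" paragraph, a short caveat would help: `file` reporting "shared object" means the ELF type is ET_DYN, which is also what an ordinary shared library reports, so the check distinguishes PIE from a non-PIE executable but does not by itself distinguish a PIE binary from a library; suggest noting that `readelf -h` on the file can be used the same way and that the test is meant for files known to be executables.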