Diffstat (limited to 'tags/h/hardening-no-bindnow.tag')
-rw-r--r-- | tags/h/hardening-no-bindnow.tag | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/tags/h/hardening-no-bindnow.tag b/tags/h/hardening-no-bindnow.tag new file mode 100644 index 0000000..c12e705 --- /dev/null +++ b/tags/h/hardening-no-bindnow.tag @@ -0,0 +1,17 @@ +Tag: hardening-no-bindnow +Severity: info +Check: binaries/hardening +Explanation: This package provides an ELF binary that lacks the "bindnow" + linker flag. + . + This is needed (together with "relro") to make the "Global Offset + Table" (GOT) fully read-only. The bindnow feature trades startup + time for improved security. Please consider enabling this feature + or consider overriding the tag (possibly with a comment about why). + . + If you use <code>dpkg-buildflags</code>, you may have to add + <code>hardening=+bindnow</code> or <code>hardening=+all</code> to + <code>DEB_BUILD_MAINT_OPTIONS</code>. + . + The relevant compiler flags are set in <code>LDFLAGS</code>. +See-Also: https://wiki.debian.org/Hardening |
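Review bot: The closing Explanation paragraph, "The relevant compiler flags are set in <code>LDFLAGS</code>", is inconsistent with the opening sentence, which calls bindnow a linker flag. Since LDFLAGS is what the text points to, suggest "The relevant linker flags are set in <code>LDFLAGS</code>". The text also never names the option itself, only the dpkg-buildflags feature names <code>hardening=+bindnow</code> and <code>hardening=+all</code>. A maintainer whose build does not go through dpkg-buildflags therefore has nothing concrete to put in LDFLAGS, so consider spelling the linker option out in that paragraph. Minor wording: "Please consider enabling this feature or consider overriding the tag" repeats "consider"; "Please consider enabling this feature or overriding the tag" reads more cleanly.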