4.2.2 Command line options specific to the hardened tool

--skip-<test>[=<funcname>]

Disable the test called <test>. If the optional <funcname> argument is supplied then the test is only disabled for the named function (and by implication it remains enabled for all other functions). This extended form of the option can be given multiple times so that the test is skipped for several functions.

--skip-all

Disable all tests. Not really useful unless followed by one or more options that re-enable specific tests.

Note - using this option also sets the profile to none. If profile specific tests are wanted, the --profile option must appear after --skip-all on the command line.

--test-<name>

Enable the test called <name>.

--test-all

Enable all the tests.

--test-future
--skip-future

Report failures from the future tests. These are tests for security features which are not yet implemented or widely adopted, but which are planned. The --skip-future option restores the default behaviour of skipping these tests.

--test-unicode-all
--test-unicode-suspicious

The unicode test (--test-unicode) checks for the presence of multibyte characters in symbol names, which are unusual and potentially dangerous. The test has two modes of operation. In one mode, enabled by --test-unicode-all, any multibyte character is considered suspicious. This mode is suitable for code bases where multibyte characters are not expected to appear at all.

In the other mode, enabled by --test-unicode-suspicious, only potentially dangerous unicode characters trigger a failure. See The unicode test for details of which characters are considered suspicious.

If neither option is specified, the default depends upon the selected profile. If no profile is selected, the default is to fail only upon detection of suspicious characters.

--profile=el7
--profile=rhel-7
--profile=el8
--profile=rhel-8
--profile=el9
--profile=rhel-9
--profile=el10
--profile=rhel-10
--profile=rawhide
--profile=f40
--profile=f39
--profile=f38
--profile=f37
--profile=f36
--profile=f35
--profile=rhivos
--profile=default
--profile=none
--profile=auto

Rather than enabling and disabling specific tests a selection can be chosen via a profile option. The --profile=el7 and --profile=rhel-7 options will select the tests suitable for RHEL-7 binaries. Similarly --profile=el8 or --profile=rhel-8 configures the tests for RHEL-8 and so on.

The --profile=rawhide option will select tests suitable for Fedora rawhide binaries, whilst --profile=f38 selects tests suitable for Fedora F38, and so on for the other Fedora releases.

Other profiles may be added in the future.

The --profile=rhivos option enables tests mandated for RHIVOS development.

The --profile=auto option will attempt to determine the profile to use based upon the input filename. This only works with rpms, whose names include the OS. This option is the default. The --profile=default option is a synonym for --profile=auto.

Using --profile=none will disable the profiling.

For backwards compatibility the form --profile-<name> can be used instead of --profile=<name>.

Currently the profiles enable and disable the following tests:

el9
f35

Disables the branch-protection and dynamic-tags tests and enables their inverses, i.e. the not-branch-protection and not-dynamic-tags tests.

Also enables the unicode test and sets its default to fail for any multibyte character.

el8

Like el9 but also disables the lto test.

el7

Like el8 but also disables the pie, bind-now, fortify and stack-clash tests.

el10

Enables the branch-protection and dynamic-tags tests and disables their inverses, i.e. the not-branch-protection and not-dynamic-tags tests.

rawhide
f36

Like el10 but also disables the FIPS test.

In addition the unicode test is enabled for all of the RHEL profiles but disabled for the Fedora profiles.

--disable-hardened

Disable the tool.

--enable-hardened

Enable the tool if it was previously disabled. This is also the default.

--ignore-gaps

Do not complain about gaps in the note data.

--report-gaps

Do complain about gaps in the note data.

--fixed-format-messages

Display messages in a fixed, machine parseable format. The format is:

Hardened: <result>: test: <test-name> file: <file-name>

Where <result> is PASS or FAIL and <test-name> is the name of the test, which is the same as the name used in the --test-<test-name> option. The <file-name> is the name of the input file, but with any special characters replaced so that it always fits on one line.

Here is an example:

  Hardened: FAIL: test: pie file: a.out

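
The following script is an added example and is not part of annobin or its documentation. It shows two things described above: how to order --skip-all and --profile so that the profile is not reset (the note under --skip-all), and how a CI job can consume --fixed-format-messages output. It assumes only the option names and the fixed-format line layout given on this page; the sample output embedded in it is constructed, not captured from a real annocheck run.

```shell
#!/bin/sh
# Added example; not annobin's own code. Assumes only the fixed-format
# line layout documented above and the option names shown there. The
# sample output below is constructed, not captured from a real run.

# Print, one per line, the arguments for a profile-driven run.
# --skip-all resets the profile to none, so --profile must follow it;
# any --test-<name> options passed in "$@" are appended after that.
annocheck_args() {
    profile="$1"
    shift
    printf '%s\n' --fixed-format-messages --skip-all "--profile=$profile" "$@"
}

# Read fixed-format messages on stdin and print "<test-name> <count>" for
# every test that produced at least one FAIL, sorted by test name.
fail_counts() {
    awk '$1 == "Hardened:" && $2 == "FAIL:" && $3 == "test:" { print $4 }' \
        | sort | uniq -c | awk '{ print $2, $1 }'
}

# Exit 0 when stdin contains no FAIL line (the gate passes), 1 otherwise.
gate_passes() {
    ! grep -q '^Hardened: FAIL: test: '
}

# Constructed sample of annocheck --fixed-format-messages output.
SAMPLE_OUTPUT='Hardened: PASS: test: pie file: libfoo.so.1
Hardened: FAIL: test: pie file: a.out
Hardened: FAIL: test: bind-now file: a.out
Hardened: FAIL: test: pie file: helper
Hardened: PASS: test: fortify file: a.out'

# Usage: show the command line a CI job would run for RHEL-9 with the
# pie test forced on, then summarise the sample output.
annocheck_args rhel-9 --test-pie | tr '\n' ' '; echo
printf '%s\n' "$SAMPLE_OUTPUT" | fail_counts
if printf '%s\n' "$SAMPLE_OUTPUT" | gate_passes; then
    echo "gate: pass"
else
    echo "gate: fail"
fi
```

In a real job the output of annocheck itself would be piped into fail_counts and gate_passes instead of the constructed sample. Because the format is fixed, the parser keys on the literal "Hardened:", "FAIL:" and "test:" fields rather than on column positions, so a file name containing spaces (which annocheck rewrites anyway) cannot shift the test name out of field four.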
--disable-colour
--enable-colour
--disable-color
--enable-color

Do not use colour to enhance FAIL, MAYB and WARN messages. By default annocheck adds colour to these messages so that they stand out when displayed by a terminal emulator. The --disable-colour option turns this feature off and --enable-colour turns it back on. The American spelling, color, is also accepted.

--full-filenames
--base-filenames

Use the full pathname for files. Useful when recursing into directories. By default this feature is disabled in normal mode and enabled in verbose mode. The --full-filenames option and its inverse --base-filenames can be used to set a fixed choice regardless of mode.

--suppress-version-warnings

Do not issue warning messages about version mismatches between the version of the compiler used to build the annobin plugin and the version of the compiler used to run the annobin plugin.

--no-urls
--provide-urls

By default, when the hardened checker displays a FAIL or MAYB result and --verbose is enabled, a URL to the online version of the relevant section of this document is also displayed (unless --fixed-format-messages is in effect). The --no-urls option disables the display of the URLs and --provide-urls enables it, even in non-verbose mode.