4.2 The Hardened security checker.


annocheck
  [--skip-name[=funcname]]
  [--test-name]
  [--skip-all]
  [--test-all]
  [--skip-future]
  [--test-future]
  [--test-unicode-all]
  [--test-unicode-suspicious]
  [--profile=release]
  [--ignore-gaps]
  [--report-gaps]
  [--fixed-format-messages]
  [--disable-colour]
  [--enable-colour]
  [--disable-hardened]
  [--enable-hardened]
  [--full-filenames]
  [--base-filenames]
  [--suppress-version-warnings]
  [--no-urls]
  [--provide-urls]
  file

The hardened tool checks that the specified files were built with specific security hardening features enabled. The features that are tested can be controlled via command line options, but the default is to test for all of them.
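As an added example (not part of the annobin manual and not annocheck's own code), the following POSIX shell script shows how a build pipeline might drive the hardened checker over a directory of binaries using the options listed above: it assembles a release-profile invocation, translates a list of tests to skip into `--skip-name=` options, filters out non-ELF files (scripts, data) by their magic bytes before handing them to annocheck, and fails the run if any file fails. The function names, the `ANNOCHECK_DIR`/`ANNOCHECK_SKIP` variables and the test names used in comments are constructed for this example; it also assumes that annocheck exits with a non-zero status when a hardening test fails, which this page does not state.

```shell
#!/bin/sh
# Added example: gate a build tree on annocheck's hardened checker.
# Not from the annobin manual; annocheck's exit-status behaviour is assumed.

# Build the annocheck option string for a release-profile hardened check.
# $1 is a comma-separated list of hardened test names to skip (may be empty);
# each entry becomes a --skip-name=<test> option, every other test stays enabled.
hardened_args() {
  skip_list=$1
  args="--enable-hardened --profile=release --fixed-format-messages --disable-colour"
  oldifs=$IFS
  IFS=,
  for t in $skip_list; do
    [ -n "$t" ] && args="$args --skip-name=$t"
  done
  IFS=$oldifs
  printf '%s\n' "$args"
}

# True if the file starts with the ELF magic (0x7f 'E' 'L' 'F').
# Lets the loop below skip shell scripts and data files in a bin directory.
is_elf() {
  [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# Run annocheck over every ELF file under $1, skipping the tests named in $2.
# Returns 1 if any file failed a test (assumes annocheck exits non-zero on failure).
check_tree() {
  dir=$1
  opts=$(hardened_args "$2")
  find "$dir" -type f -print | {
    rc=0
    while read -r f; do
      is_elf "$f" || continue
      # Word-splitting of $opts into separate options is intended here.
      annocheck $opts "$f" || rc=1
    done
    exit $rc   # the group's exit status becomes the pipeline's, hence the function's
  }
}

# Usage: ANNOCHECK_DIR=/path/to/buildroot/usr/bin ANNOCHECK_SKIP=pie,stack-prot sh gate.sh
# (ANNOCHECK_SKIP is optional; the test names are constructed examples.)
if [ -n "${ANNOCHECK_DIR:-}" ]; then
  check_tree "$ANNOCHECK_DIR" "${ANNOCHECK_SKIP:-}"
fi
```

`--fixed-format-messages` and `--disable-colour` are chosen so that the output is stable enough to archive or parse in CI; `--profile=release` applies the release-build expectations, which is normally what a shipped package should be held to.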

The tool was originally written to assist in the implementation of the security features that Fedora describes at https://fedoraproject.org/wiki/Security_Features, although it now checks for more than that document lists.

New tests can be added to the hardened checker by adding an entry in the tests array defined in hardened.c and then creating the necessary code to support the test. There is more information on this process in this blog: https://developers.redhat.com/articles/2021/07/15/build-your-own-tool-search-code-sequences-binary-files

Currently the hardened tool can run the following tests. Each test listed here starts with a short section describing the reason for the test, a probable solution for fixing a failure, criteria for when the test can be ignored, and some examples of the error messages that annocheck produces when the test fails.