Problem: Development for the RHIVOS environment requires that some
extra hardening features be enabled.
Fix By: Follow the requirements for RHIVOS delveopment.
Waive If: The application is not going to be used in the RHIVOS environment.
Example: FAIL: INITFIRST dynamic flag seen
Example: FAIL: SONAME includes a directory separator character
Example: FAIL: SONAME not the same as the filename
Example: FAIL: the DT_AUDIT dynamic tag is present
Example: FAIL: the DT_AUXILIARY dynamic tag is present
Example: FAIL: the DT_DEPAUDIT dynamic tag is present
Example: FAIL: the DT_FILTER dynamic tag is present
Example: FAIL: the DT_PREINIT_ARRAY dynamic tag is present
Example: FAIL: RHIVOS does not support the use of the .hash section. Please use --hash-style=gnu
Example: FAIL: not linked with -Wl,-z,now
Example: FAIL: dlopen/dlclose found in symbol table
Example: FAIL: GNU TLS version 1 functions found in symbol table
Example: FAIL: LOAD segment with Write and Execute permissions seen
Example: FAIL: Building with Clang/LLVM is not supported for RHIVOS
Deleopment for the RHIVOS environment requires that some extra hardening measures are applied. This test attempts to check for most of these requirements.
Enabling this test automatically enables the --test-bind-now, --test-gnu-relro, --test-gnu-stack. --test-load-segments and --test-run-path tests. In addition the following extra checks are run:
Clang/LLVM is not used.The linker option --initfirst has not been used.The linker option --audit has not been used.The linker option --depaudit has not been used.The linker option --auxiliary has not been used.The linker option --filter has not been used.Shared libraries names match their filenames and do not includethe directory separator character.
The binary does not have a pre-init array.The linker option --hash-style=hash or--hash-style=both has been used.
Dynamically loaded code is used.Loadable segments with both the Write and Execute permissionsare found in the binary.
This test is normally only enabled if the --profile=rhivos option is used to select the RHIVOS profile. But it can be enabled independently by the --test-rhivos option.