Bug 29173 - annocheck: Adding supported platforms document
Status: RESOLVED FIXED
Alias: None
Product: annobin
Classification: Unclassified
Component: annobin
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2022-05-24 12:52 UTC by Jun Aruga
Modified: 2022-06-09 15:13 UTC (History)

Description Jun Aruga 2022-05-24 12:52:17 UTC
What platform OSes for compiled binaries are supported or considered for scanning by annocheck? Any platforms? I want to see a document about this topic.


The context is as follows.

In the Ruby language project, I added an annocheck test to test ruby binaries.
https://github.com/ruby/ruby/commit/dccfff943c3ea9defd91647cfa3fd8714041bb5a

I am interested in using annocheck to scan binaries compiled on several platforms. My goal is to find proper compiler flag options to pass annocheck for each platform.

## Binaries built on Fedora and Ubuntu

For gcc 11 on host OS Fedora and Ubuntu, here are the steps. annocheck currently passes with 2 skip options. Note that `make test-annocheck` calls `annocheck` in a Fedora container and tests binaries built on the host environment.

```
$ git clone https://github.com/ruby/ruby.git
$ cd ruby
$ ./autogen.sh
$ ./configure --enable-shared --with-gcc="gcc -fcf-protection -Wl,-z,now"
$ make

$ TEST_ANNOCHECK_OPTS="--skip-pie --skip-notes" make test-annocheck
...
+ /bin/docker run --rm -t -v /home/jaruga/git/ruby/ruby:/work ruby-fedora-annocheck annocheck --verbose --skip-pie --skip-notes ruby
...
Hardened: ruby: Overall: PASS.
```

## Binaries built on Mac OSX

I executed `annocheck` on my Fedora 35 on binaries built with gcc 11.3.0 on Mac OSX 10.13.6. Here is the result.

On the Mac, the ruby binaries are built like this.

```
$ ./autogen.sh
$ ./configure --enable-shared --with-gcc="gcc-11"
$ make
```

Here is the result on Fedora 35.

```
$ annocheck ruby
annocheck: Version 10.66.
annocheck: Warning: ruby: is not an ELF format file.
```

## Binaries built on FreeBSD 12

I executed `annocheck` on my Fedora 35 on binaries built with gcc 10.3.0 on FreeBSD 12. Here is the result.

On FreeBSD 12, the ruby binaries are built like this.

```
$ ./autogen.sh
$ ./configure --enable-shared --with-gcc="gcc -fcf-protection -Wl,-z,now"
$ make
```

Here is the result on Fedora 35. Unlike the "Binaries built on Fedora and Ubuntu" case above, the binaries built with `-fcf-protection` still show the "FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags" message.

```
$ annocheck ruby
annocheck: Version 10.66.
Hardened: ruby: FAIL: entry test because instruction at entry is not ENDBR64 
Hardened: ruby: FAIL: notes test because annobin notes were not found 
Hardened: ruby: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 
Hardened: ruby: FAIL: gnu-relro test because not linked with -Wl,-z,relro 
Hardened: ruby: FAIL: pie test because not built with '-Wl,-pie' 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
Hardened: ruby: Overall: FAIL.
```

So, are these differences between platforms intentional? Thank you.


Related PR on Ruby project: https://github.com/ruby/ruby/pull/5916
Comment 1 Nick Clifton 2022-05-25 12:03:04 UTC
(In reply to Jun Aruga from comment #0)

> What platform OSes for compiled binaries are supported or considered to scan
> by annocheck?

In theory annocheck supports ELF format binaries compiled for any OS and for any architecture.  In practice it has only really been used with Linux or BSD-type OSes and only for the usual architectures on these OSes (Arm, AArch64, PowerPC, s390x, RISC-V, x86, x86_64).  That is not to say that it cannot work with other architectures or OSes, just that - to my knowledge at least - it has not done so.

In addition annocheck is designed to be independent of the host OS and architecture.  So it can be run on any kind of machine (assuming that it can be compiled) and it can be used to check any ELF format file from any source - as long as a path to the file exists.

Also - as a convenience, annocheck also understands the rpm file format, and can unpack such files into a temporary directory before scanning their contents.

Similarly annocheck also supports the ar archive file format and can scan such files too.

Currently it does not support other file formats, including tarballs, fat object files, PE format files or the like.  Support for such formats could be added though, if there is a need.
 

> In the Ruby language project,

I am not familiar with Ruby per se, but the hardening checker built into annocheck does have some heuristics to enable and disable certain tests based upon the compiled language.  For example the stack protection test is disabled for GO built binaries, since GO does not support/need stack protection.


 
> ## Binaries built on Mac OSX
> 
> I executed `annocheck` on my Fedora 35 for binaries built on gcc 11.3.0 on
> Mac OSX 10.13.6. And here is the result.
> 
> annocheck: Warning: ruby: is not an ELF format file.

Mac OSX binaries use a different file format - Mach-O - one which is not, currently, supported by annocheck. :-(



> On the FreeBSD 12, the ruby binaries are built like this.

> $ annocheck ruby
> annocheck: Version 10.66.
> Hardened: ruby: FAIL: entry test because instruction at entry is not ENDBR64 
> Hardened: ruby: FAIL: notes test because annobin notes were not found 
> Hardened: ruby: FAIL: cf-protection test because .note.gnu.property section
> did not contain the necessary flags 
> Hardened: ruby: FAIL: gnu-relro test because not linked with -Wl,-z,relro 
> Hardened: ruby: FAIL: pie test because not built with '-Wl,-pie' 


> So, these differences between platforms are intentional?

Yes.  Well sort-of.  The differences are due to the platforms having different default security settings.  From the results above it would appear that FreeBSD 12 (for x86_64) does not support Intel's CET security feature (this explains the 'entry' and 'cf-protection' fails) nor does it default to linking with the '-z relro' and '-pie' options (which explains the gnu-relro and pie test failures).

This is not necessarily wrong, but rather choices that have been made by the FreeBSD development community.

The individual tests concerned can be disabled by the use of --skip-XXX options, and the hardening checker does also support a --profile=<OS-NAME> option which selects the tests appropriate to <OS-NAME>.  At the moment only Fedora and various flavors of RHEL are recognised as OS-NAMEs, but this could easily be extended.

Anyway the point is that annocheck's behaviour is intentional in the sense that it is running the tests that are built into it and reporting the results.  But it is also a failure in that there is no --profile=freebsd12 option to configure the tests to suit the target OS.

I hope that this helps.

Cheers
  Nick
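The verdicts Nick describes above, as an added example that is not annobin's own code: a small Python re-implementation of three of the checks seen in this thread, the "is not an ELF format file" warning (Mach-O is recognised by its magic), the cf-protection test on a `.note.gnu.property` section, and the ENDBR64 entry test. It assumes little-endian x86_64 ELF64 input and takes the raw section bytes and entry bytes as arguments instead of parsing a whole ELF file; `make_property_note` builds a constructed sample note for testing.

```python
import struct
# Constants from the ELF gABI and the x86-64 psABI; none are page-specific values.
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1
ENDBR64 = b"\xf3\x0f\x1e\xfa"

def file_format(head: bytes) -> str:  # mirrors annocheck's "is not an ELF format file" warning
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head[:4] in (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"):
        return "mach-o"  # thin 64-bit, thin 32-bit and fat Mach-O magics (the macOS build above)
    return "unknown"

def x86_feature_1_and(note_section: bytes) -> int:
    """Walk an ELF64 .note.gnu.property section; return the X86_FEATURE_1_AND bitmask (0 if absent)."""
    off, flags = 0, 0
    while off + 12 <= len(note_section):
        namesz, descsz, ntype = struct.unpack_from("<III", note_section, off)
        off += 12
        name = note_section[off:off + namesz]
        off += (namesz + 3) & ~3                # note name is padded to 4 bytes
        desc = note_section[off:off + descsz]
        off += (descsz + 7) & ~7                # ELF64 property descriptors are padded to 8 bytes
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                flags |= struct.unpack_from("<I", desc, p)[0]
            p += (pr_datasz + 7) & ~7           # each property's data is padded to 8 bytes on ELF64
    return flags

def cf_protection_ok(note_section: bytes) -> bool:
    """cf-protection test as modelled here: both IBT and SHSTK bits (what -fcf-protection emits) must be set."""
    need = GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK
    return x86_feature_1_and(note_section) & need == need

def entry_ok(entry_bytes: bytes) -> bool:
    """entry test: the first instruction at e_entry must be ENDBR64."""
    return entry_bytes.startswith(ENDBR64)

def make_property_note(feature_bits: int) -> bytes:
    """Constructed sample: an ELF64 .note.gnu.property section with one X86_FEATURE_1_AND property."""
    desc = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits) + b"\0" * 4
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc
```

A real binary would have its `.note.gnu.property` section and the bytes at `e_entry` extracted first (for instance with `readelf -n` and `objdump -d`); only the decision logic is shown here.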
Comment 2 Jun Aruga 2022-06-07 14:26:25 UTC
> I hope that this helps.
This helps a lot! Thanks!

> In addition annocheck is designed to be independent of the host OS and architecture.
This is good to know!

> I am not familiar with Ruby per se, but the hardening checker built in to annocheck does have some heuristics to enable and disable certain tests based upon the compiled language.  For example the stack protection test is disabled for GO built binaries, since GO does not support/need stack protection.
I see. It's good to know.

> Yes.  Well sort-of.  The differences are due to the platforms having different default security settings.  From the results above it would appear that FreeBSD 12 (for x86_64) does not support Intel's CET security feature (this explains the 'entry' and 'cf-protection' fails) nor does it default to linking with the '-z relro' and '-pie' options (which explains the gnu-relro and pie test failures).
What controls the security settings on the OS? OS settings or kernel parameters or compiler settings?

> The individual tests concerned can be disabled by the use of --skip-XXX options, and the hardening checker does also support a --profile=<OS-NAME> option which selects the tests appropriate to <OS-NAME>.  At the moment only Fedora and various flavors of RHEL are recognised as OS-NAMEs, but this could easily be extended.
How do I find out the <OS-NAME>? Is it the value of ID in `/etc/os-release`? I could not find the option `--profile=` in `annocheck --help`.

E.g. on my Fedora 36.

```
$ cat /etc/os-release  | grep ^ID
ID=fedora
```
Comment 3 Nick Clifton 2022-06-07 15:11:06 UTC
(In reply to Jun Aruga from comment #2)

>> From the results above it would appear that FreeBSD 12 (for x86_64) does not 
>> support Intel's CET security feature (this explains the 'entry' and 'cf-
>> protection' fails) 
[...]
> What controls the security settings on the OS? OS settings or kernel
> parameters or compiler settings?

Compiler settings.  Well mostly.  In reality it is compiler settings in conjunction with the program loader (usually ld.so) and the kernel.  All three need to cooperate and be in sync for most security features to work properly.

The compiler settings depend upon how packages are built.  For example in Fedora the default compiler settings for most packages are controlled by the macros provided by the redhat-rpm-config package.  I do not know how FreeBSD sets up its default compiler options, but there probably is a mechanism to do so.



>> the hardening checker does also support a --profile=<OS-NAME> option which 
>> selects the tests appropriate to <OS-NAME>.  At the moment only Fedora and 
>> various flavors of RHEL are recognized as OS-NAMEs, 

> How to know the <OS-NAME>? Is it a value of ID in `/etc/os-release`?

No - currently it is just a short list built in to annocheck.

> I could  not find the option `--profile=` by `annocheck --help`.

Try running: annocheck --help-hardened

That should give you the list of options supported by the hardening checker.
In addition the profile names are in the annobin documentation, in the section on the hardening checker.
Comment 4 Jun Aruga 2022-06-09 12:44:23 UTC
(In reply to Nick Clifton from comment #3)

> Compiler settings.  Well mostly.  In reality it is compiler settings in
[...]

All right. Thanks for the explanation.

> >> the hardening checker does also support a --profile=<OS-NAME> option which 
> >> selects the tests appropriate to <OS-NAME>.  At the moment only Fedora and 
> >> various flavors of RHEL are recognized as OS-NAMEs, 
> 
> > How to know the <OS-NAME>? Is it a value of ID in `/etc/os-release`?
> 
> No - currently it is just a short list built in to annocheck.
> 
> > I could  not find the option `--profile=` by `annocheck --help`.
> 
> Try running: annocheck --help-hardened
> 
> That should give you the list of options supported by the hardening checker.
> In addition the profile names are in the annobin documentation, in the
> section on the hardening checker.

Oh, I found it. Is `--help-hardened` a hidden option? I could not find the option in `man 1 annocheck` on Fedora 36 either.

```
$ rpm -qf /bin/annocheck
annobin-annocheck-10.73-1.fc36.x86_64

$ annocheck --help-hardened
[...]
Hardened:   To enable/disable tests for a specific environment use:
Hardened:     --profile=[default|el7|el8|el9|rawhide].
Hardened:                               Ensure that only tests suitable for a specific OS are run.
[...]
```

I understand the answer to my initial question. I will close this ticket. Thanks!
Comment 5 Nick Clifton 2022-06-09 12:49:11 UTC
(In reply to Jun Aruga from comment #4)
 
>> Try running: annocheck --help-hardened
 
> Oh I found it. Is the `--help-hardened` is a hidden option? I could not find
> the option by `man 1 annocheck` on Fedora 36 too.

Hidden: no ?  Obscure: yes ...  The man page includes these lines:

     "--help-tool"
           Display the usage information for tool and then exits.

(Not shown here, but the word 'tool' in the above text is underlined as it is intended to be replaced with the name of the tool for which help is needed).
Comment 6 Jun Aruga 2022-06-09 12:58:17 UTC
(In reply to Nick Clifton from comment #5)
[...]
> Hidden: no ?  Obscure: yes ...  The man page includes these lines:
> 
>      "--help-tool"
>            Display the usage information for tool and then exits.
> 
> (Not shown here, but the word 'tool' in the above text is underlined as it
> is intended to be replaced with the name of the tool for which help is
> needed).

I see. I would like to see the list of "tool" names. Could you tell me the other "--help-*" options?
Comment 7 Nick Clifton 2022-06-09 14:26:37 UTC
(In reply to Jun Aruga from comment #6)

> I see. I want to know a list of the "tool". Could you tell me any other
> "--help-*" options?

They are listed at the end of the "annocheck --help" output.  In theory any 
number of tools can be built into annocheck - it is based upon an extensible
framework - but in practice there are five tools which are usually present.
So:

  annocheck --help-timing
  annocheck --help-size
  annocheck --help-notes
  annocheck --help-hardened
  annocheck --help-builtby
Comment 8 Jun Aruga 2022-06-09 15:13:40 UTC
> They are listed at the end of the "annocheck --help" output. [...]

Okay, thanks for sharing! I found it in the "annocheck --help" output.

```
annocheck: If an option is unique to a tool then it can be passed without the --tool prefix.
annocheck: For example the hardened tool's test skipping options can be passed as either.
annocheck: --hardened-skip-<test> or just --skip-<test>.
annocheck: The following scanning tools are available:
annocheck:   Timing
annocheck:   Size
annocheck:   Notes
annocheck:   Hardened
annocheck:   BuiltBy
```