hardening-check
Analyze system security configuration for hardening
SYNOPSIS
hardening-check [OPTIONS] [FILE | DIRECTORY]
PARAMETERS
-b, --bin FILE
Checks the hardening status of a specific binary or a list of binaries. This is the default behavior if arguments are provided as files.
-p, --pie-libs
Also applies the PIE (Position-Independent Executable) check to shared libraries. Shared objects are position-independent by construction (ELF type ET_DYN), so the check is normally skipped for them and only reported when this option is given.
-q, --quiet
Suppresses output for checks that pass, only showing failures or warnings.
-v, --verbose
Shows more detailed output for each check, including successful ones.
-a, --all
Checks all executables currently running on the system.
-s, --status
Checks the general system hardening status, including kernel parameters (e.g., ASLR effectiveness, kernel module loading restrictions).
-r, --run
Checks hardening for running processes. This option implies --all.
-k, --kernel-modules
Checks the hardening status of loaded kernel modules.
-c, --config-files
Checks the hardening status of important system configuration files.
-d, --debug
Enables debug output, providing more information for troubleshooting.
-x, --xml
Outputs the results in XML format.
-j, --json
Outputs the results in JSON format.
-t, --text
Outputs the results in human-readable text format (default).
-V, --version
Displays the version information and exits.
-h, --help
Displays a help message and exits.
DESCRIPTION
hardening-check is a utility for auditing the security hardening status of a Linux system, covering both system-wide configuration and individual executables. For binaries it verifies the presence of compile-time and link-time exploit mitigations: Position-Independent Executables (PIE, the prerequisite for ASLR of the main image), a non-executable (NX) stack, Stack Smashing Protector (SSP) canaries, Fortify Source (the checked _chk variants of libc string and memory functions), read-only relocations (RELRO) and immediate binding (BIND_NOW), the latter two together making the GOT read-only once the loader is done.
Beyond executables, it can assess kernel parameters related to security, loaded kernel modules, important configuration files, and running processes to identify weak points. Its purpose is to show administrators and package maintainers where compiled binaries lack modern mitigations and where system configuration departs from hardening best practice. It supports text, XML, and JSON output, so it fits into automated security auditing.
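To make the binary checks concrete, the following is an added example (not code from the hardening-check project) showing how the PIE, NX, RELRO and BIND_NOW verdicts are derived from ELF metadata, the same data readelf prints. It parses ELF64 program headers and the dynamic section directly with the standard library and, so that it can be exercised offline, also builds a synthetic header-only ELF image; the builder output is constructed test input, not a real binary. The symbol-table based checks (SSP, Fortify) are deliberately omitted.

```python
import struct
import sys

# Constants from the ELF specification (<elf.h>).
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EM_X86_64 = 62


def check_elf64(data: bytes) -> dict:
    """Read the ELF64 program headers and dynamic section of `data` and
    report the hardening properties visible there."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF image")
    fmt = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from(fmt + "HHIQQQIHHH", data, 16)

    # ET_DYN means the loader may relocate the image, which ASLR needs.
    # A shared library is ET_DYN by construction, so "pie" is only a
    # meaningful verdict for executables (cf. -p/--pie-libs above).
    result = {"pie": e_type == ET_DYN, "nx": False, "relro": "no", "bind_now": False}

    dynamic = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            fmt + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            # Non-executable stack only if the GNU_STACK header lacks PF_X.
            # With no GNU_STACK header at all, x86 kernels default to an
            # executable stack, so result["nx"] stays False in that case.
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = "partial"     # region remapped read-only after relocation
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    if dynamic is not None:
        off, limit = dynamic[0], dynamic[0] + dynamic[1]
        while off + 16 <= limit:
            d_tag, d_val = struct.unpack_from(fmt + "qQ", data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                result["bind_now"] = True
            off += 16

    # Full RELRO needs both: all relocations resolved up front (BIND_NOW) and
    # the GOT then remapped read-only (GNU_RELRO). With lazy binding the GOT
    # has to stay writable, which is what "partial" means.
    if result["relro"] == "partial" and result["bind_now"]:
        result["relro"] = "full"
    return result


def build_sample_elf64(pie: bool, nx: bool, relro: bool, bind_now: bool) -> bytes:
    """Construct a header-only ELF64 image with the requested properties.
    Synthetic test input (not a real binary) so the checker above can be
    exercised without a compiler."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, 0 if nx else PF_X, 0, 0)]   # (type, flags, offset, size)
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    dyn_off = 64 + 56 * (len(phdrs) + 1)                 # ehdr + all phdrs
    phdrs.append((PT_DYNAMIC, 6, dyn_off, len(dyn)))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, EM_X86_64, 1, 0x1000,
        64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, off, off, sz, sz, 8)
                    for t, f, off, sz in phdrs)
    return ehdr + body + dyn


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /path/to/binary ; with no argument the
    # synthetic fully hardened sample is checked instead.
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_elf64(True, True, True, True))
    for name, value in check_elf64(blob).items():
        print(f"{name:>9}: {value}")
```

Run against a real binary it should agree with `readelf -l` (GNU_STACK and GNU_RELRO entries) and `readelf -d` (FLAGS/FLAGS_1 entries); a static binary with no PT_DYNAMIC simply reports no BIND_NOW, which is also where the symbol-based checks become unreliable.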
CAVEATS
hardening-check relies on information gathered from the system (the /proc filesystem for kernel and process state, ELF headers and symbol tables as reported by readelf for binaries). It cannot guarantee security on its own and should be one component of a broader auditing strategy. The symbol-based checks in particular can mislead: a binary compiled with -fstack-protector that contains no function needing a canary never references __stack_chk_fail and is reported as unprotected, the same holds for Fortify Source when no fortifiable libc call is present, and a stripped static binary exposes no dynamic symbols to inspect at all. Custom compilation flags can produce similar false positives or negatives. The tool covers compile-time, link-time and kernel-level hardening features, not application-level vulnerabilities or network security.
INTERPRETATION OF RESULTS
The output typically indicates YES for an enabled feature, NO for a disabled one, and N/A for a check that does not apply to a given binary or system; a NO or N/A is usually followed by a short reason, such as the symbol that was not found.
For executables, it reports a non-executable (NX) stack, Position Independent Executable (PIE), Stack Smashing Protector, Fortify Source, and a read-only GOT (RELRO); RELRO is only fully effective together with immediate binding (BIND_NOW), since with lazy binding the GOT must remain writable after the program has started.
INTEGRATION
hardening-check integrates readily into CI/CD pipelines and automated security scanners because of its machine-readable output formats (XML, JSON); a typical use is to fail a build when a required mitigation is reported missing for any shipped binary.
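As an added example of such a build gate (not part of the hardening-check project), the following parses the tool's text report and fails when a required feature is not positively reported. The embedded report is constructed in the style of hardening-check's per-binary text output, not captured from a real run; the feature names and the set of required features are assumptions for the example, and a verdict that is neither yes nor no (unknown, N/A) is treated as a failure rather than silently passing.

```python
import re
import sys

# Constructed sample in the style of hardening-check's text report: one block
# per binary, one indented feature line each, the verdict optionally followed
# by a reason. Not captured from a real run.
SAMPLE_REPORT = """\
/usr/bin/ls:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/opt/legacy/agent:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!
"""

# Assumed policy for this example: Fortify is advisory (see CAVEATS), the rest
# must be present on every shipped binary.
REQUIRED = ("Position Independent Executable", "Stack protected",
            "Read-only relocations", "Immediate binding")


def parse_report(text: str) -> dict:
    """Return {binary: {feature: True/False/None}} from the text report.
    yes -> True, no -> False, anything else (unknown, N/A) -> None."""
    report, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]          # a new per-binary block
            report[current] = {}
            continue
        if current is None or ":" not in line:
            continue                             # stray text, not a feature line
        feature, verdict = line.strip().split(":", 1)
        # First word of the verdict, cut at comma, space or parenthesis.
        word = re.split(r"[,\s(]", verdict.strip(), maxsplit=1)[0].lower()
        report[current][feature.strip()] = {"yes": True, "no": False}.get(word)
    return report


def gate(report: dict, required=REQUIRED) -> list:
    """List (binary, feature) pairs that should block the build: a required
    feature reported as absent or as undeterminable."""
    failures = []
    for binary, features in report.items():
        for feature in required:
            if features.get(feature) is not True:
                failures.append((binary, feature))
    return failures


if __name__ == "__main__":
    # Usage: hardening-check ... > report.txt; python3 gate.py report.txt
    # (with no argument the constructed sample report is used).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    failures = gate(parse_report(text))
    for binary, feature in failures:
        print(f"FAIL {binary}: {feature}")
    sys.exit(1 if failures else 0)
```

Feeding the tool's output through a parser like this keeps the policy (which features are mandatory) in one place and makes an "unknown" verdict visible instead of letting it pass, which matters for the static or symbol-stripped binaries mentioned under CAVEATS.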
HISTORY
hardening-check originates from Debian's hardening-wrapper source package, where it shipped in the hardening-includes binary package, and is now carried by devscripts; it is primarily maintained within the Debian/Ubuntu ecosystem. It was written to help users and package maintainers verify that packaged software and the underlying system use modern exploit mitigations. Its evolution has followed new compiler and linker defaults (PIE by default, full RELRO) and kernel security enhancements such as stronger ASLR.