[Openvas-distro] Hardening OpenVAS
bitdealer at gmail.com
Wed Aug 19 17:25:52 CEST 2009
I would love it if you fix your code to comply with those. E.g.
Mandriva 2009.1 uses "-Werror=format-security" by default and
currently all builds for it are broken (see
Also most newer distros already use -D_FORTIFY_SOURCE=2 and
-fstack-protector so those shouldn't be a problem.
Regarding -fPIE -pie, ld -z relro & ld -z now I have no idea but just
would like to ask you to only use them __additionally__ to the distros
compilation flags in $RPM_OPT_FLAGS (and whatever Debian uses) instead
of trying to replace them.
PS: Sent twice because it didn't get sent to the list. Sorry Tim.
> On Wed, Aug 19, 2009 at 4:11 PM, Tim Brown<timb at openvas.org> wrote:
>> Hey all,
>> So as a security related project I think we should take a lead with respect to
>> hardening our code. I've just taken the latest openvas* source packages and
>> rebuilt them using DEB_BUILD_HARDENING=1 (http://wiki.debian.org/Hardening).
>> I will run it for a week or two on x86_64 to see if it shows any bugs up but
>> if not, I would like to apply it to the official packaging. Does anyone have
>> any issues with such a plan?
>> PS Anyone compiling for other platforms is welcome to join in this exercise...
>> and in fact we should consider moving the hardening into the mainline build
>> tree in due course?
>> Tim Brown
>> <mailto:timb at openvas.org>
>> Openvas-distro mailing list
>> Openvas-distro at wald.intevation.org
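As an added example (not code from the thread or from the OpenVAS packaging), here is the approach the reply asks for: the hardening flags are merged into the distro's own $RPM_OPT_FLAGS (or CFLAGS/LDFLAGS on Debian) instead of replacing them, and a built binary is then inspected with readelf to confirm PIE, RELRO, BIND_NOW, stack protector and FORTIFY_SOURCE actually took effect. The helper names and the readelf heuristics are my assumptions.

```shell
#!/bin/sh
# Hardening flags discussed in the thread; the distro's own flags always come first.
HARDEN_CFLAGS="-Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fstack-protector -fPIE"
HARDEN_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"

# merge_flags BASE EXTRA: print BASE followed by every word of EXTRA that BASE lacks.
# Words already chosen by the distro are kept as-is, so nothing is overridden.
merge_flags() {
    base="$1"; extra="$2"; out="$base"
    for f in $extra; do
        case " $out " in
            *" $f "*) ;;               # already present, keep the distro's copy
            *) out="$out $f" ;;        # missing, append it
        esac
    done
    printf '%s\n' "${out# }"           # drop the leading space if BASE was empty
}

# Wrappers used from a spec file or debian/rules, e.g.: CFLAGS="$(harden_cflags "$RPM_OPT_FLAGS")"
harden_cflags()  { merge_flags "$1" "$HARDEN_CFLAGS"; }
harden_ldflags() { merge_flags "$1" "$HARDEN_LDFLAGS"; }

# check_hardened BINARY: report which protections an ELF executable ended up with.
# Heuristics (assumption): PIE shows as type DYN, RELRO as a GNU_RELRO segment, -z now as
# BIND_NOW, -fstack-protector via __stack_chk_fail, FORTIFY via other __*_chk symbols.
check_hardened() {
    bin="$1"
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    readelf -h "$bin" | grep -q 'Type:.*DYN' && echo "PIE: yes" || echo "PIE: no"
    readelf -l "$bin" | grep -q 'GNU_RELRO' && echo "RELRO: yes" || echo "RELRO: no"
    readelf -d "$bin" | grep -Eq 'BIND_NOW|Flags:.*NOW' \
        && echo "BIND_NOW (-z now): yes" || echo "BIND_NOW (-z now): no"
    readelf -s "$bin" | grep -q '__stack_chk_fail' \
        && echo "stack protector: yes" || echo "stack protector: no"
    readelf -s "$bin" | grep -E '__[a-z_]+_chk' | grep -vq '__stack_chk' \
        && echo "FORTIFY_SOURCE: yes" || echo "FORTIFY_SOURCE: no"
}

# Usage: ./harden-check.sh path/to/openvas-binary (prints the hardening report)
if [ $# -gt 0 ]; then
    check_hardened "$1"
fi
```

Run the check against a freshly built openvas binary after switching on the flags; a "no" line means the distro's build system dropped or overrode that flag.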