[Openvas-distro] Hardening OpenVAS
Stephan Kleine
bitdealer at gmail.com
Wed Aug 19 17:25:52 CEST 2009
I would love it if you fix your code to comply with those. E.g.
Mandriva 2009.1 uses "-Werror=format-security" by default and
currently all builds for it are broken (see
http://wald.intevation.org/tracker/index.php?func=detail&aid=1051&group_id=29&atid=220).
Also most newer distros already use -D_FORTIFY_SOURCE=2 and
-fstack-protector so those shouldn't be a problem.
Regarding -fPIE -pie, ld -z relro & ld -z now, I have no idea, but I just
would like to ask you to only use them __additionally__ to the distro's
compilation flags in $RPM_OPT_FLAGS (and whatever Debian uses) instead
of trying to replace them.
My $0.02.
Cheers,
Stephan
PS: Sent twice because it didn't get sent to the list. Sorry, Tim.
> On Wed, Aug 19, 2009 at 4:11 PM, Tim Brown<timb at openvas.org> wrote:
>> Hey all,
>>
>> So as a security related project I think we should take a lead with respect to
>> hardening our code. I've just taken the latest openvas* source packages and
>> rebuilt them using DEB_BUILD_HARDENING=1 (http://wiki.debian.org/Hardening).
>> I will run it for a week or two on x86_64 to see if it shows any bugs up but
>> if not, I would like to apply it to the official packaging. Does anyone have
>> any issues with such a plan?
>>
>> Tim
>>
>> PS Anyone compiling for other platforms is welcome to join in this exercise...
>> and in fact we should consider moving the hardening into the mainline build
>> tree in due course?
>> --
>> Tim Brown
>> <mailto:timb at openvas.org>
>> <http://www.openvas.org/>
>