author | Graham Bloice <graham.bloice@trihedral.com> | 2015-11-21 18:09:33 +0000 |
---|---|---|
committer | Graham Bloice <graham.bloice@trihedral.com> | 2015-11-21 18:20:55 +0000 |
commit | f1efeb1eba8329fdd8a1021fdc7bdb327203a8b5 (patch) | |
tree | 93828f30d4266fcbab0611da2385cb2fe7ab097d /tools/Get-HardenFlags.ps1 | |
parent | 65528108c3b583ca47c0987767ecedee5fd186ec (diff) |
Fix Windows hardening check
The hardening check runs on all binaries and quite a few third party binaries
are not hardened, thus leading to a warning on the buildslave.
The change reduces the noise by not counting the binaries that are known to be
"soft". They are still printed in the output though, for reference.
Also fixed the search directory passed to the script.
Change-Id: I1619066c687c9ba934ab38fccbbf2011108328e4
Reviewed-on: https://code.wireshark.org/review/12016
Reviewed-by: Graham Bloice <graham.bloice@trihedral.com>
Tested-by: Graham Bloice <graham.bloice@trihedral.com>
Diffstat (limited to 'tools/Get-HardenFlags.ps1')
-rw-r--r-- | tools/Get-HardenFlags.ps1 | 58 |
1 files changed, 56 insertions, 2 deletions
diff --git a/tools/Get-HardenFlags.ps1 b/tools/Get-HardenFlags.ps1
index fcb3edf73a..a5b300eb33 100644
--- a/tools/Get-HardenFlags.ps1
+++ b/tools/Get-HardenFlags.ps1
@@ -70,8 +70,59 @@ Param(
 $BinaryDir
 )
+# Create a list of 3rd party binaries that are not hardened
+$SoftBins = (
+ "libpixmap.dll",
+ "libwimp.dll",
+ "libgail.dll",
+ "airpcap.dll",
+ "comerr32.dll",
+ "gspawn-win32-helper-console.exe",
+ "gspawn-win32-helper.exe",
+ "k5sprt32.dll",
+ "krb5_32.dll",
+ "libatk-1.0-0.dll",
+ "libcairo-2.dll",
+ "libffi-6.dll",
+ "libfontconfig-1.dll",
+ "libfreetype-6.dll",
+ "libgcc_s_sjlj-1.dll",
+ "libgcrypt-20.dll",
+ "libgdk-win32-2.0-0.dll",
+ "libgdk_pixbuf-2.0-0.dll",
+ "libGeoIP-1.dll",
+ "libgio-2.0-0.dll",
+ "libglib-2.0-0.dll",
+ "libgmodule-2.0-0.dll",
+ "libgmp-10.dll",
+ "libgnutls-28.dll",
+ "libgobject-2.0-0.dll",
+ "libgpg-error-0.dll",
+ "libgtk-win32-2.0-0.dll",
+ "libharfbuzz-0.dll",
+ "libhogweed-2-4.dll",
+ "libintl-8.dll",
+ "libjasper-1.dll",
+ "libjpeg-8.dll",
+ "liblzma-5.dll",
+ "libnettle-4-6.dll",
+ "libp11-kit-0.dll",
+ "libpango-1.0-0.dll",
+ "libpangocairo-1.0-0.dll",
+ "libpangoft2-1.0-0.dll",
+ "libpangowin32-1.0-0.dll",
+ "libpixman-1-0.dll",
+ "libpng15-15.dll",
+ "libtasn1-6.dll",
+ "libtiff-5.dll",
+ "libxml2-2.dll",
+# Unfortunately the nsis uninstaller is not hardened.
+ "uninstall.exe"
+)
+
 # CD into the bindir, allows Resolve-Path to work in relative mode.
-Push-Location $BinDir
+Push-Location $BinaryDir
+[Console]::Error.WriteLine("Checking in $BinaryDir for unhardened binaries:")
 # Retrieve the list of binaries. -Filter is quicker than -Include, but can only handle one item
 $Binaries = Get-ChildItem -Path $BinaryDir -Recurse -Include *.exe,*.dll
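Review bot: `$SoftBins` exempts files by bare name and records nothing about which bundled package or build each entry refers to, so entries such as `libgnutls-28.dll`, `libgcrypt-20.dll` and `krb5_32.dll` stay exempt even if a later bundle ships a build that could be hardened, and nothing reports when an entry has gone stale. I would add a comment above the list, `# Entries are matched by file name only and are never counted; remove an entry as soon as the bundled build is hardened.` The `uninstall.exe` entry is a generic name, so its existing comment should say which installer output it is meant to cover. The `Param(` block that this list follows starts above the hunk.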
@@ -92,7 +143,10 @@ $Binaries | ForEach-Object {
 # Write-Error outputs error records, we simply want the filename
 [Console]::Error.WriteLine((Resolve-Path $_ -Relative))
- $Count++
+ # Don't count files that won't ever be OK
+ if ($SoftBins -notcontains (Split-Path $_ -Leaf)) {
+ $Count++
+ }
 }
 } |
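Review bot: The added `if` exempts a file when only its leaf name (`Split-Path $_ -Leaf`) appears in `$SoftBins`, while `$Binaries` is collected with `-Recurse`, so a file with a listed name in any subdirectory of `$BinaryDir` is left out of `$Count` as well. The line written to stderr is also identical for exempt and counted files, so the build log cannot show which entries actually contributed to the warning. An `else` branch that writes a marker, e.g. `[Console]::Error.WriteLine("  (known soft, not counted)")`, would make a newly unhardened binary stand out from the expected ones. The `ForEach-Object` block and whatever test guards this branch start above the hunk, so the condition that leads here is not visible.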