Reliability of hardening-check

I’m building some RPMs of some C/C++ libraries, and I’m trying to confirm that they use the hardening flags in gcc. During compile time I see my binaries are properly calling -D_FORTIFY_SOURCE=2, but the hardening-check binary seems to return that the flag was not called. Is it possible that this is a false positive, and are there any other tools for confirming the accuracy of the hardening flags?

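As an added example (not code from the original post), the shell script below reproduces the rule hardening-check applies for its "Fortify Source functions" line, which is to inspect the binary's imported symbols for `__*_chk` variants of libc functions, and it shows why a build that passes `-D_FORTIFY_SOURCE=2` can still be reported as unfortified: glibc only substitutes the `_chk` wrappers when the optimizer runs, so an `-O0` object (or one that never calls a fortifiable function with a known buffer size) has nothing for the tool to find. The `PROTECTABLE` list is a constructed subset of the tool's table, and the compile demo is skipped when gcc or nm is not installed.

```shell
#!/bin/sh
# Added example, not code from the original post. It mirrors the rule
# hardening-check applies for its "Fortify Source functions" line: look at the
# binary's undefined (imported) symbols and ask whether any __*_chk variant of a
# protectable libc function is present. PROTECTABLE is a constructed subset of
# the tool's table, not the full list.
PROTECTABLE="memcpy memmove memset strcpy strncpy strcat sprintf snprintf printf fprintf read gets fgets"

# classify_fortify: reads one undefined symbol name per line on stdin and prints
# one of yes / no / unknown, the three verdicts hardening-check gives.
classify_fortify() {
    chk=0; plain=0
    while read -r sym; do
        [ -n "$sym" ] || continue
        for f in $PROTECTABLE; do
            case "$sym" in
                "__${f}_chk") chk=1 ;;
                "$f")         plain=1 ;;
            esac
        done
    done
    if [ "$chk" -eq 1 ]; then echo yes          # fortified wrappers imported
    elif [ "$plain" -eq 1 ]; then echo no       # only unprotected calls found
    else echo unknown; fi                       # nothing the check could flag
}

# undefined_symbols: the symbol list a real binary would feed to the parser
# (versioned names like strcpy@GLIBC_2.2.5 are stripped to plain strcpy).
undefined_symbols() {
    nm -D --undefined-only "$1" 2>/dev/null | awk '{print $NF}' | sed 's/@.*//'
}

# Demo (skipped if gcc or nm is not installed): the same source built with
# -D_FORTIFY_SOURCE=2 yields "no" at -O0 and "yes" at -O2, because glibc only
# substitutes the __*_chk wrappers when the optimizer runs (-O1 or higher).
if command -v gcc >/dev/null 2>&1 && command -v nm >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    cat >"$tmp/t.c" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) { char b[32]; strcpy(b, argv[argc - 1]); printf("%s\n", b); return 0; }
EOF
    for opt in -O0 -O2; do
        gcc "$opt" -D_FORTIFY_SOURCE=2 -o "$tmp/t" "$tmp/t.c" 2>/dev/null &&
            printf '%s -> Fortify Source functions: %s\n' "$opt" "$(undefined_symbols "$tmp/t" | classify_fortify)"
    done
    rm -rf "$tmp"
fi
```

Running `undefined_symbols libfoo.so | classify_fortify` against the packaged library gives the same verdict hardening-check reports, with the symbol list it was judged on visible for inspection.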