http://people.redhat.com/sgrubb/files/rpm-chksec
To check a typical install and only get the packages that do not meet policy,
./rpm-chksec --all | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" |
egrep -w 'no|PACKAGE'
A small sample on F18:
PACKAGE                  RELRO  PIE  CLASS
abrt-addon-ccpp.x86_64   yes    no   setuid
abrt.x86_64              yes    no   daemon
accountsservice.x86_64   yes    no   daemon
acpid.x86_64             yes    no   daemon
agave.x86_64             no     yes  exec
akonadi.x86_64           yes    no   network-local
alsa-lib.x86_64          yes    no   network-ip
alsa-utils.x86_64        yes    no   network-ip
apg.x86_64               yes    no   daemon
arpwatch.x86_64          yes    no   daemon
But it should be noted that the script does not identify parsers of untrusted
media. This would be stuff like: gnash, ooffice, evince, poppler, firefox,
konqueror, xchat, wireshark, eog, kmail, evolution, rpm, etc. I don't know how
to automate that.
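What the RELRO and PIE columns above actually test, as an added example that is not part of the original message and not rpm-chksec's own code (which shells out to readelf): a small ELF64 parser that reports full/partial/no RELRO and whether the object is ET_DYN, plus a constructed minimal ELF image to exercise it. It assumes little-endian ELF64 input, and since ET_DYN also matches shared libraries, the PIE result only means something for executables.

```python
import struct

# ELF constants (values from the System V ABI / glibc elf.h)
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ET_EXEC, ET_DYN = 2, 3

def check_hardening(data):
    """Return {'relro': 'full'|'partial'|'no', 'pie': bool} for little-endian ELF64 bytes."""
    if data[:5] != b"\x7fELF\x02" or data[5] != 1:   # ELFCLASS64, ELFDATA2LSB only
        raise ValueError("not a little-endian ELF64 file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", data, off)
        if p_type == PT_GNU_RELRO:        # linker marked a region to be made read-only after relocation
            has_relro = True
        elif p_type == PT_DYNAMIC:        # walk .dynamic looking for immediate-binding flags
            p_offset, = struct.unpack_from("<Q", data, off + 8)
            p_filesz, = struct.unpack_from("<Q", data, off + 32)
            for j in range(p_filesz // 16):
                tag, val = struct.unpack_from("<qQ", data, p_offset + j * 16)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    # full RELRO needs both: the GNU_RELRO segment and BIND_NOW (-z relro -z now)
    relro = "full" if has_relro and bind_now else ("partial" if has_relro else "no")
    return {"relro": relro, "pie": e_type == ET_DYN}

def build_sample_elf(relro=True, bind_now=True, pie=True):
    """Constructed minimal ELF64 image (header, program headers, .dynamic); not a real binary."""
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(types)        # .dynamic sits right after the program header table
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0, len(dyn), len(dyn), 8)
                     for t in types)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
        64, 56, len(types), 0, 0, 0)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    for kw in ({}, {"bind_now": False}, {"relro": False, "bind_now": False, "pie": False}):
        print(kw, check_hardening(build_sample_elf(**kw)))
```

To run it against a real file, pass `open(path, "rb").read()` to `check_hardening`; an rpm-chksec "yes" in the RELRO column corresponds to the "full" result here.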
which raises the question again:
would it not be the better way to build the whole distribution hardened,
by experience that nearly anything is exploitable over the long run and
performance comes after security?

performance would be increased by many developers learning what to do to
prevent wasting resources, much more than by not using ANY technique to make
things more secure. security is a concept of many pieces and each piece
makes the overall system better