I'm writing a C++ network daemon for Linux which by its nature will have to listen on the public internet.
Which GCC switches should I use to enable security features to make it harder for a possible attacker to exploit bugs in my program?
Currently I'm using the stack protector. (GCC: -fstack-protector, LD: -Wl,-z,relro,-z,now).
Which other features should I enable (besides all warnings etc. about issues in my program)? What about PIE?
How do I check if the feature is actually active in the running process? I found lsexec, but for example it doesn't show any process using PIE on my system, so I'm not sure how reliable it is.
Update:
So far I found the hardening guides from Debian and Ubuntu and this similar question. But nothing on how to check what is actually active in an executable, yet.
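
One way to check which of these features an executable actually carries, added here as an example and not part of the original question: the script reads the ELF program headers and `.dynamic` entries that `-Wl,-z,relro`, `-Wl,-z,now` and PIE linking leave behind, and looks for the `__stack_chk_fail` symbol name that `-fstack-protector` references. The names `hardening` and `build_sample` are hypothetical, only 64-bit little-endian ELF is handled, and the sample image is constructed for the example.

```python
import struct, sys

EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<QQ"   # ELF64 layouts
ET_DYN, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 3, 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening(elf: bytes) -> dict:
    """Report PIE, RELRO and stack-protector status of a 64-bit LE ELF image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF file")
    hdr = struct.unpack_from(EHDR, elf)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from(PHDR, elf, phoff + i * phentsize) for i in range(phnum)]
    types = {p[0] for p in phdrs}
    bind_now = False
    for p_type, _, offset, _, _, filesz, _, _ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(offset, offset + filesz, 16):   # walk .dynamic entries
            tag, val = struct.unpack_from(DYN, elf, pos)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True                          # set by -Wl,-z,now
    # PT_GNU_RELRO is emitted by -Wl,-z,relro; without BIND_NOW the GOT stays writable.
    relro = ("full" if bind_now else "partial") if PT_GNU_RELRO in types else "none"
    return {
        # Heuristic: ET_DYN plus an interpreter (shared libraries are ET_DYN too).
        "pie": e_type == ET_DYN and PT_INTERP in types,
        "relro": relro,
        # Heuristic: absent if no function was instrumented or symbols were stripped.
        "stack_protector": b"__stack_chk_fail" in elf,
    }

def build_sample(e_type: int, dyn: list, canary: bool) -> bytes:
    """Constructed input: headers and .dynamic only, not a runnable program."""
    dyn_bytes = b"".join(struct.pack(DYN, t, v) for t, v in dyn + [(DT_NULL, 0)])
    ph = [(PT_INTERP, 4, 0, 0, 0, 0, 0, 1), (PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1),
          (PT_DYNAMIC, 6, 64 + 3 * 56, 0, 0, len(dyn_bytes), len(dyn_bytes), 8)]
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    tail = b"__stack_chk_fail\0" if canary else b""
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in ph) + dyn_bytes + tail

if __name__ == "__main__":
    for path in sys.argv[1:]:                # e.g. /proc/<pid>/exe for a live process
        with open(path, "rb") as f:
            print(path, hardening(f.read()))
```

Passing `/proc/<pid>/exe` as the argument inspects the image a running daemon was started from, which answers the "actually active in the running process" part for these link-time features.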