open-telemetry / opentelemetry-collector-releases

OpenTelemetry Collector Official Releases
https://opentelemetry.io
Apache License 2.0

OTE-01-005 WP1: Linux Binary Hardening Recommendations #618

Open mx-psi opened 3 months ago

mx-psi commented 3 months ago

From the security audit:

Testing confirmed that the OpenTelemetry Collector Linux binaries do not leverage a number of compiler flags to mitigate potential memory corruption vulnerabilities, which is a common issue of all Golang-compiled binaries. As a result, the application remains unnecessarily prone to the associated risks. Linux binaries fail to leverage the following memory corruption prevention flags:

  • Stack canaries: This defense mechanism is used to detect and prevent exploits from overwriting the return address.
  • RELRO: This leaves the GOT section writable. Without the RELRO flag, buffer overflows on a global variable can overwrite GOT entries.
  • PIE: The Position Independent Executable (PIE) flag is a security mechanism that enables Address Space Layout Randomization (ASLR), which randomizes the location where system executables are loaded into memory.

Since we do not use CGO, I think this should be as easy as adding -buildmode=pie.

[!NOTE]
2024 OpenTelemetry security audit finding reference: OTE-01-005 WP1: Linux Binary Hardening Recommendations
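As an added, defender-side example (not code from this issue or from the Collector project), the Go program below uses the standard library's `debug/elf` package to check a built Linux binary for the three properties the audit lists: PIE (ELF type `ET_DYN`), RELRO (a `PT_GNU_RELRO` program header) and a linked-in stack protector (a reference to `__stack_chk_fail`). The `Hardening` type, `Inspect`, `referencesStackChk` and `syntheticELF` are names chosen here, and the sample image `syntheticELF` builds is constructed for the demo, not taken from a real build. One caveat when reading the output for a Go binary: the gc toolchain does not emit stack protectors, so the canary line reads false for any pure-Go build whatever flags are used; only cgo-compiled C objects ever bring `__stack_chk_fail` in.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
	"os"
)

// Hardening records the three properties named in the audit finding.
type Hardening struct {
	PIE         bool // ELF type is ET_DYN, so the loader can randomise the image base (ASLR)
	RELRO       bool // a PT_GNU_RELRO segment exists, so relocated data (GOT) is made read-only after load
	StackCanary bool // the binary references __stack_chk_fail, i.e. compiler stack protectors are linked in
}

// Inspect parses an ELF image and reports which of the three mitigations are present.
func Inspect(r io.ReaderAt) (Hardening, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return Hardening{}, err
	}
	defer f.Close()

	h := Hardening{PIE: f.Type == elf.ET_DYN}
	for _, p := range f.Progs {
		if p.Type == elf.PT_GNU_RELRO {
			h.RELRO = true
		}
	}
	h.StackCanary = referencesStackChk(f)
	return h, nil
}

// referencesStackChk looks for __stack_chk_fail in the static and dynamic symbol tables.
// A stripped or fully static binary has no table to search, which counts as "not found".
func referencesStackChk(f *elf.File) bool {
	for _, table := range []func() ([]elf.Symbol, error){f.Symbols, f.DynamicSymbols} {
		syms, err := table()
		if err != nil {
			continue // elf.ErrNoSymbols or a malformed table
		}
		for _, s := range syms {
			if s.Name == "__stack_chk_fail" {
				return true
			}
		}
	}
	return false
}

// syntheticELF builds a constructed, minimal x86-64 ELF64 image (header plus program
// headers, no sections or code) so the checker can be exercised without a real binary.
func syntheticELF(pie, relro bool) []byte {
	hdr := elf.Header64{
		Type:      uint16(elf.ET_EXEC),
		Machine:   uint16(elf.EM_X86_64),
		Version:   uint32(elf.EV_CURRENT),
		Phoff:     64, // program headers follow the 64-byte ELF header immediately
		Ehsize:    64,
		Phentsize: 56,
		Shentsize: 64,
	}
	copy(hdr.Ident[:], []byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)})
	if pie {
		hdr.Type = uint16(elf.ET_DYN) // what -buildmode=pie produces
	}
	progs := []elf.Prog64{{Type: uint32(elf.PT_LOAD), Flags: uint32(elf.PF_R | elf.PF_X), Align: 0x1000}}
	if relro {
		progs = append(progs, elf.Prog64{Type: uint32(elf.PT_GNU_RELRO), Flags: uint32(elf.PF_R)})
	}
	hdr.Phnum = uint16(len(progs))

	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr)
	for _, p := range progs {
		binary.Write(&buf, binary.LittleEndian, p)
	}
	return buf.Bytes()
}

func main() {
	// With no argument, inspect the constructed sample; otherwise inspect the given binary.
	var src io.ReaderAt = bytes.NewReader(syntheticELF(true, true))
	name := "constructed sample (PIE + RELRO)"
	if len(os.Args) == 2 {
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer f.Close()
		src, name = f, os.Args[1]
	}
	h, err := Inspect(src)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s\n  PIE (ET_DYN):         %v\n  RELRO (PT_GNU_RELRO): %v\n  stack canary symbol:  %v\n",
		name, h.PIE, h.RELRO, h.StackCanary)
}
```

Run it as `go run elfcheck.go ./otelcol` against the output of a build with and without `-buildmode=pie`; the PIE line is the direct check on the change this issue proposes, and the RELRO line shows whether the linker also emitted a `PT_GNU_RELRO` segment for that target.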

jackgopack4 commented 1 month ago

Seems like `-buildmode=pie` doesn't necessarily do anything if CGO is disabled.

mx-psi commented 4 weeks ago

@jackgopack4 I believe some platforms do support it and others do not (at least that's what I get from this comment: https://github.com/golang/go/issues/64875#issuecomment-1874249860 ). We could pass the option only in those platforms

jackgopack4 commented 3 weeks ago

@mx-psi you're right; the error message is exactly the same and only happens on unsupported platforms. Will add conditional logic and test again.

mx-psi commented 2 weeks ago

I think the actual PR that fixes this is #726, reopening until we merge that one

jackgopack4 commented 2 weeks ago

apologies for the confusion