feat: Enable hardening in produced telegraf binaries about telegraf HOT 3 CLOSED

Hi,

Some of the hardening options require the use of cgo. Telegraf builds are static binaries and do not use cgo today. This is not something we would change.

Any changes would be done in a new minor release and not a bug fix release as well.

@jdstrand pointed out that PIE has potential for performance impact depending on arch (see https://wiki.ubuntu.com/Security/Features#Built_as_PIE). We would probably want this enable only in amd64, arm64, s390x, riscv64, ppc64el builds. Additionally, we would want to do some testing of sorts to ensure we do not greatly regress performance, particularly in the parsers.

The other changes would generally require the use of CGO to pass flags to the C compiler.

As a result, I think the change required then is to add GOFLAGS="-buildmode=pie" to the specific architectures listed above. That would enable PIE and RELRO would report as partial.

from telegraf.

-buildmode=pie requires external (cgo) linking, but cgo is not enabled

Apparently, PIE requires cgo as well... in which case I'm not sure we would enable any of these. This led me to golang/go#64875 which seems to have a been a recent change and this list of supported PIE OS+Arch combos.

from telegraf.

I am going to close as this as something we won't change. Because we do not use cgo and do not wish to turn it on, then it doesn't make sense to enable anything further. If I am mistaken then feel free to comment or even put up a PR with a fix/change.

Thanks!

from telegraf.