Compiler and Toolchain
- glibc malloc heap corruption checking to avoid double-free and similar attacks. These checks have existed in glibc for several years now and are active for all our distributions starting with SUSE Linux Enterprise Server 9.
- The "Fortify Source" extensions in gcc and glibc are enabled for all packages by default (using -D_FORTIFY_SOURCE=2) since SUSE Linux 10.0 and SUSE Linux Enterprise 10. This extension brings:
- Compile buffer overflow checking for various C string / memory functions. On a overflow of a buffer that is already provable at compile time a warning is emitted by the compiler and caught by our build processes.
- Runtime buffer overflow checking for the C string / memory functions for destination buffers whose size is known at compile time. An overflow here triggers a controlled abort of the program.
- Exploitation of format string problems trigger a controlled abort of the program.
- Specific warnings on missing return value checks of dangerous library functions.
- Runtime stack overflow checking using -fstack-protector is used in some critical packages in SUSE Linux 10.1 and SUSE Linux Enterprise 10 and enabled by default for all packages starting with openSUSE 10.2.
- Marking stack and heap non-executable to make NX possible is done for nearly all packages for some time now.
- -z relro is enabled by default since SUSE Linux 10.1, which makes attacks on specific ELF sections no longer work.
- While a number of selected binaries were built as Position Independend Executables (PIE) for a while, on May 2017 Tumbleweed was switched to enabling PIE per default for all binaries. SUSE Linux Enterprise 15 and openSUSE Leap 15.0 and later have all binaries built with PIE enabled.
- Stack Clash Protection ( -fstack-clash-protection) is enabled in SUSE Linux Enterprise 15 and later and also on Leap 15.0 and later, and for freshly released updates in SUSE Linux Enterprise 12 and openSUSE Leap 42.3.
- Hardware based NX (No eXecute, also known as DEP) support is enabled for Stack and Heap since SUSE Linux Enterprise Server 9 on:
- all AMD64/EM64T processors.
- on x86 machines using the "bigsmp" or "pae" kernel and the processor being able to support the NX bit.
- We do not include Software NX at this time, since it is not in the mainline kernel and likely never will be.
- Address Space Randomization is used for the stack and library mappings since SUSE Linux Enterprise 10 and SUSE Linux 10.1.
- Address Space Randomization for PIE binaries and their heaps since openSUSE 11.1 and SUSE Linux Enterprise 11. (randomize_va_space=1)
- Address Space Randomization for binaries seperated from heaps and for the VDSO segment starting with openSUSE 12.2. (COMPAT_VDSO and COMPAT_BRK turned off, randomize_va_space=2)
- "ExecShield" and "PAX" contain several features including the ones listed above. This means that we implement parts of the "ExecShield" and "PAX" functions already at this time.
We included the Mandatory Access Control System AppArmor to confine potentially endangered applications.
SELinux is enabled in the kernel, though there is no default policy provided.
Since SUSE Linux 9.3 the iptables based SuSEfirewall2 is enabled by default, including a very restrictive inbound filtering.
nftables is available for installation starting with 13.2 onwards.
Starting with openSUSE 15 SuSEFirewall2 has been replaced by firewalld as the default firewall package.
We chose to run only a minimal set of daemons in the default configuration. Only the following are listening to the network:
- SSH daemon
- portmap daemon
- cups print server
All of them are blocked by the firewall by default though.
Setuid/setgid binaries are:
- kept to a minimum. We try to replace them by more secure methods of user - root privilege passing or even get rid of them at all.
- new ones are required to be source audited by the Security Team, old ones are audited again after some time.
Source code audits
System services, setuid binaries, PAM modules, DBUS Services and other security relevant software is audited by the security team and the findings reported to the upstream maintainers and fixed.
crypt(3) algorithm: DES until ..., Blowfish since ..., SHA512 since ...