mirror of
https://github.com/foo-dogsquared/wiki.git
synced 2025-01-31 07:57:57 +00:00
{"pageProps":{"metadata":{"date":"2022-04-19 20:19:26 +08:00","date_modified":"2022-04-22 18:10:16 +08:00","language":"en","source":""},"title":"systemd unit hardening","hast":{"type":"root","children":[{"type":"element","tagName":"nav","properties":{"className":"toc"},"children":[{"type":"element","tagName":"ol","properties":{"className":"toc-level toc-level-1"},"children":[]}]},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"the main command to use is "},{"type":"element","tagName":"code","properties":{"className":["inline-code"]},"children":[{"type":"text","value":"systemd-analyze security"}]},{"type":"text","value":";\n this will give a list of units along with their exposure score (lower is better);\n the score only counts the sandboxing options systemd applies to the unit, not any protections the service implements itself;\n"}]},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"take note that a 1.0 score shouldn't be treated as the goal, since not all units have the same needs;\n security, after all, is about mitigating the threats in your threat model\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"the only kind of unit that can attain the lowest score is a simple \"Hello world\" program or similar, so don't go for a 1.0\n"}]}]}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"several systemd unit options are only available in certain units such as system services\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"here is a list of sandboxing-related options;\n for more information, 
see the "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"systemd.exec.5"}]},{"type":"text","value":" manual page\n"}]},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"ProtectHome"}]},{"type":"text","value":" will restrict the process from interacting with "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/home"}]},{"type":"text","value":", "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/root"}]},{"type":"text","value":", and "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/run/user"}]},{"type":"text","value":";\n can accept a boolean or certain values: "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"read-only"}]},{"type":"text","value":" will set those directories to read-only (their contents stay readable) and "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"tmpfs"}]},{"type":"text","value":" will mount temporary filesystems over the directories as read-only, hiding their contents;\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"ProtectControlGroups"}]},{"type":"text","value":" will make the control group filesystem (i.e., 
"},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/sys/fs/cgroup"}]},{"type":"text","value":") read-only\n"}]}]},{"type":"element","tagName":"li","proper