wiki/notebook/linux.systemd.unit-hardening.org

:PROPERTIES:
:ID:       7fce893f-418f-42aa-b2b1-59d9f0993406
:END:
#+title: systemd unit hardening
#+date: 2022-04-19 20:19:26 +08:00
#+date_modified: 2022-04-22 18:10:16 +08:00
#+language: en


- main command to interact is ~systemd-analyze security~;
  this will give a list of units along with their exposure score (lower is better);
  - take note the goal to a 1.0 score shouldn't be taken as a goal since not all units need are the same;
    security, after all, is about mitigating against your threat model
  - the only unit possible to attain the lowest score is a simple "Hello world" program or similar so don't go for a 1.0
- several systemd unit options are only available in certain units such as system services
- here is a list of sandboxing-related options;
  for more information, see =systemd.exec.5= manual page
  - =ProtectHome= will restrict process to interact with =/home=, =/root=, and =/run/user=;
    can accept a boolean or certain values: =read-only= will set certain directories to read-only and =tmpfs= will mount the temporary filesystems to the directories as read-only;
  - =ProtectControlGroups= will make the control group filesystem (i.e., =/sys/fs/cgroup=) to read-only
  - =PrivateUsers=, if enabled, will run the processes through another user
  - =ProtectClock= prohibits interacting with the system clock
  - =ProtectKernelModules= restricts loading of kernel modules
  - =ProtectKernelLogs= prevents logging into the kernel ring buffer
  - =PrivateTmp= will create a new temporary filesystem for the unit
  - =PrivateNetwork= will create a new set of network devices only composing of a loopback network device;
    this will disallow network access and thus should only use for processes with no business with network access
  - =PrivateDevices= will create a new set of devices with only the pseudo-devices (e.g., =/dev/null=, =/dev/zero=);
    this will restrict device access and should be used for processes with no device access
  - =SystemCallFilter= takes a space-separated list of system calls to be filtered to the unit;
    if the unit is detected to call one of the listed syscall, systemd will terminate them;
    while listing them individually is possible, systemd has predefined set of calls putting them into categories;
    to see them, use ~systemd-analyze syscall-filters~
- extra resources
  - [[https://www.ctrl.blog/entry/systemd-service-hardening.html][systemd service hardening]] from ctrl.blog
  - also, a [[https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html][follow-up post that uses a real-life example for service hardening a web server with recent exploits]]
Update systemd- and Neovim-related notes 2022-04-20 11:05:37 +00:00			`:PROPERTIES:`
			`:ID: 7fce893f-418f-42aa-b2b1-59d9f0993406`
			`:END:`
			`#+title: systemd unit hardening`
			`#+date: 2022-04-19 20:19:26 +08:00`
Update various notes on things Still cannot make up a good note-taking habit especially that I archive more than taking notes. Though, this same cannot be said for my course notes so that's a plus. 2022-05-22 14:47:20 +00:00			`#+date_modified: 2022-04-22 18:10:16 +08:00`
Update systemd- and Neovim-related notes 2022-04-20 11:05:37 +00:00			`#+language: en`


			`- main command to interact is ~systemd-analyze security~;`
			`this will give a list of units along with their exposure score (lower is better);`
			`- take note the goal to a 1.0 score shouldn't be taken as a goal since not all units need are the same;`
			`security, after all, is about mitigating against your threat model`
			`- the only unit possible to attain the lowest score is a simple "Hello world" program or similar so don't go for a 1.0`
			`- several systemd unit options are only available in certain units such as system services`
			`- here is a list of sandboxing-related options;`
Update various notes on things Still cannot make up a good note-taking habit especially that I archive more than taking notes. Though, this same cannot be said for my course notes so that's a plus. 2022-05-22 14:47:20 +00:00			`for more information, see =systemd.exec.5= manual page`
			`- =ProtectHome= will restrict process to interact with =/home=, =/root=, and =/run/user=;`
			`can accept a boolean or certain values: =read-only= will set certain directories to read-only and =tmpfs= will mount the temporary filesystems to the directories as read-only;`
			`- =ProtectControlGroups= will make the control group filesystem (i.e., =/sys/fs/cgroup=) to read-only`
			`- =PrivateUsers=, if enabled, will run the processes through another user`
			`- =ProtectClock= prohibits interacting with the system clock`
			`- =ProtectKernelModules= restricts loading of kernel modules`
			`- =ProtectKernelLogs= prevents logging into the kernel ring buffer`
			`- =PrivateTmp= will create a new temporary filesystem for the unit`
			`- =PrivateNetwork= will create a new set of network devices only composing of a loopback network device;`
Update systemd- and Neovim-related notes 2022-04-20 11:05:37 +00:00			`this will disallow network access and thus should only use for processes with no business with network access`
Update various notes on things Still cannot make up a good note-taking habit especially that I archive more than taking notes. Though, this same cannot be said for my course notes so that's a plus. 2022-05-22 14:47:20 +00:00			`- =PrivateDevices= will create a new set of devices with only the pseudo-devices (e.g., =/dev/null=, =/dev/zero=);`
Update systemd- and Neovim-related notes 2022-04-20 11:05:37 +00:00			`this will restrict device access and should be used for processes with no device access`
Update various notes on things Still cannot make up a good note-taking habit especially that I archive more than taking notes. Though, this same cannot be said for my course notes so that's a plus. 2022-05-22 14:47:20 +00:00			`- =SystemCallFilter= takes a space-separated list of system calls to be filtered to the unit;`
			`if the unit is detected to call one of the listed syscall, systemd will terminate them;`
			`while listing them individually is possible, systemd has predefined set of calls putting them into categories;`
			`to see them, use ~systemd-analyze syscall-filters~`
Update systemd- and Neovim-related notes 2022-04-20 11:05:37 +00:00			`- extra resources`
			`- [[https://www.ctrl.blog/entry/systemd-service-hardening.html][systemd service hardening]] from ctrl.blog`
			`- also, a [[https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html][follow-up post that uses a real-life example for service hardening a web server with recent exploits]]`