mirror of
https://github.com/foo-dogsquared/wiki.git
synced 2025-01-31 01:57:54 +00:00
36 lines
15 KiB
HTML
36 lines
15 KiB
HTML
|
<!DOCTYPE html><html><head><meta name="viewport" content="width=device-width"/><meta charSet="utf-8"/><title>systemd unit hardening</title><script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script><script id="MathJax-script" async="" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script><script type="text/x-mathjax-config">
|
||
|
|
MathJax = {
|
||
|
|
tex: {
|
||
|
|
inlineMath: [ ['$','$'], ['\(','\)'] ],
|
||
|
|
displayMath: [ ['$$','$$'], ['[',']'] ]
|
||
|
|
},
|
||
|
|
options = {
|
||
|
|
processHtmlClass = "math"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
</script><meta name="next-head-count" content="6"/><link rel="preload" href="/wiki/_next/static/css/52fc2ba29703df73922c.css" as="style"/><link rel="stylesheet" href="/wiki/_next/static/css/52fc2ba29703df73922c.css" data-n-g=""/><noscript data-n-css=""></noscript><link rel="preload" href="/wiki/_next/static/chunks/main-ae4733327bd95c4ac325.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/webpack-50bee04d1dc61f8adf5b.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/framework.9d524150d48315f49e80.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/commons.0e1c3f9aa780c2dfe9f0.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/pages/_app-8e3d0c58a60ec788aa69.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/940643274e605e7596ecea1f2ff8d83317a3fb76.4841a16762f602a59f00.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/pages/%5B%5B...slug%5D%5D-1aa198f87ede1cd0e1dc.js" as="script"/></head><body><div id="__next"><main><h1>systemd unit hardening</h1><section class="post-metadata"><span>Date: <!-- -->2022-04-19 20:19:26 +08:00</span><span>Date modified: <!-- -->2022-04-22 18:10:16 +08:00</span></section><nav class="toc"><ol class="toc-level toc-level-1"></ol></nav><ul><li><p>main command to interact is <code class="inline-code">systemd-analyze security</code>;
|
||
|
|
this will give a list of units along with their exposure score (lower is better);
|
||
|
|
</p><ul><li><p>take note the goal to a 1.0 score shouldn't be taken as a goal since not all units need are the same;
|
||
|
|
security, after all, is about mitigating against your threat model
|
||
|
|
</p></li><li><p>the only unit possible to attain the lowest score is a simple "Hello world" program or similar so don't go for a 1.0
|
||
|
|
</p></li></ul></li><li><p>several systemd unit options are only available in certain units such as system services
|
||
|
|
</p></li><li><p>here is a list of sandboxing-related options;
|
||
|
|
for more information, see <code class="inline-verbatim">systemd.exec.5</code> manual page
|
||
|
|
</p><ul><li><p><code class="inline-verbatim">ProtectHome</code> will restrict process to interact with <code class="inline-verbatim">/home</code>, <code class="inline-verbatim">/root</code>, and <code class="inline-verbatim">/run/user</code>;
|
||
|
|
can accept a boolean or certain values: <code class="inline-verbatim">read-only</code> will set certain directories to read-only and <code class="inline-verbatim">tmpfs</code> will mount the temporary filesystems to the directories as read-only;
|
||
|
|
</p></li><li><p><code class="inline-verbatim">ProtectControlGroups</code> will make the control group filesystem (i.e., <code class="inline-verbatim">/sys/fs/cgroup</code>) to read-only
|
||
|
|
</p></li><li><p><code class="inline-verbatim">PrivateUsers</code>, if enabled, will run the processes through another user
|
||
|
|
</p></li><li><p><code class="inline-verbatim">ProtectClock</code> prohibits interacting with the system clock
|
||
|
|
</p></li><li><p><code class="inline-verbatim">ProtectKernelModules</code> restricts loading of kernel modules
|
||
|
|
</p></li><li><p><code class="inline-verbatim">ProtectKernelLogs</code> prevents logging into the kernel ring buffer
|
||
|
|
</p></li><li><p><code class="inline-verbatim">PrivateTmp</code> will create a new temporary filesystem for the unit
|
||
|
|
</p></li><li><p><code class="inline-verbatim">PrivateNetwork</code> will create a new set of network devices only composing of a loopback network device;
|
||
|
|
this will disallow network access and thus should only use for processes with no business with network access
|
||
|
|
</p></li><li><p><code class="inline-verbatim">PrivateDevices</code> will create a new set of devices with only the pseudo-devices (e.g., <code class="inline-verbatim">/dev/null</code>, <code class="inline-verbatim">/dev/zero</code>);
|
||
|
|
this will restrict device access and should be used for processes with no device access
|
||
|
|
</p></li><li><p><code class="inline-verbatim">SystemCallFilter</code> takes a space-separated list of system calls to be filtered to the unit;
|
||
|
|
if the unit is detected to call one of the listed syscall, systemd will terminate them;
|
||
|
|
while listing them individually is possible, systemd has predefined set of calls putting them into categories;
|
||
|
|
to see them, use <code class="inline-code">systemd-analyze syscall-filters</code></p></li></ul></li><li><p>extra resources
|
||
|
|
</p><ul><li><p><a href="https://www.ctrl.blog/entry/systemd-service-hardening.html">systemd service hardening</a> from ctrl.blog
|
||
|
|
</p></li><li><p>also, a <a href="https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html">follow-up post that uses a real-life example for service hardening a web server with recent exploits</a></p></li></ul></li></ul><section><h2>Backlinks</h2><ul><li><a href="/wiki/linux.systemd">systemd</a></li></ul></section></main></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"metadata":{"date":"2022-04-19 20:19:26 +08:00","date_modified":"2022-04-22 18:10:16 +08:00","language":"en","source":""},"title":"systemd unit hardening","hast":{"type":"root","children":[{"type":"element","tagName":"nav","properties":{"className":"toc"},"children":[{"type":"element","tagName":"ol","properties":{"className":"toc-level toc-level-1"},"children":[]}]},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"main command to interact is "},{"type":"element","tagName":"code","properties":{"className":["inline-code"]},"children":[{"type":"text","value":"systemd-analyze security"}]},{"type":"text","value":";\n this will give a list of units along with their exposure score (lower is better);\n"}]},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"take note the goal to a 1.0 score shouldn't be taken as a goal since not all units need are the same;\n security, after all, is about mitigating against your threat model\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"the only unit possible to attain the lowest score is a simple \"Hello world\" program or similar so don't go for a 1.0\n"}]}]}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"several systemd unit options are only available in certain units such as system services\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"here is a list of sandboxing-related options;\n for more information, see "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"systemd.exec.5"}]},{"type":"text","value":" manual page\n"}]},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"ProtectHome"}]},{"type":"text","value":" will restrict process to interact with "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/home"}]},{"type":"text","value":", "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/root"}]},{"type":"text","value":", and "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/run/user"}]},{"type":"text","value":";\n can accept a boolean or certain values: "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"read-only"}]},{"type":"text","value":" will set certain directories to read-only and "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"tmpfs"}]},{"type":"text","value":" will mount the temporary filesystems to the directories as read-only;\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{
|