mirror of
https://github.com/foo-dogsquared/wiki.git
synced 2025-01-31 01:57:54 +00:00
<!DOCTYPE html><html><head><meta name="viewport" content="width=device-width"/><meta charSet="utf-8"/><title>systemd unit hardening</title><script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script><script id="MathJax-script" async="" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script><script type="text/x-mathjax-config">
MathJax = {
  tex: {
    inlineMath: [ ['$','$'], ['\\(','\\)'] ],
    displayMath: [ ['$$','$$'], ['\\[','\\]'] ]
  },
  options: {
    processHtmlClass: "math"
  }
};
</script><meta name="next-head-count" content="6"/><link rel="preload" href="/wiki/_next/static/css/52fc2ba29703df73922c.css" as="style"/><link rel="stylesheet" href="/wiki/_next/static/css/52fc2ba29703df73922c.css" data-n-g=""/><noscript data-n-css=""></noscript><link rel="preload" href="/wiki/_next/static/chunks/main-ae4733327bd95c4ac325.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/webpack-50bee04d1dc61f8adf5b.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/framework.9d524150d48315f49e80.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/commons.0e1c3f9aa780c2dfe9f0.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/pages/_app-8e3d0c58a60ec788aa69.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/940643274e605e7596ecea1f2ff8d83317a3fb76.4841a16762f602a59f00.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/pages/%5B%5B...slug%5D%5D-1aa198f87ede1cd0e1dc.js" as="script"/></head><body><div id="__next"><main><h1>systemd unit hardening</h1><section class="post-metadata"><span>Date: <!-- -->2022-04-19 20:19:26 +08:00</span><span>Date modified: <!-- -->2022-04-22 18:10:16 +08:00</span></section><nav class="toc"><ol class="toc-level toc-level-1"></ol></nav>
<ul><li><p>the main command to interact with is <code class="inline-code">systemd-analyze security</code>; it lists the units along with their exposure score (lower is better)
</p><ul><li><p>take note that a 1.0 score shouldn't be taken as the goal, since not all units have the same needs; security, after all, is about mitigating against your threat model
</p></li><li><p>the only unit that could attain the lowest score is a simple "Hello world" program or similar, so don't go for a 1.0
</p></li></ul></li><li><p>several systemd unit options are only available in certain unit types, such as system services
</p></li><li><p>here is a list of sandboxing-related options; for more information, see the <code class="inline-verbatim">systemd.exec.5</code> manual page
</p><ul><li><p><code class="inline-verbatim">ProtectHome</code> restricts the process from interacting with <code class="inline-verbatim">/home</code>, <code class="inline-verbatim">/root</code>, and <code class="inline-verbatim">/run/user</code>; it accepts a boolean or one of two modes: <code class="inline-verbatim">read-only</code> makes those directories read-only, and <code class="inline-verbatim">tmpfs</code> mounts read-only temporary filesystems over them
</p></li><li><p><code class="inline-verbatim">ProtectControlGroups</code> makes the control group filesystem (i.e., <code class="inline-verbatim">/sys/fs/cgroup</code>) read-only
</p></li><li><p><code class="inline-verbatim">PrivateUsers</code>, if enabled, runs the processes as a different user
</p></li><li><p><code class="inline-verbatim">ProtectClock</code> prohibits interacting with the system clock
</p></li><li><p><code class="inline-verbatim">ProtectKernelModules</code> restricts loading of kernel modules
</p></li><li><p><code class="inline-verbatim">ProtectKernelLogs</code> prevents logging to the kernel ring buffer
</p></li><li><p><code class="inline-verbatim">PrivateTmp</code> creates a new temporary filesystem for the unit
</p></li><li><p><code class="inline-verbatim">PrivateNetwork</code> creates a new set of network devices consisting only of a loopback device; this disallows network access and so should only be used for processes that have no business with the network
</p></li><li><p><code class="inline-verbatim">PrivateDevices</code> creates a new set of devices containing only the pseudo-devices (e.g., <code class="inline-verbatim">/dev/null</code>, <code class="inline-verbatim">/dev/zero</code>); this restricts device access and should be used for processes that need no device access
</p></li><li><p><code class="inline-verbatim">SystemCallFilter</code> takes a space-separated list of system calls to filter for the unit; if a process of the unit is detected calling one of the listed syscalls, systemd terminates it; while listing them individually is possible, systemd has predefined sets that group calls into categories; to see them, use <code class="inline-code">systemd-analyze syscall-filters</code></p></li></ul></li><li><p>extra resources
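As an added example (my own code, not the wiki's or systemd's), a small Python checker that reads a unit's <code class="inline-verbatim">[Service]</code> section and reports which of the sandboxing options listed above are unset or disabled; the two unit files it runs on are constructed. It relies on two rules from <code class="inline-verbatim">systemd.exec.5</code>: a later assignment of the same key wins (an empty <code class="inline-verbatim">Key=</code> resets it), and a <code class="inline-verbatim">SystemCallFilter=</code> list beginning with <code class="inline-verbatim">~</code> is a deny-list, whereas an unprefixed list is an allow-list.

```python
# Constructed example for this note (not code from the wiki or from systemd):
# a checker for the sandboxing options listed above, run on two constructed units.
from typing import Dict, List

ON = {"yes", "true"}
EXPECTED = {  # option -> values that count as enabled
    "ProtectHome": ON | {"read-only", "tmpfs"}, "ProtectControlGroups": ON,
    "PrivateUsers": ON, "ProtectClock": ON, "ProtectKernelModules": ON,
    "ProtectKernelLogs": ON, "PrivateTmp": ON, "PrivateNetwork": ON,
    "PrivateDevices": ON,
}

def service_settings(unit: str) -> Dict[str, List[str]]:
    """[Service] assignments in order: a key may repeat, and an empty
    assignment (Key=) resets every earlier value of that key."""
    section, seen = "", {}
    for raw in unit.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, val = line.partition("=")
            key, val = key.strip(), val.strip()
            seen[key] = [] if val == "" else seen.get(key, []) + [val]
    return seen

def audit(unit: str) -> List[str]:
    """Findings for options that are unset or disabled; [] means all are on."""
    svc, findings = service_settings(unit), []
    for key, enabled in EXPECTED.items():
        vals = svc.get(key, [])
        if not vals or vals[-1].lower() not in enabled:  # last assignment wins
            findings.append(f"{key}={vals[-1] if vals else '(unset)'}")
    filt = svc.get("SystemCallFilter", [])
    if not filt:
        findings.append("SystemCallFilter=(unset)")
    elif filt[0].startswith("~"):  # a leading '~' makes the list a deny-list
        findings.append("SystemCallFilter=deny-list (an allow-list is stricter)")
    return findings

# Constructed units. HARDENED is WEAK plus a drop-in such as `systemctl edit`
# would append, so its later assignments win and the empty SystemCallFilter=
# clears the deny-list before the @system-service allow-list is set.
WEAK = "[Service]\nExecStart=/usr/bin/true\nProtectHome=no\nSystemCallFilter=~@mount\n"
HARDENED = WEAK + "".join(f"{k}=yes\n" for k in EXPECTED if k != "ProtectHome") \
    + "ProtectHome=tmpfs\nSystemCallFilter=\nSystemCallFilter=@system-service\n"
```

Running <code class="inline-verbatim">audit(WEAK)</code> yields ten findings and <code class="inline-verbatim">audit(HARDENED)</code> none; the real exposure score still comes from <code class="inline-code">systemd-analyze security</code>.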
</p><ul><li><p><a href="https://www.ctrl.blog/entry/systemd-service-hardening.html">systemd service hardening</a> from ctrl.blog
</p></li><li><p>also, a <a href="https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html">follow-up post that works through a real-life example of hardening a web server with recent exploits</a></p></li></ul></li></ul><section><h2>Backlinks</h2><ul><li><a href="/wiki/linux.systemd">systemd</a></li></ul></section></main></div></body></html>