foodogsquared/wiki
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/wiki.git synced 2025-01-30 22:57:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
wiki/notebook/linux.systemd.unit-hardening.org
Gabriel Arazas a5b3c7a8a1 Update various notes on things 
Still cannot make up a good note-taking habit especially that I archive
more than taking notes. Though, this same cannot be said for my course
notes so that's a plus.
2022-05-22 22:47:20 +08:00

2.6 KiB
Raw Permalink Blame History

systemd unit hardening

  • main command to interact is systemd-analyze security; this will give a list of units along with their exposure score (lower is better);

    • take note the goal to a 1.0 score shouldn't be taken as a goal since not all units need are the same; security, after all, is about mitigating against your threat model
    • the only unit possible to attain the lowest score is a simple "Hello world" program or similar so don't go for a 1.0
  • several systemd unit options are only available in certain units such as system services

  • here is a list of sandboxing-related options; for more information, see systemd.exec.5 manual page

    • ProtectHome will restrict process to interact with /home, /root, and /run/user; can accept a boolean or certain values: read-only will set certain directories to read-only and tmpfs will mount the temporary filesystems to the directories as read-only;
    • ProtectControlGroups will make the control group filesystem (i.e., /sys/fs/cgroup) to read-only
    • PrivateUsers, if enabled, will run the processes through another user
    • ProtectClock prohibits interacting with the system clock
    • ProtectKernelModules restricts loading of kernel modules
    • ProtectKernelLogs prevents logging into the kernel ring buffer
    • PrivateTmp will create a new temporary filesystem for the unit
    • PrivateNetwork will create a new set of network devices only composing of a loopback network device; this will disallow network access and thus should only use for processes with no business with network access
    • PrivateDevices will create a new set of devices with only the pseudo-devices (e.g., /dev/null, /dev/zero); this will restrict device access and should be used for processes with no device access
    • SystemCallFilter takes a space-separated list of system calls to be filtered to the unit; if the unit is detected to call one of the listed syscall, systemd will terminate them; while listing them individually is possible, systemd has predefined set of calls putting them into categories; to see them, use systemd-analyze syscall-filters

  • extra resources