foodogsquared/wiki
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/wiki.git synced 2025-02-07 12:19:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8c378fc029
wiki/notebook/linux.systemd.unit-hardening.org
Gabriel Arazas 8c378fc029 Update systemd- and Neovim-related notes
2022-04-20 19:05:37 +08:00

33 lines
2.2 KiB
Org Mode
Raw Blame History

:PROPERTIES:
:ID: 7fce893f-418f-42aa-b2b1-59d9f0993406
:END:
#+title: systemd unit hardening
#+date: 2022-04-19 20:19:26 +08:00
#+date_modified: 2022-04-19 20:21:27 +08:00
#+language: en
- main command to interact is ~systemd-analyze security~;
this will give a list of units along with their exposure score (lower is better);
- take note the goal to a 1.0 score shouldn't be taken as a goal since not all units need are the same;
security, after all, is about mitigating against your threat model
- the only unit possible to attain the lowest score is a simple "Hello world" program or similar so don't go for a 1.0
- several systemd unit options are only available in certain units such as system services
- here is a list of sandboxing-related options;
for more information, see ~systemd.exec.5~ manual page
- ~ProtectHome~ will restrict process to interact with ~/home~, ~/root~, and ~/run/user~;
can accept a boolean or certain values: ~read-only~ will set certain directories to read-only and ~tmpfs~ will mount the temporary filesystems to the directories as read-only;
- ~ProtectControlGroups~ will make the control group filesystem (i.e., ~/sys/fs/cgroup~) to read-only
- ~PrivateUsers~, if enabled, will run the processes through another user
- ~ProtectClock~ prohibits interacting with the system clock
- ~ProtectKernelModules~ restricts loading of kernel modules
- ~ProtectKernelLogs~ prevents logging into the kernel ring buffer
- ~PrivateTmp~ will create a new temporary filesystem for the unit
- ~PrivateNetwork~ will create a new set of network devices only composing of a loopback network device;
this will disallow network access and thus should only use for processes with no business with network access
- ~PrivateDevices~ will create a new set of devices with only the pseudo-devices (e.g., ~/dev/null~, ~/dev/zero~);
this will restrict device access and should be used for processes with no device access
- extra resources
- [[https://www.ctrl.blog/entry/systemd-service-hardening.html][systemd service hardening]] from ctrl.blog
- also, a [[https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html][follow-up post that uses a real-life example for service hardening a web server with recent exploits]]
Reference in New Issue View Git Blame Copy Permalink