foodogsquared/wiki
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/wiki.git synced 2025-01-31 01:57:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b493aa91e8
wiki/notebook/linux.systemd.unit-hardening.org
Gabriel Arazas a5b3c7a8a1 Update various notes on things 
Still cannot make up a good note-taking habit especially that I archive
more than taking notes. Though, this same cannot be said for my course
notes so that's a plus.
2022-05-22 22:47:20 +08:00

37 lines
2.6 KiB
Org Mode
Raw Blame History

:PROPERTIES:
:ID: 7fce893f-418f-42aa-b2b1-59d9f0993406
:END:
#+title: systemd unit hardening
#+date: 2022-04-19 20:19:26 +08:00
#+date_modified: 2022-04-22 18:10:16 +08:00
#+language: en
- main command to interact is ~systemd-analyze security~;
this will give a list of units along with their exposure score (lower is better);
- take note the goal to a 1.0 score shouldn't be taken as a goal since not all units need are the same;
security, after all, is about mitigating against your threat model
- the only unit possible to attain the lowest score is a simple "Hello world" program or similar so don't go for a 1.0
- several systemd unit options are only available in certain units such as system services
- here is a list of sandboxing-related options;
for more information, see =systemd.exec.5= manual page
- =ProtectHome= will restrict process to interact with =/home=, =/root=, and =/run/user=;
can accept a boolean or certain values: =read-only= will set certain directories to read-only and =tmpfs= will mount the temporary filesystems to the directories as read-only;
- =ProtectControlGroups= will make the control group filesystem (i.e., =/sys/fs/cgroup=) to read-only
- =PrivateUsers=, if enabled, will run the processes through another user
- =ProtectClock= prohibits interacting with the system clock
- =ProtectKernelModules= restricts loading of kernel modules
- =ProtectKernelLogs= prevents logging into the kernel ring buffer
- =PrivateTmp= will create a new temporary filesystem for the unit
- =PrivateNetwork= will create a new set of network devices only composing of a loopback network device;
this will disallow network access and thus should only use for processes with no business with network access
- =PrivateDevices= will create a new set of devices with only the pseudo-devices (e.g., =/dev/null=, =/dev/zero=);
this will restrict device access and should be used for processes with no device access
- =SystemCallFilter= takes a space-separated list of system calls to be filtered to the unit;
if the unit is detected to call one of the listed syscall, systemd will terminate them;
while listing them individually is possible, systemd has predefined set of calls putting them into categories;
to see them, use ~systemd-analyze syscall-filters~
- extra resources
- [[https://www.ctrl.blog/entry/systemd-service-hardening.html][systemd service hardening]] from ctrl.blog
- also, a [[https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html][follow-up post that uses a real-life example for service hardening a web server with recent exploits]]
Reference in New Issue View Git Blame Copy Permalink