mirror of
https://github.com/foo-dogsquared/wiki.git
synced 2025-01-31 07:57:57 +00:00
1 line
8.6 KiB
JSON
1 line
8.6 KiB
JSON
{"pageProps":{"metadata":{"date":"2022-04-19 20:19:26 +08:00","date_modified":"2022-04-22 18:10:16 +08:00","language":"en","source":""},"title":"systemd unit hardening","hast":{"type":"root","children":[{"type":"element","tagName":"nav","properties":{"className":"toc"},"children":[{"type":"element","tagName":"ol","properties":{"className":"toc-level toc-level-1"},"children":[]}]},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"main command to interact is "},{"type":"element","tagName":"code","properties":{"className":["inline-code"]},"children":[{"type":"text","value":"systemd-analyze security"}]},{"type":"text","value":";\n this will give a list of units along with their exposure score (lower is better);\n"}]},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"take note the goal to a 1.0 score shouldn't be taken as a goal since not all units need are the same;\n security, after all, is about mitigating against your threat model\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"the only unit possible to attain the lowest score is a simple \"Hello world\" program or similar so don't go for a 1.0\n"}]}]}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"several systemd unit options are only available in certain units such as system services\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"here is a list of sandboxing-related options;\n for more information, see "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"systemd.exec.5"}]},{"type":"text","value":" manual page\n"}]},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"ProtectHome"}]},{"type":"text","value":" will restrict process to interact with "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/home"}]},{"type":"text","value":", "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/root"}]},{"type":"text","value":", and "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/run/user"}]},{"type":"text","value":";\n can accept a boolean or certain values: "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"read-only"}]},{"type":"text","value":" will set certain directories to read-only and "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"tmpfs"}]},{"type":"text","value":" will mount the temporary filesystems to the directories as read-only;\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"ProtectControlGroups"}]},{"type":"text","value":" will make the control group filesystem (i.e., "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/sys/fs/cgroup"}]},{"type":"text","value":") to read-only\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"PrivateUsers"}]},{"type":"text","value":", if enabled, will run the processes through another user\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"ProtectClock"}]},{"type":"text","value":" prohibits interacting with the system clock\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"ProtectKernelModules"}]},{"type":"text","value":" restricts loading of kernel modules\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"ProtectKernelLogs"}]},{"type":"text","value":" prevents logging into the kernel ring buffer\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"PrivateTmp"}]},{"type":"text","value":" will create a new temporary filesystem for the unit\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"PrivateNetwork"}]},{"type":"text","value":" will create a new set of network devices only composing of a loopback network device;\n this will disallow network access and thus should only use for processes with no business with network access\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"PrivateDevices"}]},{"type":"text","value":" will create a new set of devices with only the pseudo-devices (e.g., "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/dev/null"}]},{"type":"text","value":", "},{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"/dev/zero"}]},{"type":"text","value":");\n this will restrict device access and should be used for processes with no device access\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"code","properties":{"className":["inline-verbatim"]},"children":[{"type":"text","value":"SystemCallFilter"}]},{"type":"text","value":" takes a space-separated list of system calls to be filtered to the unit;\n if the unit is detected to call one of the listed syscall, systemd will terminate them;\n while listing them individually is possible, systemd has predefined set of calls putting them into categories;\n to see them, use "},{"type":"element","tagName":"code","properties":{"className":["inline-code"]},"children":[{"type":"text","value":"systemd-analyze syscall-filters"}]}]}]}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"extra resources\n"}]},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"a","properties":{"href":"https://www.ctrl.blog/entry/systemd-service-hardening.html"},"children":[{"type":"text","value":"systemd service hardening"}]},{"type":"text","value":" from ctrl.blog\n"}]}]},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"also, a "},{"type":"element","tagName":"a","properties":{"href":"https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html"},"children":[{"type":"text","value":"follow-up post that uses a real-life example for service hardening a web server with recent exploits"}]}]}]}]}]}]}]},"backlinks":[{"path":"/linux.systemd","title":"systemd"}]},"__N_SSG":true} |