Harden and update to use the new features in systemd-232 #20186

Open · 12 tasks
spacekitteh opened this issue Nov 5, 2016 · 4 comments
Comments

@spacekitteh
Contributor

spacekitteh commented Nov 5, 2016

Once systemd-232 is merged (#20156) and things are working, we have a bunch of tasks:

  • Set defaults for services to abide by the principle of least privilege (The service interface should abide by the principle of least privilege #14645)
    • ProtectKernelModules = true;
    • ProtectSystem = "strict";
    • ProtectKernelTunables = true;
    • ProtectControlGroups = true;
    • DynamicUser = true; (Many of our NixOS services run as root and shouldn't #11908) Requires enabling the new nss-systemd.so module. Also means going through all current services to remove now-unrequired users.
    • NoNewPrivileges = true;
    • RestrictAddressFamilies. This takes a list of address families to whitelist, but the default should be empty.
  • RemoveIPC option to remove assigned IPC objects after service exit
  • Include the two new user targets: "graphical-session.target" and "graphical-session-pre.target"
  • Ensure Journald's SplitMode has been changed to "uid", as "login" is now deprecated
  • Update cryptsetup/crypttab to enable VeraCrypt partitions
@peterhoeg
Member

This is the best practice list from the mailing list:

CapabilityBoundingSet=...
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_NETLINK AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources
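
The list above lends itself to an automated check. The following added example (not NixOS or systemd code) parses a unit's [Service] section and reports which of these hardening directives are missing or weaker than the list asks for, including the case where a later empty assignment resets a list-valued setting; the sample unit text is constructed.

```python
"""Audit a systemd unit's [Service] section against the hardening list in
this issue. Added example, not systemd or NixOS code; the unit is constructed."""
from typing import Dict, List
# Expected values from the mailing-list list above; None means the directive
# only has to be present and non-empty (an allow-list the unit must define).
BASELINE: Dict[str, object] = {
    "NoNewPrivileges": "yes", "PrivateDevices": "yes", "PrivateTmp": "yes",
    "PrivateUsers": "yes", "ProtectControlGroups": "yes", "ProtectHome": "yes",
    "ProtectKernelModules": "yes", "ProtectKernelTunables": "yes",
    "MemoryDenyWriteExecute": "yes", "RestrictNamespaces": "yes",
    "RestrictRealtime": "yes", "ProtectSystem": "strict", "CapabilityBoundingSet": None,
    "RestrictAddressFamilies": None, "SystemCallFilter": None}
TRUE_WORDS = {"yes", "true", "on", "1"}

SAMPLE_UNIT = """# constructed sample unit, not a real NixOS service
[Service]
ExecStart=/usr/bin/demo
ProtectSystem=full
NoNewPrivileges=yes
PrivateTmp=yes
SystemCallFilter=~@mount @module
SystemCallFilter=
"""

def parse_service(unit_text: str) -> Dict[str, List[str]]:
    """Collect [Service] assignments; repeats accumulate, an empty value resets."""
    section, values = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            values[key] = values.get(key, []) + [val] if val else []
    return values

def audit(unit_text: str) -> List[str]:
    """One finding per baseline directive that is missing or weaker than asked."""
    svc, findings = parse_service(unit_text), []
    for key, want in BASELINE.items():
        got = svc.get(key, [])  # last assignment wins for scalar settings
        if not got:
            findings.append(f"{key} not set")
        elif want == "yes" and got[-1].lower() not in TRUE_WORDS:
            findings.append(f"{key}={got[-1]} (expected a true value)")
        elif want not in (None, "yes") and got[-1] != want:
            findings.append(f"{key}={got[-1]} (expected {want})")
    return findings
```

Running `audit(SAMPLE_UNIT)` flags ProtectSystem=full as weaker than strict and reports SystemCallFilter as unset because the trailing empty assignment cleared the earlier filter.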

@globin globin added this to the 17.03 milestone Jan 26, 2017
@globin
Member

globin commented Jan 26, 2017

systemd 232 is on staging (a38f191)

@teh teh mentioned this issue Mar 3, 2017
4 tasks
@globin globin modified the milestones: 17.09, 17.03 Mar 14, 2017
@matthewbauer matthewbauer modified the milestones: 17.09, 18.09 Apr 17, 2018
@matthewbauer matthewbauer modified the milestones: 18.09, 19.03 Nov 5, 2018
@ckauhaus
Contributor

We are on systemd-239 now. Is this still relevant?

@peterhoeg
Member

Very much so - we are not really making use of the various capabilities to lock things down (yet).

@infinisil infinisil self-assigned this Jan 30, 2019
@lheckemann lheckemann modified the milestones: 19.03, 19.09 Apr 1, 2019
@veprbl veprbl removed this from the 19.09 milestone May 31, 2021
9 participants