/nixpkgs

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Harden and update to use the new features in systemd-232 #20186

Open
spacekitteh opened this Issue Nov 5, 2016 · 2 comments

Comments

Assignees
No one assigned
Labels
Projects
TODO in Security
Milestone
  18.09
5 participants
@spacekitteh @peterhoeg @globin @grahamc @matthewbauer
@spacekitteh
Contributor

spacekitteh commented Nov 5, 2016
edited by Profpatsch
Edited 1 time
  • @Profpatsch Profpatsch edited Mar 3, 2017 (most recent)

Once systemd-232 is merged (#20156) and things are working, we have a bunch of tasks:

  • Set defaults for services to abide by the principle of least privilege (#14645)
    • ProtectKernelModules = true;
    • ProtectSystem = "strict";
    • ProtectKernelTunables = true;
    • ProtectControlGroups = true;
    • DynamicUser = true; (#11908) Requires enabling the new nss-systemd.so module. Also means going through all current services to remove now-unrequired users.
    • NoNewPrivileges = true;
    • RestrictAddressFamilies. This takes a list of address families to whitelist, but the default should be empty.
  • RemoveIPC option to remove assigned IPC objects after service exit
  • Include the two new user targets: "graphical-session.target" and "graphical-session-pre.target"
  • Ensure Journald's SplitMode has been changed to "uid", as "login" is now deprecated
  • Update cryptsetup/crypttab to enable enable VeraCrypt partitions

@grahamc grahamc added 0.kind: enhancement 6.topic: nixos 1.severity: security labels Nov 5, 2016

@peterhoeg

This comment has been minimized.

Show comment
Hide comment
@peterhoeg

peterhoeg Jan 12, 2017

Member

This is the best practice list from the mailing list:

CapabilityBoundingSet=...
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_NETLINK AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources
Member

peterhoeg commented Jan 12, 2017

This is the best practice list from the mailing list:

CapabilityBoundingSet=...
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_NETLINK AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources

@globin globin added this to the 17.03 milestone Jan 26, 2017

@globin

This comment has been minimized.

Show comment
Hide comment
@globin

globin Jan 26, 2017

Member

systemd 232 is on staging (a38f191)
Member

globin commented Jan 26, 2017
edited
Edited 1 time
  • @globin globin edited Jan 29, 2017 (most recent)

systemd 232 is on staging (a38f191)

@peterhoeg peterhoeg referenced this issue Feb 26, 2017

Merged

mcelog: init Machine Check Exception Logging Daemon service #23214

5 of 7 tasks complete

@teh teh referenced this issue Mar 3, 2017

Merged

04 weekly news #26

4 of 4 tasks complete

@globin globin modified the milestones: 17.09, 17.03 Mar 14, 2017

@matthewbauer matthewbauer modified the milestones: 17.09, 18.09 Apr 17, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment