
Harden and update to use the new features in systemd-232 #20186

Open
spacekitteh opened this issue Nov 5, 2016 · 4 comments

Comments

@spacekitteh
Contributor

@spacekitteh spacekitteh commented Nov 5, 2016

Once systemd-232 is merged (#20156) and things are working, we have a bunch of tasks:

  • Set defaults for services to abide by the principle of least privilege (#14645)
    • ProtectKernelModules = true;
    • ProtectSystem = "strict";
    • ProtectKernelTunables = true;
    • ProtectControlGroups = true;
    • DynamicUser = true; (#11908) Requires enabling the new nss-systemd.so module. Also means going through all current services to remove now-unrequired users.
    • NoNewPrivileges = true;
    • RestrictAddressFamilies. This takes a list of address families to whitelist, but the default should be empty.
  • RemoveIPC option to remove assigned IPC objects after service exit
  • Include the two new user targets: "graphical-session.target" and "graphical-session-pre.target"
  • Ensure Journald's SplitMode has been changed to "uid", as "login" is now deprecated
  • Update cryptsetup/crypttab to enable VeraCrypt partitions
@peterhoeg
Member

@peterhoeg peterhoeg commented Jan 12, 2017

This is the best practice list from the mailing list:

CapabilityBoundingSet=...
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_NETLINK AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources
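The two lists above (the least-privilege defaults in the opening post and the mailing-list recommendation in this comment) put together as one NixOS module, as an added example that is not nixpkgs code and not from either commenter. The service name `example-daemon`, its package, the use of a state directory and the need for IPv4/IPv6 sockets are assumptions chosen to show how each directive is spelled in `serviceConfig`; the values themselves are the ones listed in the thread.

```nix
# Added example, not from nixpkgs: a NixOS module that applies the hardening
# directives discussed in this issue to one hypothetical service.
# Assumed: pkgs.example-daemon exists, the daemon keeps state under
# /var/lib/example-daemon, and it needs TCP/UDP sockets.
{ config, lib, pkgs, ... }:

{
  systemd.services.example-daemon = {
    description = "Example daemon running under a least-privilege sandbox";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      ExecStart = "${pkgs.example-daemon}/bin/example-daemon";   # assumed package

      # Transient user allocated at start; no static user to carry in the
      # module. Needs the nss-systemd module in nsswitch, as the opening
      # post notes, so that the UID resolves to a name.
      DynamicUser = true;

      # Drop every capability and forbid regaining privileges via setuid/fscaps.
      CapabilityBoundingSet = "";
      NoNewPrivileges = true;

      # Read-only view of the whole file system; only declared paths are writable.
      ProtectSystem = "strict";
      ProtectHome = true;
      StateDirectory = "example-daemon";   # keeps /var/lib/example-daemon writable
      PrivateTmp = true;
      PrivateDevices = true;

      # Kernel and namespace surface.
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectControlGroups = true;
      PrivateUsers = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      MemoryDenyWriteExecute = true;

      # Tear down SysV IPC / POSIX shared memory owned by the service on exit.
      RemoveIPC = true;

      # The opening post wants an empty default; a network daemon then has to
      # whitelist exactly the families it uses (assumed here: local sockets,
      # IPv4 and IPv6).
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";

      # Deny-list from the mailing-list recommendation. Kept as one string so
      # the leading '~' applies to the whole set rather than producing
      # several SystemCallFilter= lines with mixed allow/deny semantics.
      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
    };
  };
}
```

Two of these settings are the ones that most often break a service when they are switched on by default: `MemoryDenyWriteExecute` stops any runtime that JITs (Java, V8, LuaJIT and similar), and `PrivateUsers` together with an empty `CapabilityBoundingSet` stops anything that genuinely needs root, such as binding a privileged port without `CAP_NET_BIND_SERVICE`. `ProtectSystem=strict` also turns every undeclared write path into an `EROFS` failure, so each converted service needs its `StateDirectory`, `CacheDirectory`, `LogsDirectory` or `ReadWritePaths` spelled out. On a systemd newer than the 232 discussed here, `systemd-analyze security example-daemon` scores the resulting unit and lists which of these directives are still missing.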
@globin globin added this to the 17.03 milestone Jan 26, 2017
@globin
Member

@globin globin commented Jan 26, 2017

systemd 232 is on staging (a38f191)

@teh teh mentioned this issue Mar 3, 2017
4 of 4 tasks complete
@globin globin modified the milestones: 17.09, 17.03 Mar 14, 2017
@matthewbauer matthewbauer modified the milestones: 17.09, 18.09 Apr 17, 2018
@matthewbauer matthewbauer modified the milestones: 18.09, 19.03 Nov 5, 2018
@ckauhaus
Contributor

@ckauhaus ckauhaus commented Nov 27, 2018

We are on systemd-239 now. Is this still relevant?

@peterhoeg
Member

@peterhoeg peterhoeg commented Dec 1, 2018

Very much so - we are not really making use of the various capabilities to lock things down (yet).

@Infinisil Infinisil self-assigned this Jan 30, 2019
@lheckemann lheckemann modified the milestones: 19.03, 19.09 Apr 1, 2019
@gazally gazally mentioned this issue Jul 5, 2019
4 of 10 tasks complete