Security focused systemd configuration
systemd configuration examples, hopefully making your server and services a bit more secure.
Documentation
Logging
/etc/systemd/journald.conf
See journald.conf.
[Journal]
Compress=yes (1)
ForwardToSyslog=yes (2)
Storage=persistent (3)-
"data objects that shall be stored in the journal and are larger than a certain threshold are compressed before they are written to the file system."
-
"log messages received by the journal daemon shall be forwarded to a traditional syslog daemon"
-
"data will be stored preferably on disk, i.e. below the /var/log/journal hierarchy (which is created if needed), with a fallback to /run/log/journal (which is created if needed), during early boot and if the disk is not writable."
/etc/systemd/coredump.conf
See coredump.conf.
[Coredump]
Storage=none (1)-
"When "none", the core dumps will be logged but not stored permanently."
Mounts
See systemd.mount.
/etc/systemd/system/tmp.mount
[Unit]
Description=Temporary Directory
Documentation=man:hier(7)
Before=local-fs.target
[Mount]
What=tmpfs (1)
Where=/tmp (2)
Type=tmpfs (3)
Options=mode=1777,strictatime,nodev,nosuid (4)(5)-
"an absolute path of a device node, file or other resource to mount."
-
"an absolute path of a directory of the mount point."
-
"a string for the file system type."
-
"options to use when mounting."
-
add
noexecif possible.
/etc/systemd/system/var-tmp.mount
[Unit]
Description=Temporary Directory
Documentation=man:hier(7)
Before=local-fs.target
[Mount]
What=tmpfs
Where=/var/tmp
Type=tmpfs
Options=mode=1777,strictatime,nodev,nosuid (1)-
add
noexecif possible.
System
/etc/systemd/resolved.conf
See resolved.conf.
[Resolve]
DNS=127.0.0.1 (1)
FallbackDNS=8.8.8.8 8.8.4.4 (2)
DNSSEC=allow-downgrade (3)-
"space-separated list of IPv4 and IPv6 addresses to use as system DNS servers."
-
"space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers."
-
"If set to "allow-downgrade" DNSSEC validation is attempted, but if the server does not support DNSSEC properly, DNSSEC mode is automatically disabled." Should be set to
trueif possible.
/etc/systemd/system.conf
See system.conf and systemd, init.
[Manager]
DumpCore=no (1)
CrashShell=no (2)
DefaultLimitCORE=0 (3)
DefaultLimitNOFILE=100 (4)
DefaultLimitNPROC=100 (5)
CtrlAltDelBurstAction=none (6)-
"If
yes, the systemd manager (PID 1) dumps core when it crashes. Otherwise, no core dump is created." -
"If
yes, the system manager (PID 1) spawns a shell when it crashes, after a 10s delay. Otherwise, no shell is spawned." -
Don’t allow daemons to core dump.
-
Default limit for number of open files.
-
Default limit for number of processes.
-
Defines what action will be performed if user presses Ctrl-Alt-Delete more than 7 times in 2s.
/etc/systemd/timesyncd.conf
See timesyncd.conf.
[Time]
NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org (1)
FallbackNTP=2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org (2)-
"space-separated list of NTP server host names or IP addresses."
-
"space-separated list of NTP server host names or IP addresses to be used as the fallback NTP servers."
Unit configuration
See systemd.exec.
PrivateTmp= (1)
ProtectSystem= (2)
ProtectHome= (3)
NoNewPrivileges= (4)
ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories= (5)
CapabilityBoundingSet= (6)
PrivateDevices= (7)
User=, Group= (8)-
"sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that is not shared by processes outside of the namespace."
-
"If true, mounts the /usr and /boot directories read-only for processes invoked by this unit. If set to "full", the /etc directory is mounted read-only, too."
-
"If true, the directories /home, /root and /run/user are made inaccessible and empty for processes invoked by this unit. If set to "read-only", the three directories are made read-only instead."
-
"If true, ensures that the service process and all its children can never gain new privileges."
-
"Sets up a new file system namespace for executed processes."
-
"Controls which capabilities to include in the capability bounding set for the executed process."
-
"If true, sets up a new /dev namespace for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it"
-
"Sets the Unix user or group that the processes are executed as, respectively"
/etc/systemd/system/nginx.service example
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed
PrivateTmp=yes
ProtectSystem=full
ProtectHome=true
NoNewPrivileges=true
ReadOnlyDirectories=/var/www/html
CapabilityBoundingSet=~CAP_SYS_PTRACE
PrivateDevices=true
[Install]
WantedBy=multi-user.targetUsers
/etc/systemd/logind.conf
See logind.conf.
[Login]
KillUserProcesses=1 (1)
KillExcludeUsers=root (2)
IdleAction=lock (3)
IdleActionSec=15min (4)
RemoveIPC=yes (5)-
"the processes of a user should be killed when the user completely logs out (i.e. after the user’s last session ended)."
-
"Processes of users listed in
KillExcludeUsers=are excluded from being killed." -
"the action to take when the system is idle."
-
"the delay after which the action configured in
IdleAction=(see above) is taken after the system is idle." -
"the user may not consume IPC resources after the last of the user’s sessions terminated."
/etc/systemd/user.conf
See systemd-user.conf.
[Manager]
DefaultLimitCORE=0 (1)
DefaultLimitNOFILE=100 (2)
DefaultLimitNPROC=100 (3)
CapabilityBoundingSet=~CAP_SYS_PTRACE (4)-
Don’t allow core dumps.
-
Default limit for number of open files.
-
Default limit for number of processes.
-
"capabilities to include in the capability bounding set." See capabilities(7).