Improve security of rest-server.service by restricting network access
This patch improves the overall security assessment score given by
`systemd-analyze security rest-server.service` from "1.3 OK" to "0.6 SAFE"
(when using systemd-analyze version 253)

* Remove `AF_INET AF_INET6` from RestrictAddressFamilies.
  Sockets originating from socket activation are not affected by the
  systemd directive RestrictAddressFamilies.
  See systemd.exec man page.

* Add `PrivateNetwork=yes`
  as recommended for socket-activated services in the systemd.socket man page

* Add dependency on rest-server.socket

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
eriksjolund committed Jul 15, 2023
1 parent c38e18b commit 1b08bf8
Showing 1 changed file with 12 additions and 8 deletions.
20 changes: 12 additions & 8 deletions examples/systemd/rest-server.service
Expand Up @@ -2,9 +2,8 @@
Description=Rest Server
After=syslog.target
After=network.target

# if you want to use socket activation, make sure to require the socket here
#Requires=rest-server.socket
Requires=rest-server.socket
After=rest-server.socket

[Service]
Type=simple
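Review bot: the kept comment "# if you want to use socket activation, make sure to require the socket here" now contradicts the two lines under it, since Requires=rest-server.socket and After=rest-server.socket are no longer optional. Suggest rewording it to state that socket activation is required (the unit will not start unless rest-server.socket exists), or, if starting without the socket unit should remain possible, documenting that these two lines have to be removed in that case.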
Expand All @@ -15,10 +14,8 @@ ExecStart=/usr/local/bin/rest-server --path /path/to/backups
Restart=always
RestartSec=5

# The following options are available (in systemd v247) to restrict the
# actions of the rest-server.

# As a whole, the purpose of these are to provide an additional layer of
# The following options restricts the actions of the rest-server.
# As a whole, the purpose of them is to provide an additional layer of
# security by mitigating any unknown security vulnerabilities which may exist
# in rest-server or in the libraries, tools and operating system components
# which it relies upon.
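Review bot: grammar in the new comment: "The following options restricts" should read "The following options restrict". Dropping the "(in systemd v247)" hint also removes the only statement of which systemd version the options in this file need; keeping a minimum-version note would tell users on older distributions why the unit may fail to parse, especially now that the commit itself is validated against systemd-analyze 253.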
Expand All @@ -37,6 +34,13 @@ CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes

# See the paragraph "All network sockets allocated ..." in the systemd.socket man page
# as to why it is good practice to run a socket-activated service
# with PrivateNetwork=yes
# See https://www.freedesktop.org/software/systemd/man/systemd.socket.html
PrivateNetwork=yes

PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
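Review bot: the comment above PrivateNetwork=yes should spell out the consequence instead of only pointing at the man page: the service runs in a private network namespace with nothing but a loopback device, so the socket inherited from rest-server.socket is the only way traffic reaches it, and any connection the process tries to open on its own will fail. A one-line note that this makes socket activation mandatory (matching the new Requires= above) would help anyone who adapts this file to run rest-server with its own listener.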
Expand All @@ -51,7 +55,7 @@ ProtectProc=invisible
ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictAddressFamilies=none
RestrictSUIDSGID=true
RestrictRealtime=true
# if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
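Review bot: RestrictAddressFamilies=none forbids every socket() call, including AF_UNIX, not only the IP families removed here. That is fine for Type=simple with logging to stdout, but anyone switching the unit to Type=notify (sd_notify needs an AF_UNIX socket) or pointing the binary at syslog will see socket() fail with no obvious cause. A short comment saying that the inherited listening socket is unaffected because the restriction applies to socket(2) only, and that AF_UNIX must be re-added for those cases, would save debugging time.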