Harden services with systemd

A Hard Nut to Crack

Capabilities

Finally, you can limit the capabilities that will be available to the process. These are rights that can be granted to unprivileged processes in small chunks, which makes it unnecessary to give a process completely unrestricted superuser rights just because it needs a single special right.

You can take a fairly restrictive approach here and define

CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH

which excludes, for example, the assignment of CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, or CAP_SYS_PTRACE to the process and deducts many points. The exposure value now drops to 5.7 (Figure 4). The rating confirms a MEDIUM level of security, and for the first time the emoji looks neutral rather than unhappy about the situation.

Figure 4: For the first time, the emoji is not dissatisfied: You have achieved a medium level of security.
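
To confirm that the bounding set actually reached the running service, you can decode the CapBnd field of /proc/PID/status and compare it with the two capabilities allowed above. The following Python script is an added example, not code from the article; its function names and the sample status text are constructed for illustration.

```python
#!/usr/bin/env python3
"""Decode CapBnd from /proc/PID/status and compare it with the unit's allow-list."""
import sys

# Capability names in kernel bit order (bit 0 = CAP_CHOWN), per linux/capability.h.
CAP_NAMES = ["CAP_" + n for n in (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()]

# The two capabilities the CapabilityBoundingSet= line above leaves in place.
ALLOWED = {"CAP_NET_BIND_SERVICE", "CAP_DAC_READ_SEARCH"}

def decode_mask(hex_mask):
    """Turn a hex capability mask (e.g. the CapBnd value) into a set of names."""
    mask, bit, names = int(hex_mask, 16), 0, set()
    while mask:
        if mask & 1:
            # Bits newer than this table are reported by number, not dropped.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        mask >>= 1
        bit += 1
    return names

def bounding_set(status_text):
    """Extract and decode the CapBnd line from the text of /proc/PID/status."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return decode_mask(line.split()[1])
    raise ValueError("no CapBnd line found")

def unexpected_caps(status_text, allowed=ALLOWED):
    """Return capabilities present in the bounding set but not allowed."""
    return sorted(bounding_set(status_text) - set(allowed))

# Constructed samples: a hardened service and one with a full bounding set.
SAMPLE_HARDENED = "Name:\tdemo\nCapInh:\t0000000000000000\nCapBnd:\t0000000000000404\n"
SAMPLE_DEFAULT = "Name:\tdemo\nCapBnd:\t000001ffffffffff\n"

if __name__ == "__main__":
    # Pass the PID from: systemctl show -p MainPID --value UNIT
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HARDENED  # no PID given: fall back to the sample
    extra = unexpected_caps(text)
    print("unexpected capabilities:", ", ".join(extra) or "none")
    sys.exit(1 if extra else 0)
```

The script exits non-zero when the process still holds capabilities outside the allow-list, so it can serve as a post-deployment check next to systemd-analyze.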

Conclusions

Quite a few options remain that provide additional security. A description on GitHub [1] offers a good compilation of the systemd options suitable for hardening services and opens up a wide field for further optimization. With systemd-analyze as a measuring tool, you can track your progress in each case.

Infos

  1. Hardening options for systemd services: https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
