Archived view of disconnect.wiki › operating-systems › linux › systemd-hardening.gmi, captured 2023-05-24 17:41:59.
Suggested tuning from Hacker News
This is the example the user posted there:
```
DynamicUser=yes
CapabilityBoundingSet=
DevicePolicy=closed
InaccessiblePaths=-/usr/bin /usr/sbin /mnt /media /var/www
LockPersonality=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @privileged @module @raw-io @reboot @mount @obsolete @swap @debug
MemoryDenyWriteExecute=yes
```
Drop (or trim) InaccessiblePaths if your application executes external binaries: it hides /usr/bin and /usr/sbin from the service entirely, and the mount namespace is set up before ExecStart runs, so the service binary itself must also live outside those paths.
If your application needs to store anything locally, add some combination of these:
```
RuntimeDirectory=appname        # creates /run/appname (/var/run is a symlink to /run)
StateDirectory=appname          # creates /var/lib/appname
CacheDirectory=appname          # creates /var/cache/appname
LogsDirectory=appname           # creates /var/log/appname
ConfigurationDirectory=appname  # creates /etc/appname
```
systemd creates these directories before the service starts, exports their paths to it in the environment variables $RUNTIME_DIRECTORY, $STATE_DIRECTORY, $CACHE_DIRECTORY, $LOGS_DIRECTORY and $CONFIGURATION_DIRECTORY, and makes sure your limited (dynamic) user can read and write them, including their contents, even under ProtectSystem=strict. ConfigurationDirectory is the exception: it is created root-owned and stays read-only for the service, which is what you want for configuration.
Add this if your application uses a JIT compiler, since a JIT needs memory mappings that are both writable and executable, which the default above forbids (it also removes the W^X protection for the whole process, so only do it when the program actually fails without it):
```
MemoryDenyWriteExecute=no
```
And this so a misconfigured service cannot listen on the wrong port. The allow list is checked before the deny list, so the pair below permits bind(2) on TCP 5000 and refuses every other bind; it needs systemd 249 or newer on cgroup v2 with a BPF-capable kernel.
```
SocketBindDeny=any
SocketBindAllow=tcp:5000
```
These per-unit firewall rules are useful when your service's ingress and egress destinations are known in advance. They apply to every packet the service's cgroup sends or receives, so a DNS resolver, database or upstream outside the allowed ranges is cut off too; like the socket bind rules they need cgroup v2 and BPF support, and systemd logs a warning and skips them where the kernel cannot enforce them.
```
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=10.3.42.0/24
```
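Putting the pieces above together, here is a complete unit file as an added example. It is not from the wiki page or the Hacker News poster; the service name "appname", the binary path /opt/appname/bin/appname, its command-line flags, port 5000 and the 10.3.42.0/24 range are placeholders, chosen so the binary sits outside the paths the unit hides and so the state directory variable is actually consumed.

```ini
# /etc/systemd/system/appname.service
# Added example: "appname", /opt/appname/bin/appname, the --listen/--data/--cache
# flags and port 5000 are placeholders (assumptions), not a real project.
[Unit]
Description=Example hardened service (placeholder)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# The binary lives in /opt, which stays reachable (read-only under
# ProtectSystem=strict) even though /usr/bin and /usr/sbin are hidden below.
# ${STATE_DIRECTORY} and ${CACHE_DIRECTORY} expand to /var/lib/appname and
# /var/cache/appname, the directories systemd creates for the dynamic user.
ExecStart=/opt/appname/bin/appname --listen 0.0.0.0:5000 --data ${STATE_DIRECTORY} --cache ${CACHE_DIRECTORY}

# The only writable locations the service gets.
StateDirectory=appname
CacheDirectory=appname
LogsDirectory=appname
RuntimeDirectory=appname

# Identity and privilege. DynamicUser=yes already implies ProtectSystem=strict,
# PrivateTmp, RemoveIPC, NoNewPrivileges and RestrictSUIDSGID; they are spelled
# out so the policy is readable without the manual.
DynamicUser=yes
# Empty bounding set: no capabilities at all. Binding a port below 1024 would
# need CapabilityBoundingSet=CAP_NET_BIND_SERVICE plus
# AmbientCapabilities=CAP_NET_BIND_SERVICE instead.
CapabilityBoundingSet=
NoNewPrivileges=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
LockPersonality=yes

# Filesystem view. "-" makes a missing path (e.g. /var/www) non-fatal.
# Remove InaccessiblePaths if the program execs anything from /usr/bin.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
PrivateMounts=yes
InaccessiblePaths=-/usr/bin -/usr/sbin -/mnt -/media -/var/www
ProtectProc=invisible
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes

# Kernel attack surface. AF_NETLINK stays because libc interface enumeration
# (getifaddrs) uses it; drop it if the program never touches interfaces.
PrivateUsers=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @privileged @module @raw-io @reboot @mount @obsolete @swap @debug
# Flip to "no" only for a JIT; it gives up W^X for the whole process.
MemoryDenyWriteExecute=yes

# Network. bind(2) is allowed on TCP 5000 only; traffic is allowed only to and
# from localhost and the placeholder client subnet, so a resolver or upstream
# outside that range must be added here or the service loses it.
SocketBindDeny=any
SocketBindAllow=tcp:5000
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=10.3.42.0/24

[Install]
WantedBy=multi-user.target
```

Check the unit before relying on it: `systemd-analyze verify /etc/systemd/system/appname.service` catches syntax and path errors, and `systemd-analyze security appname.service` prints the per-directive exposure table so you can see which of the settings above the running systemd actually honours on that host. After `systemctl daemon-reload` and a start, watch `journalctl -u appname` for EPERM, EACCES and seccomp kills; only tighten SystemCallFilter further once the log stays clean under real load.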