Systemd/Hardening: Difference between revisions

Line 1:

Systemd's service options are quite lax by default, and so it is often desirable to look at ways to harden systemd services.

</translate>

A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service.

</translate>

== Accessing the network with a different RootDirectory ==

</translate>

To be able to access the network while having a RootDirectory specified, you need to give access to <code>/etc/ssl</code>, <code>/etc/static/ssl</code> and <code>/etc/resolv.conf</code>. The simplest way of doing this is by simply putting <code>/etc</code> in the <code>BindReadOnlyPaths</code> option.

</translate>

A more granular way, would be to put these 3 paths into <code>BindReadOnlyPaths</code>, and wait for the creation of <code>/etc/resolv.conf</code> through a <code>systemd.path</code> unit.

</translate>

== Dropping a shell inside a systemd service ==

</translate>

While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for exemple to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.

</translate>

Simple example:

</translate>

Line 32:

Line 40:

}

</syntaxhighlight>

Example with a <code>RootDirectory</code> specified:

</translate>

{ pkgs }:

Line 63:

Line 72:

}

</syntaxhighlight>

</translate>

To attach to the shell, simply execute <code>tmux -S /path/to/tmux.socket attach</code>.

</translate>

== Hardening examples ==

</translate>

This list contains proposed hardening options that are not yet upstreamed. Please use with caution, and please notify the author of the change if something breaks:

</translate>

* Chrony: https://github.com/NixOS/nixpkgs/pull/104944/files

* Isso: https://github.com/NixOS/nixpkgs/pull/140840/files

Line 75:

Line 88:

* Postfix: https://github.com/NixOS/nixpkgs/pull/93305/files

* TheLounge: https://github.com/thelounge/thelounge-deb/pull/78

</translate>

== Related links ==

</translate>

* SHH, systemd hardening helper: [https://www.synacktiv.com/en/publications/systemd-hardening-made-easy-with-shh systemd hardening made easy with SHH]

* SHH, systemd hardening helper: [https://www.synacktiv.com/en/publications/systemd-hardening-made-easy-with-shh systemd hardening made easy with SHH]

</translate>

[[Category:NixOS]]

@@ Line 1: / Line 1: @@
 {{Systemd/breadcrumb}}
+<translate>
 Systemd's service options are quite lax by default, and so it is often desirable to look at ways to harden systemd services.
+</translate>
+<translate>
 A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service.
+</translate>
+<translate>
 == Accessing the network with a different RootDirectory ==
+</translate>
+<translate>
 To be able to access the network while having a RootDirectory specified, you need to give access to <code>/etc/ssl</code>, <code>/etc/static/ssl</code> and <code>/etc/resolv.conf</code>. The simplest way of doing this is by simply putting <code>/etc</code> in the <code>BindReadOnlyPaths</code> option.
+</translate>
+<translate>
 A more granular way, would be to put these 3 paths into <code>BindReadOnlyPaths</code>, and wait for the creation of <code>/etc/resolv.conf</code> through a <code>systemd.path</code> unit.
+</translate>
+<translate>
 == Dropping a shell inside a systemd service ==
+</translate>
+<translate>
 While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for exemple to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.
+</translate>
+<translate>
 Simple example:
+</translate>
 <syntaxhighlight lang="nix">
@@ Line 32: / Line 40: @@
 }
 </syntaxhighlight>
+<translate>
 Example with a <code>RootDirectory</code> specified:
+</translate>
+<translate>
 <syntaxhighlight lang="nix">
 { pkgs }:
@@ Line 63: / Line 72: @@
 }
 </syntaxhighlight>
+</translate>
+<translate>
 To attach to the shell, simply execute <code>tmux -S /path/to/tmux.socket attach</code>.
+</translate>
+<translate>
 == Hardening examples ==
+</translate>
+<translate>
 This list contains proposed hardening options that are not yet upstreamed. Please use with caution, and please notify the author of the change if something breaks:
+</translate>
+<translate>
 * Chrony: https://github.com/NixOS/nixpkgs/pull/104944/files
 * Isso: https://github.com/NixOS/nixpkgs/pull/140840/files
@@ Line 75: / Line 88: @@
 * Postfix: https://github.com/NixOS/nixpkgs/pull/93305/files
 * TheLounge: https://github.com/thelounge/thelounge-deb/pull/78
+</translate>
+<translate>
 == Related links ==
+</translate>
-* SHH, systemd hardening helper: [https://www.synacktiv.com/en/publications/systemd-hardening-made-easy-with-shh systemd hardening made easy with SHH]
+<translate>
+* SHH, systemd hardening helper:  [https://www.synacktiv.com/en/publications/systemd-hardening-made-easy-with-shh systemd hardening made easy with SHH]
+</translate>
 [[Category:NixOS]]