Jump to content

Systemd/Hardening: Difference between revisions

From NixOS Wiki
← Older edit
Visual
imported>Erdnaxe
Add links to hardening examples
Kiri (talk | contribs)
2 edits
m Fix small typo
 
(8 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{Systemd/breadcrumb}}
<translate>
<!--T:1-->
Systemd's service options are quite lax by default, and so it is often desirable to look at ways to harden systemd services.
Systemd's service options are quite lax by default, and so it is often desirable to look at ways to harden systemd services.
 
</translate>
<translate>
<!--T:2-->
A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service.
A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service.
 
</translate>
== Accessing the network with a different RootDirectory ==
<translate>
 
== Accessing the network with a different RootDirectory == <!--T:3-->
</translate>
<translate>
<!--T:4-->
To be able to access the network while having a RootDirectory specified, you need to give access to <code>/etc/ssl</code>, <code>/etc/static/ssl</code> and <code>/etc/resolv.conf</code>. The simplest way of doing this is by simply putting <code>/etc</code> in the <code>BindReadOnlyPaths</code> option.
To be able to access the network while having a RootDirectory specified, you need to give access to <code>/etc/ssl</code>, <code>/etc/static/ssl</code> and <code>/etc/resolv.conf</code>. The simplest way of doing this is by simply putting <code>/etc</code> in the <code>BindReadOnlyPaths</code> option.
 
</translate>
<translate>
<!--T:5-->
A more granular way, would be to put these 3 paths into <code>BindReadOnlyPaths</code>, and wait for the creation of <code>/etc/resolv.conf</code> through a <code>systemd.path</code> unit.
A more granular way, would be to put these 3 paths into <code>BindReadOnlyPaths</code>, and wait for the creation of <code>/etc/resolv.conf</code> through a <code>systemd.path</code> unit.
 
</translate>
== Dropping a shell inside a systemd service ==
<translate>
 
== Dropping a shell inside a systemd service == <!--T:6-->
While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for exemple to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.
</translate>
 
<translate>
<!--T:7-->
While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for example to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.
</translate>
<translate>
<!--T:8-->
Simple example:
Simple example:
 
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">


Line 30: Line 46:
}
}
</syntaxhighlight>
</syntaxhighlight>
 
<translate>
<!--T:9-->
Example with a <code>RootDirectory</code> specified:
Example with a <code>RootDirectory</code> specified:
 
</translate>
<translate>
<!--T:10-->
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{ pkgs }:
{ pkgs }:
Line 42: Line 61:
       Type = "forking";
       Type = "forking";


       # Used as root directory
       <!--T:11-->
# Used as root directory
       RuntimeDirectory = "myService";
       RuntimeDirectory = "myService";
       RootDirectory = "/run/myService";
       RootDirectory = "/run/myService";


       BindReadOnlyPaths = [
       <!--T:12-->
BindReadOnlyPaths = [
         "/nix/store"
         "/nix/store"


         # So tmux uses /bin/sh as shell
         <!--T:13-->
# So tmux uses /bin/sh as shell
         "/bin"
         "/bin"
       ];
       ];


       # This sets up a private /dev/tty
       <!--T:14-->
# This sets up a private /dev/tty
       # The tmux server would crash without this
       # The tmux server would crash without this
       # since there would be nothing in /dev
       # since there would be nothing in /dev
Line 61: Line 84:
}
}
</syntaxhighlight>
</syntaxhighlight>
 
</translate>
<translate>
<!--T:15-->
To attach to the shell, simply execute <code>tmux -S /path/to/tmux.socket attach</code>.
To attach to the shell, simply execute <code>tmux -S /path/to/tmux.socket attach</code>.
 
</translate>
== Hardening examples ==
<translate>
 
== Hardening examples == <!--T:16-->
</translate>
<translate>
<!--T:17-->
This list contains proposed hardening options that are not yet upstreamed. Please use with caution, and please notify the author of the change if something breaks:
This list contains proposed hardening options that are not yet upstreamed. Please use with caution, and please notify the author of the change if something breaks:
 
</translate>
<translate>
<!--T:18-->
* Chrony: https://github.com/NixOS/nixpkgs/pull/104944/files
* Chrony: https://github.com/NixOS/nixpkgs/pull/104944/files
* Galène: https://github.com/NixOS/nixpkgs/pull/156163/files
* Isso: https://github.com/NixOS/nixpkgs/pull/140840/files
* Isso: https://github.com/NixOS/nixpkgs/pull/140840/files
* Libreddit: https://github.com/NixOS/nixpkgs/pull/133771/files
* Mautrix-based bridge: https://github.com/mautrix/docs/pull/18/files
* Mautrix-based bridge: https://github.com/mautrix/docs/pull/18/files
* Postfix: https://github.com/NixOS/nixpkgs/pull/93305/files
* Postfix: https://github.com/NixOS/nixpkgs/pull/93305/files
* TheLounge: https://github.com/thelounge/thelounge-deb/pull/78
</translate>
<translate>
== Related links == <!--T:19-->
</translate>
<translate>
<!--T:20-->
* SHH, systemd hardening helper:  [https://www.synacktiv.com/en/publications/systemd-hardening-made-easy-with-shh systemd hardening made easy with SHH]
</translate>


[[Category:NixOS]]
[[Category:NixOS]]
[[Category:Cookbook]]
[[Category:Cookbook]]
[[Category:Security]]
[[Category:Security]]
[[Category:systemd]]

Latest revision as of 09:51, 20 January 2025

Systemd's service options are quite lax by default, and so it is often desirable to look at ways to harden systemd services. A good way to get started on a given service is to look at the output of the command systemd-analyze security myService. From there, you can look at the documentation for the options you see in the output, often in man systemd.exec or man systemd.resource-control, and set the appropriate options for your service.

Accessing the network with a different RootDirectory

To be able to access the network while having a RootDirectory specified, you need to give access to /etc/ssl, /etc/static/ssl and /etc/resolv.conf. The simplest way of doing this is by simply putting /etc in the BindReadOnlyPaths option. A more granular way, would be to put these 3 paths into BindReadOnlyPaths, and wait for the creation of /etc/resolv.conf through a systemd.path unit.

Dropping a shell inside a systemd service

While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for example to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service. Simple example: 

{ pkgs, ... }:
{
  systemd.services.myService = {
    serviceConfig = {
      ExecStart = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket new-session -s my-session -d";
      ExecStop = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket kill-session -t my-session";
      Type = "forking";

      # ...
    };
  };
}

Example with a RootDirectory specified: 

{ pkgs }:
{
  systemd.services.myService = {
    serviceConfig = {
      ExecStart = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket new-session -s my-session -d";
      ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session";
      Type = "forking";

      # Used as root directory
      RuntimeDirectory = "myService";
      RootDirectory = "/run/myService";

      BindReadOnlyPaths = [
        "/nix/store"

        # So tmux uses /bin/sh as shell
        "/bin"
      ];

      # This sets up a private /dev/tty
      # The tmux server would crash without this
      # since there would be nothing in /dev
      PrivateDevices = true;
    };
  };
}

To attach to the shell, simply execute tmux -S /path/to/tmux.socket attach.

Hardening examples

This list contains proposed hardening options that are not yet upstreamed. Please use with caution, and please notify the author of the change if something breaks:

Retrieved from "https://wiki.nixos.org/w/index.php?title=Systemd/Hardening&oldid=19764"