Systemd/Hardening/ru: Difference between revisions
Created page with "Systemd/Hardening" Tags: Mobile edit Mobile web edit |
Updating to match new version of source page |
||
| (5 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
{{Systemd/breadcrumb}} | {{Systemd/breadcrumb}} | ||
Опции служб Systemd по умолчанию довольно слабые по защищённости, поэтому часто бывает желательно рассмотреть способы усиления безопасности служб Systemd. | |||
Systemd | |||
<div lang="en" dir="ltr" class="mw-content-ltr"> | <div lang="en" dir="ltr" class="mw-content-ltr"> | ||
A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service. | A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service. | ||
| Line 20: | Line 18: | ||
</div> | </div> | ||
<div lang="en" dir="ltr" class="mw-content-ltr"> | <div lang="en" dir="ltr" class="mw-content-ltr"> | ||
While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for | While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for example to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service. | ||
</div> | </div> | ||
Простой пример: | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
| Line 43: | Line 39: | ||
Example with a <code>RootDirectory</code> specified: | Example with a <code>RootDirectory</code> specified: | ||
</div> | </div> | ||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
{ pkgs }: | { pkgs }: | ||
| Line 52: | Line 47: | ||
ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session"; | ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session"; | ||
Type = "forking"; | Type = "forking"; | ||
<div lang="en" dir="ltr" class="mw-content-ltr"> | <div lang="en" dir="ltr" class="mw-content-ltr"> | ||
| Line 60: | Line 54: | ||
</div> | </div> | ||
BindReadOnlyPaths = [ | |||
BindReadOnlyPaths = [ | |||
"/nix/store" | "/nix/store" | ||
<div lang="en" dir="ltr" class="mw-content-ltr"> | <div lang="en" dir="ltr" class="mw-content-ltr"> | ||
| Line 97: | Line 89: | ||
* TheLounge: https://github.com/thelounge/thelounge-deb/pull/78 | * TheLounge: https://github.com/thelounge/thelounge-deb/pull/78 | ||
</div> | </div> | ||
< | <span id="Related_links"></span> | ||
== | == См. Также == | ||
<div lang="en" dir="ltr" class="mw-content-ltr"> | <div lang="en" dir="ltr" class="mw-content-ltr"> | ||
* SHH, systemd hardening helper: [https://www.synacktiv.com/en/publications/systemd-hardening-made-easy-with-shh systemd hardening made easy with SHH] | * SHH, systemd hardening helper: [https://www.synacktiv.com/en/publications/systemd-hardening-made-easy-with-shh systemd hardening made easy with SHH] | ||