NixOS Wiki

Systemd/Hardening/ru: Difference between revisions

← Older edit
VisualWikitext
Unabomberlive (talk | contribs)
trusted
1,173 edits
Created page with "== См. Также =="
Tags: Mobile edit Mobile web edit
Unabomberlive (talk | contribs)
trusted
1,173 edits
Created page with "Опции служб Systemd по умолчанию довольно слабые по защищённости, поэтому часто бывает желательно рассмотреть способы усиления безопасности служб Systemd."
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{Systemd/breadcrumb}}
{{Systemd/breadcrumb}}


<div lang="en" dir="ltr" class="mw-content-ltr">
Опции служб Systemd по умолчанию довольно слабые по защищённости, поэтому часто бывает желательно рассмотреть способы усиления безопасности служб Systemd.
Systemd's service options are quite lax by default, and so it is often desirable to look at ways to harden systemd services.
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
<div lang="en" dir="ltr" class="mw-content-ltr">
A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service.
A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service.
Line 22: Line 20:
While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for exemple to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.
While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for exemple to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.
</div>
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
Простой пример:
Simple example:
</div>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">


Line 43: Line 39:
Example with a <code>RootDirectory</code> specified:
Example with a <code>RootDirectory</code> specified:
</div>
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{ pkgs }:
{ pkgs }:
Line 52: Line 47:
       ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session";
       ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session";
       Type = "forking";
       Type = "forking";
</div>


       <div lang="en" dir="ltr" class="mw-content-ltr">
       <div lang="en" dir="ltr" class="mw-content-ltr">
Line 60: Line 54:
</div>
</div>


       <div lang="en" dir="ltr" class="mw-content-ltr">
       BindReadOnlyPaths = [
BindReadOnlyPaths = [
         "/nix/store"
         "/nix/store"
</div>


         <div lang="en" dir="ltr" class="mw-content-ltr">
         <div lang="en" dir="ltr" class="mw-content-ltr">
Retrieved from "https://wiki.nixos.org/wiki/Systemd/Hardening/ru"