Systemd/Hardening/ru: Difference between revisions

(3 intermediate revisions by one other user not shown)

Line 1:

~~<div lang="en" dir="ltr" class="mw-content-ltr">~~

Опции служб Systemd по умолчанию довольно слабые по защищённости, поэтому часто бывает желательно рассмотреть способы усиления безопасности служб Systemd.

Systemd~~'s service options are quite lax by default~~, ~~and so it is often desirable to look at ways to harden systemd services~~.

~~</div>~~

A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service.

Line 20:

Line 18:

</div>

While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for ~~exemple~~ to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.

While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for example to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.

</div>

Простой пример:

Line 41:

Line 39:

Example with a <code>RootDirectory</code> specified:

</div>

~~<div lang="en" dir="ltr" class="mw-content-ltr">~~

{ pkgs }:

Line 50:

Line 47:

ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session";

Type = "forking";

~~</div>~~

Line 58:

Line 54:

</div>

~~<div lang="en" dir="ltr" class="mw-content-ltr">~~

BindReadOnlyPaths = [

"/nix/store"

~~</div>~~

@@ Line 1: / Line 1: @@
 {{Systemd/breadcrumb}}
-<div lang="en" dir="ltr" class="mw-content-ltr">
+Опции служб Systemd по умолчанию довольно слабые по защищённости, поэтому часто бывает желательно рассмотреть способы усиления безопасности служб Systemd.
-Systemd's service options are quite lax by default, and so it is often desirable to look at ways to harden systemd services.
-</div>
 <div lang="en" dir="ltr" class="mw-content-ltr">
 A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service.
@@ Line 20: / Line 18: @@
 </div>
 <div lang="en" dir="ltr" class="mw-content-ltr">
-While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for exemple to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.
+While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for example to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.
 </div>
 Простой пример:
@@ Line 41: / Line 39: @@
 Example with a <code>RootDirectory</code> specified:
 </div>
-<div lang="en" dir="ltr" class="mw-content-ltr">
 <syntaxhighlight lang="nix">
 { pkgs }:
@@ Line 50: / Line 47: @@
        ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session";
        Type = "forking";
-</div>
        <div lang="en" dir="ltr" class="mw-content-ltr">
@@ Line 58: / Line 54: @@
 </div>
-       <div lang="en" dir="ltr" class="mw-content-ltr">
+       BindReadOnlyPaths = [
-BindReadOnlyPaths = [
          "/nix/store"
-</div>
          <div lang="en" dir="ltr" class="mw-content-ltr">