Systemd/Hardening: Difference between revisions

From NixOS Wiki
imported>Nix
m add security category
imported>Erdnaxe
Add links to hardening examples
Line 63: Line 63:


To attach to the shell, simply execute <code>tmux -S /path/to/tmux.socket attach</code>.
To attach to the shell, simply execute <code>tmux -S /path/to/tmux.socket attach</code>.
== Hardening examples ==
This list contains proposed hardening options that are not yet upstreamed. Please use with caution, and please notify the author of the change if something breaks:
* Chrony: https://github.com/NixOS/nixpkgs/pull/104944/files
* Galène: https://github.com/NixOS/nixpkgs/pull/156163/files
* Isso: https://github.com/NixOS/nixpkgs/pull/140840/files
* Libreddit: https://github.com/NixOS/nixpkgs/pull/133771/files
* Mautrix-based bridge: https://github.com/mautrix/docs/pull/18/files
* Postfix: https://github.com/NixOS/nixpkgs/pull/93305/files


[[Category:NixOS]]
[[Category:NixOS]]
[[Category:Cookbook]]
[[Category:Cookbook]]
[[Category:Security]]
[[Category:Security]]

Revision as of 10:00, 28 January 2022

Systemd's service options are quite lax by default, and so it is often desirable to look at ways to harden systemd services.

A good way to get started on a given service is to look at the output of the command systemd-analyze security myService. From there, you can look at the documentation for the options you see in the output, often in man systemd.exec or man systemd.resource-control, and set the appropriate options for your service.

Accessing the network with a different RootDirectory

To be able to access the network while having a RootDirectory specified, you need to give access to /etc/ssl, /etc/static/ssl and /etc/resolv.conf. The simplest way of doing this is by simply putting /etc in the BindReadOnlyPaths option.

A more granular way, would be to put these 3 paths into BindReadOnlyPaths, and wait for the creation of /etc/resolv.conf through a systemd.path unit.

Dropping a shell inside a systemd service

While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for exemple to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.

Simple example:

{ pkgs, ... }:
{
  systemd.services.myService = {
    serviceConfig = {
      ExecStart = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket new-session -s my-session -d";
      ExecStop = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket kill-session -t my-session";
      Type = "forking";

      # ...
    };
  };
}

Example with a RootDirectory specified:

{ pkgs }:
{
  systemd.services.myService = {
    serviceConfig = {
      ExecStart = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket new-session -s my-session -d";
      ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session";
      Type = "forking";

      # Used as root directory
      RuntimeDirectory = "myService";
      RootDirectory = "/run/myService";

      BindReadOnlyPaths = [
        "/nix/store"

        # So tmux uses /bin/sh as shell
        "/bin"
      ];

      # This sets up a private /dev/tty
      # The tmux server would crash without this
      # since there would be nothing in /dev
      PrivateDevices = true;
    };
  };
}

To attach to the shell, simply execute tmux -S /path/to/tmux.socket attach.

Hardening examples

This list contains proposed hardening options that are not yet upstreamed. Please use with caution, and please notify the author of the change if something breaks: