examples: harden systemd services
Add various settings to the example chronyd and chrony-wait services to decrease the exposure reported by the "systemd-analyze security" command. The original exposure was high as the analyzer does not check the actual process (e.g. that it dropped the root privileges or that it has its own seccomp filter). Limit read-write access to /run, /var/lib/chrony, and /var/spool. Access to /run (instead of /run/chrony) is needed for the refclock socket expected by gpsd. The mailonchange directive is most likely to break as it executes /usr/sbin/sendmail, which can do unexpected operations depending on the implementation. It should work with a setuid/setgid binary, but it is not expected to write outside of /var/spool and the private /tmp.
This commit is contained in:
Miroslav Lichvar
parent
127826a399
commit
83f96efdfd
2 changed files with 59 additions and 1 deletions
|
|
@ -16,5 +16,32 @@ TimeoutStartSec=180
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
StandardOutput=null
|
StandardOutput=null
|
||||||
|
|
||||||
|
CapabilityBoundingSet=
|
||||||
|
DevicePolicy=closed
|
||||||
|
DynamicUser=yes
|
||||||
|
IPAddressAllow=localhost
|
||||||
|
IPAddressDeny=any
|
||||||
|
LockPersonality=yes
|
||||||
|
MemoryDenyWriteExecute=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
PrivateUsers=yes
|
||||||
|
ProcSubset=pid
|
||||||
|
ProtectClock=yes
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectHome=yes
|
||||||
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
ProtectProc=invisible
|
||||||
|
ProtectSystem=strict
|
||||||
|
RestrictAddressFamilies=AF_INET AF_INET6
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
RestrictRealtime=yes
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=@system-service
|
||||||
|
SystemCallFilter=~@privileged @resources
|
||||||
|
UMask=0777
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
|
||||||
|
|
@ -10,9 +10,40 @@ Type=forking
|
||||||
PIDFile=/run/chrony/chronyd.pid
|
PIDFile=/run/chrony/chronyd.pid
|
||||||
EnvironmentFile=-/etc/sysconfig/chronyd
|
EnvironmentFile=-/etc/sysconfig/chronyd
|
||||||
ExecStart=/usr/sbin/chronyd $OPTIONS
|
ExecStart=/usr/sbin/chronyd $OPTIONS
|
||||||
|
|
||||||
|
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
|
||||||
|
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
|
||||||
|
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
|
||||||
|
DeviceAllow=char-pps rw
|
||||||
|
DeviceAllow=char-ptp rw
|
||||||
|
DeviceAllow=char-rtc rw
|
||||||
|
DevicePolicy=closed
|
||||||
|
LockPersonality=yes
|
||||||
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
ProcSubset=pid
|
||||||
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectSystem=full
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
ProtectProc=invisible
|
||||||
|
ProtectSystem=strict
|
||||||
|
ReadWritePaths=/run /var/lib/chrony
|
||||||
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
RestrictSUIDSGID=yes
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
|
||||||
|
|
||||||
|
# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
|
||||||
|
NoNewPrivileges=no
|
||||||
|
ReadWritePaths=/var/spool
|
||||||
|
RestrictAddressFamilies=AF_NETLINK
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue