Richard Laager wrote:
> As a side note that has nothing to do with you, it's too bad that
> systemd-analyze security does not work on a unit _file_, but only
> installed units. Otherwise, this would be a great thing for someone to
> hook into Lintian.
I 100% agree, and I mentioned that in #systemd, but they didn't seem
terribly interested.

Also note that by default "systemd-analyze security" (with no argument)
will not mention disabled/masked units (cf. "systemctl list-units -t
service").

Lintian does have a basic systemd lockdown check currently, but it's
looking for *any one* of a set of ~5 lockdown options. Adding any of
them is enough to silence lintian.

Another thing I haven't considered is what happens if you lock down a
unit with Foo=bar, and then try to backport the unit to a systemd that
*doesn't have* that option. I *think* it will just trigger a warning
message from PID 1 ("unknown key Foo in Service section"), but I have
not tested this extensively.

> 3) Why do we want /var/log/ntpsec/temps.YYYY-MM-DD.gz to be
> world-readable? Is it just that, or everything that needs to be
> world-readable? Would this get better if the ntpviz services ran as the
> user ntpsec (i.e. could we then avoid them being world-readable)?

I don't know. I found that those files were world-readable before I
started, and I figured that was probably intentional. ntpviz may need
them and may run as the www-data/httpd user. It makes sense to add a
comment to this effect.

> 4) I re-ran systemd-analyze after adding these options. Do we really
> need local sockets? I see that systemd.exec's documentation suggests
> keeping it, e.g. for syslog, but is it actually used here?

I don't know. For now I've been leaving AF_UNIX enabled in all my unit
lockdowns, because

* I'm just starting out,
* AF_UNIX is classed as low-priority (0.1), and
* it MIGHT be needed to report errors (syslog).

It makes sense to add a comment to this effect.

PS: IIRC I tried doing "RestrictAddressFamilies=" (i.e. allow *NO*
families) early on, and systemd interpreted it as "allow all families",
but I may have been confused.

> 5) Unless the order is critical (for humans; I realize it does not
> matter to systemd in most cases), I'd prefer to sort these.
The order in my paste was roughly the order in "systemd-analyze
security". I have no problem with sorting them lexicographically.

FYI, the order WITHIN a set of the SAME key can matter to systemd:

    Foo=bar
    Foo=
    Foo=baz

is different from

    Foo=
    Foo=bar
    Foo=baz

> 6) I will have to wait until after the Buster release to accept and
> merge this, because of the code freeze.

No worries.

> So with them sorted, and making UMask explicit, here's what I have:
>
> [Unit]
> Description=Rotate ntpd stats
> Requisite=ntpsec.service
>
> [Service]

I just noticed, should this be Type=oneshot? I'm never really sure when
to use one or the other.

> Type=simple
> ExecStart=/usr/lib/ntp/rotate-stats
>
> # These lock down this service to minimal privileges.
+# See also "systemd-analyze security".
> CapabilityBoundingSet=
> IPAddressDeny=any
> LockPersonality=yes
> MemoryDenyWriteExecute=yes
> NoNewPrivileges=yes
> PrivateDevices=yes

Remove duplicate record:

> PrivateNetwork=yes
> PrivateNetwork=yes
> PrivateTmp=yes
> PrivateUsers=yes
> ProtectControlGroups=yes
> ProtectHome=yes
> ProtectKernelModules=yes
> ProtectKernelTunables=yes
> ProtectSystem=strict
> ReadWritePaths=-/var/log/ntpsec/
> RemoveIPC=yes
+# FIXME (minor): is AF_UNIX really needed?
> RestrictAddressFamilies=AF_UNIX
> RestrictNamespaces=yes
> RestrictRealtime=yes
> SystemCallArchitectures=native

Note that @system-service is broader than strictly necessary here.
First-party systemd units use it as a "good enough" list.

> # Order is important here:
> SystemCallFilter=@system-service
> SystemCallFilter=~@privileged @resources
> # We want /var/log/ntpsec/temps.YYYY-MM-DD.gz to be world-readable.

NOTE: it's UMask= not Umask=. My original post had a typo.

+# With safer UMask=077, /var/log/ntpsec/temps.YYYY-MM-DD.gz aren't group- or world-readable.
+# FIXME: Do they need to be? Use a permissive UMask= for now.
+# FIXME: patch the script itself to "loosen" the umask only where needed?
> Umask=022
> User=ntpsec
> WorkingDirectory=/var/log/ntpsec
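Added example, not part of the mail above and not Lintian's check, systemd's parser or anything shipped with the ntpsec packaging: a small Python checker that applies a unit file's [Service] lines in order the way the thread describes systemd doing it. For list-typed settings repeated lines accumulate and an empty assignment ("Foo=") resets the list, so the two Foo= orderings above end up different; keys are case-sensitive, so "Umask=" is reported as an unknown key rather than silently treated as UMask=; and an exact duplicate line (the doubled PrivateNetwork=yes) is flagged. The key tables and the LOCKDOWN_KEYS list are a hand-picked subset chosen for this example, and the sample unit is a trimmed, constructed copy of the one quoted above with the typo and duplicate deliberately left in.

```python
"""Merge a unit file's [Service] section the way systemd applies it.

Example code for this thread only; the key tables below are a
hand-picked subset, not systemd's full schema and not Lintian's check.
"""

# List-typed keys: repeated lines accumulate, "Key=" (empty) resets.
LIST_KEYS = {
    "CapabilityBoundingSet", "IPAddressAllow", "IPAddressDeny",
    "ReadOnlyPaths", "ReadWritePaths", "RestrictAddressFamilies",
    "SystemCallFilter",
}

# Scalar keys: the last assignment wins (subset for this example).
SCALAR_KEYS = {
    "Type", "ExecStart", "User", "Group", "UMask", "WorkingDirectory",
    "LockPersonality", "MemoryDenyWriteExecute", "NoNewPrivileges",
    "PrivateDevices", "PrivateNetwork", "PrivateTmp", "PrivateUsers",
    "ProtectControlGroups", "ProtectHome", "ProtectKernelModules",
    "ProtectKernelTunables", "ProtectSystem", "RemoveIPC",
    "RestrictNamespaces", "RestrictRealtime", "SystemCallArchitectures",
}

# Hardening keys this example wants to see set (hypothetical list,
# chosen for the example; Lintian's real set is different).
LOCKDOWN_KEYS = {
    "CapabilityBoundingSet", "MemoryDenyWriteExecute", "NoNewPrivileges",
    "PrivateTmp", "ProtectHome", "ProtectSystem", "SystemCallFilter",
}


def merge_service_section(text):
    """Return (settings, warnings) after applying [Service] lines in order.

    settings maps scalar keys to a string and list keys to the list of
    tokens in effect after the last line; warnings collects duplicate
    lines and unknown (e.g. mis-cased) keys, which systemd would ignore.
    """
    settings, warnings, seen = {}, [], set()
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                       # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service":
            continue                       # only [Service] is modelled
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            warnings.append(f"line {lineno}: missing '=' in {line!r}")
            continue
        if line in seen:
            warnings.append(f"line {lineno}: duplicate line {line!r}")
        seen.add(line)
        if key in LIST_KEYS:
            if value == "":
                settings[key] = []         # empty assignment resets the list
            else:
                settings.setdefault(key, []).extend(value.split())
        elif key in SCALAR_KEYS:
            settings[key] = value          # last assignment wins
        else:
            # Case-sensitive: "Umask" is not "UMask", so it is ignored.
            warnings.append(
                f"line {lineno}: unknown key {key!r} in section 'Service', ignoring")
    return settings, warnings


def missing_lockdown(settings):
    """Lockdown keys never assigned (an empty list still counts as set)."""
    return sorted(LOCKDOWN_KEYS - settings.keys())


# Constructed sample: trimmed copy of the unit quoted in the mail, with the
# Umask typo and the doubled PrivateNetwork= line kept so there is something
# to find. MemoryDenyWriteExecute= is left out on purpose.
SAMPLE_UNIT = """\
[Unit]
Description=Rotate ntpd stats
Requisite=ntpsec.service

[Service]
Type=simple
ExecStart=/usr/lib/ntp/rotate-stats
CapabilityBoundingSet=
IPAddressDeny=any
NoNewPrivileges=yes
PrivateNetwork=yes
PrivateNetwork=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=-/var/log/ntpsec/
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
Umask=022
User=ntpsec
"""

# The ordering point from the mail, spelled out with a real list key.
RESET_IN_MIDDLE = "[Service]\nReadWritePaths=/a\nReadWritePaths=\nReadWritePaths=/b\n"
RESET_FIRST = "[Service]\nReadWritePaths=\nReadWritePaths=/a\nReadWritePaths=/b\n"

if __name__ == "__main__":
    settings, warnings = merge_service_section(SAMPLE_UNIT)
    for w in warnings:
        print("warning:", w)
    print("missing lockdown keys:", missing_lockdown(settings))
    print("UMask in effect:", settings.get("UMask", "(default)"))
    print(merge_service_section(RESET_IN_MIDDLE)[0]["ReadWritePaths"])
    print(merge_service_section(RESET_FIRST)[0]["ReadWritePaths"])
```

Run as a script it prints the unknown-key warning for "Umask", the duplicate PrivateNetwork= line, MemoryDenyWriteExecute as the one lockdown key the sample never sets, "(default)" for UMask (because the mis-cased line was ignored), and ['/b'] versus ['/a', '/b'] for the two orderings. It does not model continuation lines, drop-in directories, or the allow-list/deny-list mode that the first SystemCallFilter= line selects; it only shows why line order and exact key spelling matter.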