Hi,

* Antoine Beaupre [Wed Feb 05, 2020 at 03:44:05PM -0500]:
[...]
> We recently introduced a new feature where the systemd unit file is
> hardened. I think it would be a great addition to the Debian package
> as well, considering that it seems to work for us. Here's the magic
> incantation that was added:
>
> NoNewPrivileges=true
> ProtectHome=true
> ProtectSystem=full
> ProtectHostname=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> ProtectKernelTunables=true
> LockPersonality=true
> RestrictRealtime=yes
> RestrictNamespaces=yes
> MemoryDenyWriteExecute=yes
> PrivateDevices=yes
> CapabilityBoundingSet=
>
> This was brought in from Arch Linux, where those settings are
> apparently in place as well:
>
> https://github.com/voxpupuli/puppet-prometheus/pull/415

FTR, the ProtectHome=true setting requires systemd v242 or newer, so this
might be something to keep in mind for backports towards buster.
The rest is perfectly fine for the systemd version we have in buster
(and of course newer).

The service might be restricted even further, with:

  SystemCallArchitectures=native
  AmbientCapabilities=
  PrivateTmp=true
  PrivateUsers=true
  RemoveIPC=true
  UMask=0077
  LimitMEMLOCK=0

And possibly even:

  DevicePolicy=strict
  DeviceAllow=/dev/null rw

* Martina Ferrari [Sat Feb 08, 2020 at 03:38:48PM +0000]:
> Thanks for the report! This seems indeed useful and a good addition.
> Sadly, I don't have the knowledge to evaluate whether these settings can
> have unintended side-effects. Have you (or anybody reading this)
> evaluated that? If so, I would be happy to apply the "patch". Maybe
> adding a one-line explanation to each line would be a good addition too.

I'm fairly experienced with systemd hardening and fully support Antoine's
request. I'm currently hardening prometheus at a customer of mine, I'd
like to get some more testing done, then I could provide a working
patch/MR (including one-line descriptions for the settings) for usage
with prometheus in Debian.

regards
-mika-
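The following is an added example, not the patch promised in the thread nor anything from the Debian or upstream prometheus packaging. It turns the two lists of directives above into a commented drop-in for a unit assumed to be named prometheus.service, with the one-line explanation per setting that Martina asked for, and a version gate for a buster backport. The gate is on ProtectHostname=, which is the directive that systemd's v242 release notes introduce (older systemd logs an "Unknown key" warning and ignores it); every other directive in the lists loads on buster's systemd 241. The helper names (running_systemd_version, systemd_supports, write_dropin, count_directives) and the directory parameter are assumptions made so the script can be exercised in a scratch directory before being installed.

```shell
#!/bin/sh
# Added example, not a patch from the thread: generate a commented drop-in
# for prometheus.service from the settings quoted above, gating the one
# directive that is newer than buster's systemd 241 on the running version.
set -eu

# Parse "systemd 241 (241)" -> 241.  Prints 0 if systemctl is not installed,
# so the caller can decide what to do on a non-systemd host.
running_systemd_version() {
    v=$(systemctl --version 2>/dev/null | awk 'NR == 1 { print $2 }')
    echo "${v:-0}"
}

# $1 = version in use, $2 = minimum required; true when $1 >= $2.
systemd_supports() {
    [ "$1" -ge "$2" ]
}

# Write $1/hardening.conf for systemd version $2.  On a real host install it
# as /etc/systemd/system/prometheus.service.d/hardening.conf and run
# `systemctl daemon-reload`; the directory is a parameter only so the
# function can be exercised in a scratch directory first.
write_dropin() {
    dir=$1
    ver=$2
    mkdir -p "$dir"
    cat > "$dir/hardening.conf" <<'EOF'
[Service]
# children cannot gain privileges via setuid/setgid binaries or file capabilities
NoNewPrivileges=true
# /home, /root and /run/user appear empty (only a problem if the TSDB lives there)
ProtectHome=true
# /usr, /boot and /etc are read-only; /var/lib/prometheus stays writable
ProtectSystem=full
# the cgroup hierarchy under /sys/fs/cgroup is read-only
ProtectControlGroups=true
# loading kernel modules is denied
ProtectKernelModules=true
# /proc/sys, /sys and similar kernel tunables are read-only
ProtectKernelTunables=true
# personality(2) is locked, removing one way to weaken ASLR
LockPersonality=true
# no realtime scheduling policies (SCHED_FIFO/SCHED_RR)
RestrictRealtime=yes
# the service cannot create user/mount/net/... namespaces
RestrictNamespaces=yes
# no writable+executable memory mappings; fine for a Go binary like prometheus
MemoryDenyWriteExecute=yes
# private /dev containing only pseudo-devices (null, zero, random, ...)
PrivateDevices=yes
# empty bounding set: no capabilities at all, so ports below 1024 cannot be
# bound (the default 9090 is unaffected)
CapabilityBoundingSet=
# --- tighter set suggested in the reply ---
# only the host's native syscall ABI (e.g. no i386 syscalls on amd64)
SystemCallArchitectures=native
# no ambient capabilities either
AmbientCapabilities=
# private /tmp and /var/tmp
PrivateTmp=true
# run in a user namespace where the service user is unprivileged
PrivateUsers=true
# SysV IPC objects owned by the service are removed when it stops
RemoveIPC=true
# files the service creates are readable by its owner only
UMask=0077
# the service cannot mlock(2) memory
LimitMEMLOCK=0
# device cgroup: deny every device except the ones listed
DevicePolicy=strict
DeviceAllow=/dev/null rw
EOF
    # ProtectHostname= first appears in the systemd v242 release notes; older
    # systemd logs "Unknown key" and ignores it, so only emit it where supported.
    if systemd_supports "$ver" 242; then
        cat >> "$dir/hardening.conf" <<'EOF'
# private UTS namespace: the service cannot change the hostname
ProtectHostname=true
EOF
    fi
}

# Count "Key=" lines so a reviewer can confirm nothing was silently dropped.
count_directives() {
    grep -c '^[A-Za-z]*=' "$1"
}

# On a real host (as root):
#   write_dropin /etc/systemd/system/prometheus.service.d "$(running_systemd_version)"
#   systemctl daemon-reload && systemd-analyze security prometheus.service
```

After installing the drop-in, `systemd-analyze security prometheus.service` reports the exposure score before and after, and `journalctl -u prometheus.service` will show any "Unknown key" line for a directive the running systemd does not know. The side effects worth checking before shipping are the ones noted in the comments: the TSDB path must not be under /home, the listen port must stay above 1023 because the bounding set is empty, and anything the unit needs under /etc or /usr must be read-only in practice.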