Jarl Gullberg <[email protected]> writes:

> We want to plan and execute a project to develop, contribute, and
> (ideally where possible) upstream changes to critical systemd services
> to better utilize the available hardening features of systemd.
>
> 1. Is there any prior work on similar efforts? If it's been attempted
> in the past, or if there's something already out there, I'd love to
> learn from it and get involved.

Have you seen https://lists.debian.org/debian-devel/2023/07/msg00030.html ?

There are various links in that thread, including
https://wiki.debian.org/ReleaseGoals/SystemdAnalyzeSecurity
https://github.com/cyberitsolutions/prisonpc-systemd-lockdown/tree/main/systemd/system/0-EXAMPLES

(I also found https://github.com/desbma/shh once, but never tested it.)

> 2. Is there an interest from the Debian community for an effort like
> this, and if so, who would like to collaborate to make it happen?

Would love to see this.

Related, but I would also love to get a proper solution to: sending
email from shell scripts run via systemd units tends to fail with
exim and postfix.

> Something like this would obviously need coordination between package
> maintainers and support from relevant developer teams to be most
> effective, so we want to get out in front of any actual work to make
> sure there's a there there.

(I suspect the main problem is going to be that many "maintainers" are
not active, especially where bugs are wishlist and where enabling the
wrong hardening option can break a script for edge cases, and where
testing is difficult.)
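For the "script that sends mail" case raised above, here is an added example (not from the thread, nor from any of the linked projects) of what a hardening drop-in for such a unit can look like. The unit name `nightly-report.service`, the drop-in path, and the spool directories are assumptions; the example also assumes the Debian layout where exim4's `/usr/sbin/exim4` is setuid root and postfix's `/usr/sbin/sendmail` hands off to the setgid `/usr/sbin/postdrop`, so local submission depends on a privilege gain at exec time.

```ini
# Added example, not from the thread. Hypothetical drop-in for an imaginary
# nightly-report.service whose ExecStart= runs a root-owned shell script that
# pipes its report into /usr/sbin/sendmail. Install as
# /etc/systemd/system/nightly-report.service.d/hardening.conf, then run
# `systemctl daemon-reload`.
[Service]
# Filesystem: read-only view of the host, private /tmp, no home directories.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# The MTA's submission helper runs inside this unit's mount namespace and
# inherits the read-only view, so its queue must be writable explicitly.
# Assumed Debian spool paths; adjust for the MTA actually installed.
ReadWritePaths=/var/spool/postfix /var/spool/exim4
# Scratch space the script itself may write, created under /var/lib.
StateDirectory=nightly-report

# Kernel and namespace surface.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native

# Network: keep AF_UNIX and loopback TCP so the script can still reach a
# local MTA; nothing here needs other address families.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Deliberately left unset, because each one breaks setuid/setgid submission:
#
# NoNewPrivileges=yes   Blocks any privilege gain on execve(), which is exactly
#                       what the setuid exim4 binary and the setgid postdrop
#                       rely on. The helper then fails with "Permission denied"
#                       on its queue directory.
#
# PrivateNetwork=yes    Removes loopback, so SMTP to 127.0.0.1 cannot be used
#                       as the fallback submission path either.
#
# Note: the seccomp-backed directives above (ProtectKernelTunables=,
# RestrictAddressFamilies=, SystemCallArchitectures=, LockPersonality=, and
# friends) imply NoNewPrivileges=yes when the unit does not run as root or
# lacks CAP_SYS_ADMIN, e.g. after User= or an emptied CapabilityBoundingSet=.
# That is why this example keeps the script running as root: a non-root
# variant must submit mail over SMTP to the MTA's loopback listener instead of
# exec'ing the setuid/setgid helper (assumption: the MTA listens on 127.0.0.1).
```

After installing the drop-in, `systemd-analyze security nightly-report.service` prints a per-directive assessment and an overall exposure score for the unit, and `systemd-analyze verify nightly-report.service` catches typos in directive names. The real regression test is still to start the unit and read `journalctl -u nightly-report.service`, since a submission failure from the MTA helper shows up there rather than as a unit failure.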

