Hello NLUG,

This past weekend was SELF 2024 in Charlotte. One very interesting presentation was on Securing systemd services. I don't see the videos on YouTube yet, but guessing they should be up soon. The same presenter also gave another talk on proper use of hardware keys.

Systemd is ubiquitous on Linux for managing services. Unfortunately, properly securing these services is much less common despite excellent tooling for assessment, securing, and logging. We'll show a concrete example, using nginx, to properly secure a service.

------------------------------

Most Linux distributions now include systemd as the default init system for booting and service management. Despite this wide adoption, most distributions take little advantage of the systemd utilities and configuration to secure these services. For example, the default configuration of nginx in Debian has an "exposure level" of 9.6 (unsafe), where the scale is 0.0 to 10.0 and higher is worse. Many devops and development teams mistakenly believe that containers will automatically secure their services. Containers are capable in this regard but this is not their primary usage.

We will show a step-by-step process of securing services, using the nginx HTTP server. We will use a number of auditing tools, including systemd-analyze and lynis, to identify which kernel and other system features can be tuned to reduce the security risk exposure. We then discuss the options available in the systemd unit files related to security. We will use service and kernel log files extensively to debug and adjust each of the settings.

This is an intermediate level discussion. You should be familiar at a high level with modern Linux kernel security features such as capabilities.

Jean Pierre LeJacq <https://speakers.southeastlinuxfest.org/southeast-linux-fest-2024/speaker/8RN87C/>

Jean Pierre has been involved in the open-source community since 1990. He has been a Debian DM for several years and is currently actively involved in Primero, an open-source platform for social welfare. He has started several companies, the latest is Salus CM (https://salus-cm.care/).

This speaker also appears in:
- Best Practices for Hardware Security Tokens <https://speakers.southeastlinuxfest.org/southeast-linux-fest-2024/talk/E9JKXE/>
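
The unit-file review the abstract describes, as an added example that is not part of the original message or the talk: a small Python check that merges a unit with its drop-ins and lists sandboxing directives that are still unset or weak. The unit and drop-in text are constructed samples, the function names are hypothetical, and the directive list is only a subset of what `systemd-analyze security` scores.

```python
TRUE = {"1", "yes", "true", "on"}  # spellings systemd accepts for a true boolean

# Directive -> values treated as hardened (assumption: a deliberately strict baseline).
EXPECTED = {k: TRUE for k in (
    "NoNewPrivileges", "PrivateTmp", "PrivateDevices", "ProtectKernelTunables",
    "ProtectKernelModules", "ProtectControlGroups", "RestrictSUIDSGID",
    "LockPersonality")}
EXPECTED.update(ProtectSystem={"strict"}, ProtectHome=TRUE | {"read-only", "tmpfs"})
# List-valued directives: only presence is checked, the values need review by hand.
PRESENCE_ONLY = ("CapabilityBoundingSet", "SystemCallFilter", "RestrictAddressFamilies")

def service_settings(*unit_texts):
    """Merge [Service] keys from the unit and its drop-ins, in order; last one wins."""
    settings = {}
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":   # blank line or comment
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Service" and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
    return settings

def missing_hardening(*unit_texts):
    """Return sorted directive names that are unset or weaker than EXPECTED."""
    s = service_settings(*unit_texts)
    weak = [k for k, ok in EXPECTED.items() if s.get(k, "").lower() not in ok]
    weak += [k for k in PRESENCE_ONLY if k not in s]
    return sorted(weak)

# Constructed sample unit, not Debian's shipped nginx.service.
UNIT = """\
[Service]
ExecStart=/usr/sbin/nginx
PrivateTmp=true
"""
# Constructed drop-in, such as one created with `systemctl edit nginx`.
DROPIN = """\
[Service]
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
"""
print(missing_hardening(UNIT, DROPIN))
```

Each name it reports is a setting to try in a drop-in and then confirm against the service and kernel logs, as the abstract describes.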
