I gave a talk about Linux system hardening using systemd features at SSTIC 2017 (in French) and at RMLL 2017 (in English, in the security track).
Since then, upstream systemd developers added a lot of interesting features, so let’s review some of them.
@system-service system call whitelist
With the SystemCallFilter option, you may now use the @system-service group to whitelist all common system calls used by system services. I usually like to combine it with a secondary blacklist to further limit the available system calls:
The SystemCallErrorNumber=EPERM option also makes it much easier to debug filter issues: processes no longer crash when they hit a filtered system call, they get an error return instead, so the logs are usually more useful.
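Putting the two paragraphs above together, here is an added example (not from the original post) of a drop-in for a hypothetical example.service; the unit name and the particular groups chosen for the blacklist are assumptions, the option names and syntax are systemd's own:

```ini
# Added example: /etc/systemd/system/example.service.d/hardening.conf
# "example.service" is a placeholder unit name.
[Service]
# Whitelist: only the system calls commonly needed by system services.
SystemCallFilter=@system-service
# Secondary blacklist: a leading "~" removes these groups again from the
# set allowed by the line above. The groups picked here are an assumption;
# choose them for the service at hand.
SystemCallFilter=~@privileged @resources @obsolete
# Return EPERM to the caller instead of killing the process with SIGSYS,
# so a filtered call shows up as a logged error rather than a crash.
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload`, `systemctl show example.service -p SystemCallFilter` prints the effective set, and `journalctl -u example.service` shows the EPERM failures while you tune the lists. Order matters: the whitelist line must come before the blacklist line for the latter to subtract from it.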
For more details, read the corresponding entry in the systemd.exec man page.
eBPF based alternative to TCP Wrappers
systemd now provides functionality similar to TCP Wrappers through two options, IPAddressDeny and IPAddressAllow. Restricting a service to localhost is now as simple as:
And restricting a service to the local network:
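Both cases above, as an added example that is not part of the original post. The unit name and the address ranges standing in for "the local network" are assumptions; the keywords any, localhost and link-local are systemd's own:

```ini
# Added example, two alternative drop-ins for a placeholder "example.service".
# Use one or the other, not both.

# File 1: /etc/systemd/system/example.service.d/localhost-only.conf
# Deny all IP traffic, then re-allow loopback only (127.0.0.0/8 and ::1).
[Service]
IPAddressDeny=any
IPAddressAllow=localhost

# File 2: /etc/systemd/system/example.service.d/lan-only.conf
# Same pattern, but also allow the RFC 1918 private ranges and link-local
# addresses (169.254.0.0/16 and fe80::/64). Adjust the ranges to your site.
# [Service]
# IPAddressDeny=any
# IPAddressAllow=localhost 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 link-local
```

Two caveats worth keeping in mind: the filter applies to all AF_INET and AF_INET6 sockets of the unit, outgoing as well as incoming, so a service that needs to reach a remote database or DNS resolver needs those addresses allowed too; and it relies on the unified cgroup hierarchy with eBPF support in the kernel, so check `systemctl show example.service -p IPAddressDeny -p IPAddressAllow` and the journal for a warning if the rules do not seem to take effect.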
For more details, read the corresponding entry in the systemd.resource-control man page.
Dynamically created directories
Those options create directories with the specified permissions and user:group ownership. This makes it really easy to duplicate services (using templates, for example) and have the creation of all their directories handled automatically:
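An added example (not from the original post) of what this looks like for a template unit: the options used are systemd's RuntimeDirectory, StateDirectory, CacheDirectory, LogsDirectory and ConfigurationDirectory with their matching *Mode settings, while the service name, user, group and binary path are placeholders.

```ini
# Added example: /etc/systemd/system/example@.service
# %i expands to the instance name, e.g. "example@blue.service" gives blue.
# "example", its user/group and the ExecStart path are placeholders.
[Unit]
Description=Example service, instance %i

[Service]
User=example
Group=example
ExecStart=/usr/bin/example --instance %i
# /run/example/%i: created at start, removed at stop, owned by example:example
RuntimeDirectory=example/%i
RuntimeDirectoryMode=0750
# /var/lib/example/%i: persistent state, readable by the service user only
StateDirectory=example/%i
StateDirectoryMode=0700
# /var/cache/example/%i and /var/log/example/%i
CacheDirectory=example/%i
CacheDirectoryMode=0700
LogsDirectory=example/%i
LogsDirectoryMode=0750
# /etc/example/%i: created if missing, but stays root-owned so the service
# cannot rewrite its own configuration
ConfigurationDirectory=example/%i
```

The innermost directory of each setting gets the User=/Group= ownership and the given mode; parent directories (here /run/example and so on) are created by systemd as root with default permissions. Starting `example@blue.service` and `example@green.service` therefore gives each instance its own set of directories with no ExecStartPre mkdir/chown dance, and `systemctl show 'example@blue.service' -p RuntimeDirectory -p StateDirectory` confirms the expanded paths.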