Linux system hardening thanks to systemd (& 2018 update)

1 minute read

I gave a talk about Linux system hardening using systemd features at SSTIC 2017 (in French) and at RMLL 2017 (in English, in the security track).

French: slides, article, video, SSTIC 2017 website.

English: slides, video (mp4, webm), RMLL Ubicast page.

Since then, upstream systemd developers added a lot of interesting features, so let’s review some of them.

New @system-service system call whitelist

With the SystemCallFilter option, you may now use the @system-service group to whitelist all common system calls used by system services. I usually like to combine it with a secondary blacklist to further limit the available system calls:

[Service]
SystemCallFilter=@system-service
SystemCallFilter=~@aio @keyring
SystemCallErrorNumber=EPERM

The SystemCallErrorNumber=EPERM option also makes it much easier to debug filter issues as processes no longer crash on invalid access and thus logs are usually better.

For more details, read the corresponding entry in the systemd.exec man page.

eBPF based alternative to TCP Wrappers

This option provides a functionality similar to TCP Wrappers with two options: IPAddressDeny and IPAddressAllow. Restricting a service to localhost is now as simple as :

[Service]
IPAddressAllow=localhost
IPAddressDeny=any

And restricting a service to the local network:

[Service]
IPAddressAllow=192.168.0.0/24
IPAddressDeny=any

For more details, read the corresponding entry in the systemd.resource-control man page.

Dynamically created directories

Those options will create directories with specified permissions and user:group ownership. This makes it really easy to duplicate services (using templates for example) and have all directories creation handled automatically:

/etc/systemd/system/mydaemon@.service:

[Service]
User=mydaemon
Group=mydaemon

RuntimeDirectory=mydaemon-%i
StateDirectory=mydaemon-%i
CacheDirectory=mydaemon-%i

RuntimeDirectoryMode=750
StateDirectoryMode=750
CacheDirectoryMode=750

RuntimeDirectoryPreserve=yes

References

Updated:

Comments