Linux system hardening thanks to systemd (& 2018 update)
I gave a talk about Linux system hardening using systemd features at SSTIC 2017 (in French) and at RMLL 2017 (in English, in the security track).
French: slides, article, video, SSTIC 2017 website.
English: slides, video (mp4, webm), RMLL Ubicast page.
Since then, upstream systemd developers added a lot of interesting features, so let’s review some of them.
New @system-service system call whitelist
With the SystemCallFilter= option, you may now use the @system-service group to whitelist the common system calls used by system services (it deliberately leaves out special-purpose groups such as @clock, @mount, @swap and @reboot). I usually like to combine it with a secondary blacklist, a second SystemCallFilter= line starting with ~, to further limit the available system calls:
The SystemCallErrorNumber=EPERM option also makes it much easier to debug filter issues: a filtered system call returns EPERM to the caller instead of killing the process with SIGSYS, so the daemon stays up long enough to report the error and its logs are usually better.
For more details, read the corresponding entry in the systemd.exec man page.
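An added example of this combination as a drop-in for a hypothetical service (this is not the original post's snippet; the "mydaemon" name and the groups chosen for the blacklist are assumptions to adapt to the daemon at hand):

```ini
# /etc/systemd/system/mydaemon.service.d/syscall-filter.conf
# Added example drop-in (not from the original post); "mydaemon" is a
# hypothetical service name.
[Service]
# Allow-list: the system calls typically needed by system services.
SystemCallFilter=@system-service
# Secondary deny-list: a further SystemCallFilter= line starting with "~"
# removes these groups from the set allowed above. @privileged (calls that
# need super-user capabilities, e.g. mount, reboot, chown) and @resources
# (setrlimit, nice, scheduling parameters) are rarely needed once User= is
# set and the daemon no longer drops privileges itself.
SystemCallFilter=~@privileged @resources
# Return EPERM from a filtered call instead of killing the process with
# SIGSYS, so the daemon reports the failure in its own logs.
SystemCallErrorNumber=EPERM
# Restrict the ABI to the native one so the seccomp filter only has to
# cover a single system call table.
SystemCallArchitectures=native
# The seccomp filter is inherited across fork/exec, so helper programs the
# daemon spawns are covered as well.
```

To see what a group actually contains on the running system, use systemd-analyze syscall-filter @system-service. After systemctl daemon-reload and a restart, watch the journal for EPERM errors from the daemon: each one points at a call that the blacklist removed and that must be added back (for example by dropping @resources if the daemon calls setrlimit on startup).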
eBPF-based alternative to TCP Wrappers
systemd now provides functionality similar to TCP Wrappers through two options, IPAddressDeny= and IPAddressAllow=. They are implemented as eBPF programs attached to the unit's cgroup and are thus enforced by the kernel on every AF_INET and AF_INET6 socket of every process in the unit, whether or not the daemon was built against libwrap. Restricting a service to localhost is now as simple as:
And restricting a service to the local network:
For more details, read the corresponding entry in the systemd.resource-control man page.
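An added example covering both cases above, localhost only and local network only (this is not the original post's snippet; the "mydaemon" name and the 192.0.2.0/24 and 2001:db8::/64 ranges are placeholders to replace with the real segments):

```ini
# /etc/systemd/system/mydaemon.service.d/ip-filter.conf
# Added example drop-in (not from the original post); "mydaemon" and the
# address ranges are hypothetical.
[Service]
# Start from deny-all: IPAddressAllow= on its own denies nothing. A packet
# whose address matches both lists is allowed, so the allow list wins.
IPAddressDeny=any
# Variant 1: localhost only. "localhost" expands to 127.0.0.0/8 and ::1/128.
IPAddressAllow=localhost
# Variant 2 (use instead of the line above): localhost plus the local
# network segments this service must talk to.
#IPAddressAllow=localhost 192.0.2.0/24 2001:db8::/64

# The filter applies to packets sent as well as received, so an outbound
# connection to an address outside the allow list fails too. AF_UNIX
# sockets are not affected.

# Alternatively, as the systemd.resource-control man page recommends for an
# allow-listing firewall, put the deny rule on a slice so every service
# below it is denied by default and only services with their own
# IPAddressAllow= get network access:
#
# /etc/systemd/system/system.slice.d/ip-filter.conf
# [Slice]
# IPAddressDeny=any
```

This needs a kernel with cgroup BPF support (Linux 4.10 or newer) and systemd managing the unit in the cgroup v2 hierarchy; where that is missing the directives are accepted but not enforced. Do not trust systemctl show -p IPAddressAllow -p IPAddressDeny mydaemon.service alone, which only reflects the configuration: verify with a connection attempt from an address outside the allow list.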
Dynamically created directories
The RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory= and ConfigurationDirectory= options create directories below /run, /var/lib, /var/cache, /var/log and /etc with the permissions given by the matching *DirectoryMode= option and, except for ConfigurationDirectory=, owned by the service's User= and Group=. This makes it really easy to duplicate services (using templates, for example) and have all directory creation handled automatically:
/etc/systemd/system/mydaemon@.service:
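An added example of such a template unit (not the original post's file; the "mydaemon" name, the /usr/bin/mydaemon binary with its --instance and --state-dir flags, and the mydaemon user and group are hypothetical):

```ini
# /etc/systemd/system/mydaemon@.service
# Added example template unit (not from the original post); "mydaemon", its
# binary and command-line flags, and the mydaemon user/group are hypothetical.
[Unit]
Description=My daemon, instance %i

[Service]
User=mydaemon
Group=mydaemon
# Directories are created at start, named after the instance (%i), owned by
# User:Group (except the configuration directory, which stays root-owned)
# with the *Mode= permissions. Parents such as /var/lib/mydaemon are created
# as needed.
# /run/mydaemon/%i: removed again when the unit stops (unless
# RuntimeDirectoryPreserve= is set).
RuntimeDirectory=mydaemon/%i
RuntimeDirectoryMode=0750
# /var/lib/mydaemon/%i: persistent state, private to the service user.
StateDirectory=mydaemon/%i
StateDirectoryMode=0700
# /var/cache/mydaemon/%i and /var/log/mydaemon/%i
CacheDirectory=mydaemon/%i
LogsDirectory=mydaemon/%i
# /etc/mydaemon/%i: created 0755 and owned by root, so the service can read
# but not modify its own configuration.
ConfigurationDirectory=mydaemon/%i
ExecStart=/usr/bin/mydaemon --instance %i --state-dir /var/lib/mydaemon/%i
# With ProtectSystem=strict the rest of the filesystem is read-only for the
# service; the directories declared above remain writable.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

After systemctl start mydaemon@foo, ls -ld /var/lib/mydaemon/foo /run/mydaemon/foo shows the ownership and modes that were requested, and stopping the instance removes /run/mydaemon/foo while the state directory stays. Because the service never has to mkdir or chown anything itself, it can be run without CAP_CHOWN and CAP_DAC_OVERRIDE, and instances cannot reach each other's state through a shared world-writable parent.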
Comments
You can also contact me directly if you have feedback.