Enable systemd hardening options for named

Ludovic Gasc gmludo at gmail.com
Mon Jan 15 17:58:49 UTC 2018


Hi,

(Not sure this is the right mailing list to discuss this; tell me if
it's another one)

For your information, systemd offers several options to increase the
security of each daemon based on cgroups, like Docker or rkt.
For example:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Capabilities

This approach makes it possible to keep the classical Linux distribution daemons with
simple maintenance actions via apt or yum, plus the same container security as
a Docker image.

A discussion has already started on Debian tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863841

Based on this proposal, I made a new service override with extra security
(see below).

But now, I need your help for two parameters of systemd:
1. The list of minimal capabilities needed for bind to run correctly:
http://man7.org/linux/man-pages/man7/capabilities.7.html
2. The list of minimal SystemCallFilter:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=

Where could I find the lists?

If you have other ideas to increase the security, I'm interested.
My objective is to propose this service file to be integrated in Debian and
Fedora.

Thanks for your feedback.

The service override:

[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
SystemCallFilter=~@mount @debug
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
InaccessiblePaths=/home
InaccessiblePaths=/opt
InaccessiblePaths=/root
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
ReadWritePaths=/var/lib/bind

--
Ludovic Gasc (GMLudo)
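One way to confirm that an override like the one above actually took effect is to decode the CapBnd mask in /proc/<pid>/status of the running named and compare it with what the unit grants. The script below is an added example, not part of the original post; the override text and the two status lines are constructed inline so it runs offline (on a real host you would read /proc/$(pidof named)/status).

```python
"""Compare a unit's CapabilityBoundingSet= with the CapBnd mask of a process."""
import re

# Capability numbers from <linux/capability.h>; the index is the bit in CapBnd.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

def unit_bounding_set(unit_text):
    """Names listed on CapabilityBoundingSet= lines; repeated lines are
    merged and a trailing backslash joins lines, as systemd does."""
    text = unit_text.replace("\\\n", " ")
    caps = set()
    for m in re.finditer(r"^CapabilityBoundingSet=(.*)$", text, re.M):
        caps.update(m.group(1).split())
    return caps

def decode_capbnd(status_text):
    """Turn the CapBnd: hex mask from /proc/<pid>/status into names."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)$", status_text, re.M)
    mask = int(m.group(1), 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def check(unit_text, status_text):
    """Capabilities the process still has in its bounding set although the
    override does not grant them (empty set = override is in effect)."""
    return decode_capbnd(status_text) - unit_bounding_set(unit_text)

# Constructed sample data: the override from the post (wrapped as posted),
# a status line after the override applied (bits 1, 6, 7, 10 = 0x4c2),
# and one from an unconfined daemon with the full 38-bit bounding set.
OVERRIDE = ("[Service]\nCapabilityBoundingSet=CAP_DAC_OVERRIDE "
            "CAP_NET_BIND_SERVICE CAP_SETGID \\\nCAP_SETUID\n")
STATUS_OK = "Name:\tnamed\nCapBnd:\t00000000000004c2\n"
STATUS_FULL = "Name:\tnamed\nCapBnd:\t0000003fffffffff\n"

if __name__ == "__main__":
    print("unexpected caps:", sorted(check(OVERRIDE, STATUS_FULL)))
```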