Enable systemd hardening options for named
Reindl Harald
h.reindl at thelounge.net
Mon Jan 15 18:11:31 UTC 2018
On 15.01.2018 at 18:58, Ludovic Gasc wrote:
> Hi,
>
> (Not sure it's the right mailing-list to discuss about this, tell me if
> it's another one)
>
> For your information, systemd offers several options to increase the
> security of each daemon based on cgroups, like Docker or rkt.
> For example:
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Capabilities
>
> This approach permits to keep the classical Linux distribution daemons
> with simple maintenance actions via apt or yum + the same container
> security as a Docker image.
>
> A discussion has already started on Debian tracker:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863841
>
> Based on this proposal, I made a new service override with extra
> security (see below).
>
> But now, I need your help for two parameters of systemd:
> 1. The list of minimal capabilities needed for bind to run correctly:
> http://man7.org/linux/man-pages/man7/capabilities.7.html
> 2. The list of minimal SystemCallFilter:
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=
>
> Where I could find the lists ?
You cannot limit SystemCallFilter that way, because every software or glibc update could change the used ones, and previously unknown ones may get added, like the random generator recently. Blacklisting them is the way to go.
[root@srv-rhsoft:~/updateservice/subversion]$ cat /etc/systemd/system/named.service
[Unit]
Description=DNS Server
After=network.service systemd-networkd.service network-online.target network-wan-bridge.service network-wlan-bridge.service openvpn.service

[Service]
Type=simple
# set up the chroot before the config check and the daemon start, tear it down after stop
ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
ExecStart=/usr/sbin/named -4 -f -u named -t /var/named/chroot
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/kill -TERM $MAINPID
ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
TimeoutSec=25
Restart=always
RestartSec=1
# sandboxing: private /tmp and /dev, reduced capability bounding set, syscall denylist, read-only /etc and /usr
PrivateTmp=yes
PrivateDevices=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
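An added example, not part of the thread: a small Python script that reads the CapabilityBoundingSet= and SystemCallFilter= lines from a unit like the one above (following systemd's rule that repeated assignments merge and an empty assignment resets the list, which matters when the hardening lives in an override drop-in) and compares the bounding set the unit grants with the CapBnd mask of the running named process in /proc/<pid>/status, so one can check that the override really took effect. The capability bit numbers come from linux/capability.h; the unit text and the status excerpt are constructed sample input, not taken from the poster's system.

```python
import re
# Capability bit numbers as in linux/capability.h: CAP_CHOWN is bit 0, CAP_CHECKPOINT_RESTORE bit 40.
CAP_NAMES = ["CAP_" + n for n in (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP LINUX_IMMUTABLE "
    "NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO "
    "SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME "
    "SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()]

def parse_unit(text):
    """CapabilityBoundingSet=/SystemCallFilter= with systemd merge rules: repeats add, empty resets, '~' = denylist."""
    caps, deny, allow = set(), set(), set()
    for key, value in re.findall(r"^(CapabilityBoundingSet|SystemCallFilter)=(.*)$", text, re.M):
        value = value.strip()
        if not value:  # empty assignment clears everything set so far for that key
            for s in ((caps,) if key == "CapabilityBoundingSet" else (deny, allow)):
                s.clear()
            continue
        target = caps if key == "CapabilityBoundingSet" else (deny if value.startswith("~") else allow)
        target.update(value.lstrip("~").split())  # CapabilityBoundingSet=~ inversion not handled here
    return {"caps": caps, "syscall_deny": deny, "syscall_allow": allow}

def decode_capmask(hex_mask):
    """Translate a CapBnd/CapEff hex value from /proc/<pid>/status into capability names."""
    mask = int(hex_mask, 16)
    return {CAP_NAMES[i] if i < len(CAP_NAMES) else f"CAP_BIT_{i}"
            for i in range(mask.bit_length()) if mask >> i & 1}

def capmask(names):
    """Inverse of decode_capmask: the CapBnd value a correctly applied bounding set shows."""
    return "%016x" % sum(1 << CAP_NAMES.index(n) for n in names)

def bounding_set_drift(proc_status, unit_text):
    """Capabilities the live process keeps in its bounding set although the unit does not grant them."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", proc_status, re.M)
    if not m:
        raise ValueError("no CapBnd line in status text")
    return decode_capmask(m.group(1)) - parse_unit(unit_text)["caps"]

# Constructed sample: the unit's lists split over two assignments (systemd merges them) and a
# /proc/<pid>/status excerpt whose CapBnd also carries CAP_SYS_PTRACE (bit 19), i.e. the override did not apply.
UNIT = """CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT
SystemCallFilter=~acct modify_ldt add_key ptrace swapoff swapon uselib vmsplice
"""
STATUS = "Name:\tnamed\nCapBnd:\t00000000002c7ce3\nCapAmb:\t0000000000000000\n"

if __name__ == "__main__":
    print("CapBnd expected from unit:", capmask(parse_unit(UNIT)["caps"]))  # 0000000000247ce3
    print("capabilities not granted by the unit:", bounding_set_drift(STATUS, UNIT))  # {'CAP_SYS_PTRACE'}
```

On a live system, replace STATUS with the contents of /proc/$(systemctl show -p MainPID --value named)/status and UNIT with the output of systemctl cat named.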