From 2b8e86f9c383561e11d21d6d2d61523f04593343 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 11 Nov 2020 16:02:30 +0100 Subject: [PATCH 1/5] Update systemd.service --- conf/systemd.service | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/conf/systemd.service b/conf/systemd.service index 76cdf64..803f729 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -9,5 +9,22 @@ Group=__APP__ WorkingDirectory=__FINALPATH__/ ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1 +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +MemoryDenyWriteExecute=yes +LockPersonality=yes + [Install] WantedBy=multi-user.target From fe29c72b12ebdaa97afe1139885a89d504bccc42 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 11 Nov 2020 18:50:52 +0100 Subject: [PATCH 2/5] Remove two options that may in fact cause issues ... and add a bunch of CapabilityBoundingSet instructions that should be somewhat sane defaults ? --- conf/systemd.service | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/conf/systemd.service b/conf/systemd.service index 803f729..27fa8a5 100644 --- a/conf/systemd.service +++ b/conf/systemd.service 
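Review bot: The new sandboxing block never sets ProtectHome=, so a compromised `__APP__` process can still read /home, /root and /run/user even though the service runs as a dedicated user from `__FINALPATH__`; add `ProtectHome=yes` right after `ProtectSystem=full`. On hosts with a newer systemd, `ProtectHostname=yes` (≥ 242) and `ProtectKernelLogs=yes` (≥ 244) belong in the same list, but leave them out if older hosts must still parse this unit. Visible in the hunk's context rather than in the added lines, `ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1` does not redirect anything, because systemd does not run ExecStart= through a shell: `>>`, the log path and `2>&1` are handed to `script` as literal arguments, and the equivalent is `StandardOutput=append:/var/log/__APP__/__APP__.log` plus `StandardError=inherit` (systemd ≥ 240). Lastly, `PrivateDevices=yes` already implies `DevicePolicy=closed`, so one of those two lines is redundant and could go with a short comment saying why the other is kept.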
@@ -22,9 +22,19 @@ ProtectControlGroups=yes ProtectKernelModules=yes ProtectKernelTunables=yes RestrictRealtime=yes -RestrictSUIDSGID=yes -MemoryDenyWriteExecute=yes LockPersonality=yes +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target From 1ac3a1c1f750a2a57f4b8e7abf5ed154611eef28 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 11 Nov 2020 19:15:01 +0100 Subject: [PATCH 3/5] Add RestrictNamespaces=yes --- conf/systemd.service | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/conf/systemd.service b/conf/systemd.service index 27fa8a5..d0ddbf0 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -16,14 +16,16 @@ ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1 NoNewPrivileges=yes PrivateTmp=yes PrivateDevices=yes +RestrictNamespaces=yes +RestrictRealtime=yes DevicePolicy=closed ProtectSystem=full ProtectControlGroups=yes ProtectKernelModules=yes ProtectKernelTunables=yes -RestrictRealtime=yes LockPersonality=yes + # Denying access to capabilities that should not be relevant for webapps # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD From f1ec6a6c85d145d56611ea871a2a50d5168b0b63 Mon Sep 17 00:00:00 2001 
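Review bot: `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` names a capability that does not exist — the real one is `CAP_SYS_RAWIO` — and systemd warns and skips an unknown capability name rather than failing the unit, so raw I/O is not actually removed from the bounding set; the line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. More generally a deny list silently keeps whatever it forgets (here CAP_SETUID, CAP_SETGID, CAP_SETPCAP, CAP_SETFCAP, CAP_DAC_OVERRIDE, CAP_SYS_NICE, CAP_SYS_RESOURCE and anything kernels add later, e.g. CAP_BPF); since the unit runs as a dedicated `Group=__APP__`/user with NoNewPrivileges=yes, an allow list such as `CapabilityBoundingSet=` (empty) or `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` is both shorter and strictly safer. The removal of `RestrictSUIDSGID=yes` also looks like collateral: that option only stops the service from creating set-user-ID/set-group-ID files and is unlikely to be what broke an app, whereas `MemoryDenyWriteExecute=yes` genuinely breaks JIT-based runtimes, so consider dropping only the latter. The commit message does not say which option caused which failure; a one-line comment above the block recording that would save the next person from re-adding both.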
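Review bot: `RestrictNamespaces=yes` is added without a caveat in the comment block, yet it is the option here most likely to break a legitimate app: anything that builds its own sandbox with user namespaces (headless Chromium, bubblewrap-based helpers, some container tooling) will fail at unshare()/clone() with EPERM. Suggested comment directly above the line: `# RestrictNamespaces=yes breaks apps that create their own namespaces (e.g. a headless browser sandbox); remove it for those`. The `RestrictRealtime=yes` lines in the same hunk are only a reordering, so no behaviour changes there.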
From: Alexandre Aubin Date: Wed, 11 Nov 2020 19:54:27 +0100 Subject: [PATCH 4/5] Add RestrictAddressFamilies and SystemCallFilter --- conf/systemd.service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/conf/systemd.service b/conf/systemd.service index d0ddbf0..ca2ed1a 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -16,6 +16,7 @@ ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1 NoNewPrivileges=yes PrivateTmp=yes PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictNamespaces=yes RestrictRealtime=yes DevicePolicy=closed @@ -24,7 +25,7 @@ ProtectControlGroups=yes ProtectKernelModules=yes ProtectKernelTunables=yes LockPersonality=yes - +SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap # Denying access to capabilities that should not be relevant for webapps # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html From 6dd9c3232357321f5c6afa5f9c34f073d7839a00 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 11 Nov 2020 20:00:58 +0100 Subject: [PATCH 5/5] Not sure why but @priviledged is causing issue on some legit services.. --- conf/systemd.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/systemd.service b/conf/systemd.service index ca2ed1a..04d1c0d 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -25,7 +25,7 @@ ProtectControlGroups=yes ProtectKernelModules=yes ProtectKernelTunables=yes LockPersonality=yes -SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap # Denying access to capabilities that should not be relevant for webapps # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
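Review bot: `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` makes every other socket() family fail with EAFNOSUPPORT, and AF_NETLINK is the one most likely to be missed: some runtimes and libraries open a NETLINK_ROUTE socket to enumerate interfaces or addresses (glibc's getaddrinfo() does so for AI_ADDRCONFIG, though it degrades gracefully when the socket cannot be created; other stacks may not). Since the commit does not say which apps this was tested against, either document the symptom in the comment block — `# RestrictAddressFamilies: if the app logs "Address family not supported by protocol", add AF_NETLINK` — or include AF_NETLINK from the start, which for an unprivileged user without CAP_NET_ADMIN generally exposes only read-side route/address dumps.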
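Review bot: The new `SystemCallFilter=` line is not paired with `SystemCallArchitectures=native`; the filter is keyed by syscall name and the non-native ABIs a kernel exposes (i386/x32 on amd64) are easy to forget, so add `SystemCallArchitectures=native` next to it to remove them outright. With the default action a blocked call kills the process with SIGSYS and the only trace is a `status=31/SYS` exit in the journal, which is what makes a "not sure why it breaks" situation hard to diagnose for a template applied to many unknown apps; `SystemCallErrorNumber=EPERM` (or reading the kernel audit line `type=1326 ... syscall=N`) makes the offending call identifiable. Stylistically the line also replaces the blank line that separated the sandboxing options from the `# Denying access to capabilities` comment, so the syscall filter now reads as part of the capabilities block; keep the blank line or give the filter its own one-line comment.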
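Review bot: Dropping `@privileged` from the deny list removes more than the commit intends, because that group is a superset: besides the groups still listed it covered `@chown`, `@raw-io` and individual calls such as chroot, pivot_root, setgroups, capset, bpf, quotactl and open_by_handle_at, all of which are now permitted again. Re-add at least `@raw-io` (and `@cpu-emulation`, which was never listed) — `SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @setuid @swap` — and leave out only the specific call the affected services actually needed. The commit message does not say which call that was; a plausible candidate for a non-root webapp is chown()/fchown() on its own files or socket (the `@chown` group), which the journal's `status=31/SYS` exit together with the kernel audit line `syscall=N` would confirm before the whole group is dropped. The hunk's last context line (the first `CapabilityBoundingSet=` entry) is not shown here, but the change itself is confined to the single `SystemCallFilter=` line.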