From 61e48c7f86611a9f5290ddb48d7a4e10a9792b23 Mon Sep 17 00:00:00 2001 From: Amrita Date: Tue, 20 May 2025 17:04:55 +0530 Subject: [PATCH] adds securing related topics to article --- articles/systemd-setting-up-service.asm.xml | 12 +- concepts/systemd-securing.xml | 43 +++-- tasks/systemd-example-secure-service.xml | 164 ++++++++++++++++++++ 3 files changed, 200 insertions(+), 19 deletions(-) create mode 100644 tasks/systemd-example-secure-service.xml diff --git a/articles/systemd-setting-up-service.asm.xml b/articles/systemd-setting-up-service.asm.xml index b902ff363..77a73464e 100644 --- a/articles/systemd-setting-up-service.asm.xml +++ b/articles/systemd-setting-up-service.asm.xml @@ -31,6 +31,9 @@ Unit dependencies and order + + Securing &systemd; services + @@ -39,6 +42,9 @@ Creating a Linux service with systemd + + + An example of securing a &systemd; service @@ -134,7 +140,7 @@ &systemd; is used to manage system settings and services. - &systemd; organizes tasks into components called units and groups multiple units into + &systemd; organizes tasks into components called units and groups multiple units into targets. @@ -186,6 +192,8 @@ + + @@ -193,4 +201,4 @@ - + \ No newline at end of file diff --git a/concepts/systemd-securing.xml b/concepts/systemd-securing.xml index 31ec4a133..1c1a0f021 100644 --- a/concepts/systemd-securing.xml +++ b/concepts/systemd-securing.xml @@ -14,7 +14,8 @@ xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:trans="http://docbook.org/ns/transclusion"> - Secure &systemd; services + Securing &systemd; services + Linux increases its security by separating privileges between individual components of the @@ -30,23 +31,31 @@ them from certain privileges that normal users are allowed to use. - - -
- How does securing services with &systemd; work? - - There are several methods to secure processes and applications that you can use - simultaneously. For example, confining with &selnx; or &aa; is - recommended. &systemd; can apply additional restrictions to local services by using - technologies included in the kernel. These restrictions are activated by adding specific - options to the &systemd; service definition and restarting the service. - -
-
- Benefits of securing services + +
+ Why is securing &systemd; services important? Securing &systemd; services increases the security of the whole operating system and protects - sensitive data contained on its file system. + sensitive data contained on its file system. With &systemd;, you can configure your system in many ways. + &systemd; runs as the first process on boot (PID1) which means that it has a lot of power on your Linux environment. + &systemd; can apply additional restrictions to local services by using technologies included in the kernel. + These restrictions are activated by adding specific options to the systemd service definition and restarting the service. + &systemd; has a command-line tool systemd-analyze security. This command analyses the services and checks + if the services are using its security options.
- +
+ What is the <command>systemd-analyze security</command> command? + + The command analyzes the security and sandboxing settings of the specified service units. + A detailed analysis of the security settings is executed and displayed. + If a service unit is not specified, all currently loaded, long-running service units are inspected and the results are displayed in a terse table. + +Upon checking the security settings, the command assigns a numeric value , also known as exposure level. + This value is dependent on how important a setting is. It then calculates an overall exposure level for the whole unit. This value ranges + from 0.0-10.0, which is an indicator of how exposed a service is security wise. + High exposure levels indicate that the service might benefit from additional security settings. + While low exposure levels indicate tight security restrictions. + +
+ \ No newline at end of file diff --git a/tasks/systemd-example-secure-service.xml b/tasks/systemd-example-secure-service.xml new file mode 100644 index 000000000..45e6b29d6 --- /dev/null +++ b/tasks/systemd-example-secure-service.xml 
@@ -0,0 +1,164 @@ + + + %entities; +]> + + + How to analyze the security of a &systemd; service? + + + + Use the systemd-analyze security command to analyze the security settings of a &systemd; service. + The security option analyzes the security and the sandboxing settings of one or more specified services. + + + + + + + Create a &systemd; service in the /etc/systemd/system. + + Reload the service files to include the new service: + &prompt.sudo; systemctl daemon-reload + + Start,enable, and check the status of the service: +&prompt.sudo; systemctl start SERVICE_NAME +&prompt.sudo;systemctl enable SERVICE_NAME +&prompt.sudo; systemctl status SERVICE_NAME + + + Analyze the security settings of the service: + &prompt.sudo; systemd-analyze security SERVICE_NAME + For example: +&prompt.sudo; systemd-analyze security test.service +NAME DESCRIPTION EXPOSURE +✗ PrivateNetwork= Service has access to the host's network 0.5 +✗ User=/DynamicUser= Service runs as root user 0.4 +✗ DeviceAllow= Service has no device ACL +... +→ Overall exposure level for test.service: 9.6 UNSAFE 😨 + + + + + How to improve the overall exposure + If you get 9.6 UNSAFE, you can use [Section] part of the service definition file to add any of the below options. For example: + +[Service] +NoNewPrivileges=yes +PrivateTmp=yes +PrivateNetwork=yes +InaccessibleDirectories=/home +..... + + + + NoNewPrivileges=yes + + + New privileges are not required. + + + + + PrivateTmp=yes + + + Private directory for temporary files. This option provides the service with a private /tmp isolated from + the host system's /tmp. The shared host /tmp + directory is a major source of security problems, such as symlink attacks and DoS + /tmp temporary files. + + + + + PrivateNetwork=yes + + + This option isolates the service and its processes from networking. This prevents + external network requests from reaching the protected service. Be aware that certain + services require the network to be operational. 
+ + + + + InaccessibleDirectories=/home + + + This option makes the specified directories inaccessible to the service. This option + narrows the range of directories that can be read or modified by the service, for + example, to secure users' private files. + + + + + ReadOnlyDirectories=/var + + + This option makes the specified directories inaccessible for writing to the service. The + example configuration makes the whole tree below /var read-only. + This option prevents the service from damaging the system files. + + + + + CapabilityBoundingSet=CAP_CHOWN CAP_KILL + + + This option restricts the kernel capabilities that a service can retain. In the example + above, only the CAP_CHOWN and CAP_KILL capabilities + are retained by the service, and the service and any processes it creates cannot obtain + any other capabilities, not even via setuid binaries. + + + The <command>pscap</command> command tool + + To easily identify which processes on your system retain which capabilities, use the + pscap command tool from the libcap-ng-utils package. + + + + + The ~ prefix inverts the meaning of the option—. Instead of + listing all capabilities that the service retains, you can list the ones it does not + retain: + +... +[Service] +CapabilityBoundingSet=~CAP_SYS_PTRACE +... + + + + + + LimitNPROC=1, LimitFSIZE=0 + + + You can use resource limits to apply security limits on services. + Two of them can disable specific operating system features: + disables precess forking, while + disables creating non-empty files on the file system. + + + + + DeviceAllow=/dev/null rw + + + This option limits access to /dev/null, disallowing access to any + other device nodes. + + + + +These are some options you can use. + \ No newline at end of file
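Review bot: the @@ -134,7 +140,7 @@ hunk in articles/systemd-setting-up-service.asm.xml changes nothing but whitespace in the "&systemd; organizes tasks into components called units and groups multiple units into targets." paragraph, since the removed and added lines carry identical text; leave that hunk out so the patch stays about the two new securing topics it adds to the article.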
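Review bot: the @@ -193,4 +201,4 @@ hunk in articles/systemd-setting-up-service.asm.xml only removes the file's trailing newline ("\ No newline at end of file" on the new side); restore the final newline and drop the hunk, otherwise every later change to this file will show a spurious edit on its last line.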
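Review bot: in the @@ -30,23 +31,31 @@ hunk of concepts/systemd-securing.xml, deleting the "How does securing services with &systemd; work?" section also drops the only statement that confining services with &selnx; or &aa; is recommended and that the &systemd; options are additional restrictions on top of that; keep that sentence in the rewritten "Why is securing &systemd; services important?" section, because the new text still says "&systemd; can apply additional restrictions" without saying additional to what. Wording fixes in the same hunk: "(PID1)" should read "(PID 1)"; "the systemd service definition" should use the &systemd; entity like the rest of the file; "analyses the services" and "The command analyzes" should agree on one spelling; "a numeric value , also known as exposure level" has a stray space before the comma and reads better as "a numeric value, the exposure level, to each setting"; "ranges from 0.0-10.0" should be "ranges from 0.0 to 10.0"; "how exposed a service is security wise" can lose "security wise"; and "High exposure levels indicate ... While low exposure levels indicate tight security restrictions." is a sentence fragment, so join the two sentences with a comma. The file also loses its trailing newline in this hunk; restore it.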
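Review bot: in the new tasks/systemd-example-secure-service.xml, "you can use [Section] part of the service definition file to add any of the below options" names a section that does not exist in a unit file; the example directly below puts the options under [Service], so write "add any of the following options to the [Service] section of the unit file". Two logic gaps in the same hunk: the sample output lists "User=/DynamicUser= Service runs as root user" as a finding, yet none of the suggested options addresses it, so add User= or DynamicUser= to the list; this also matters for "LimitNPROC=1", which is a per-UID limit that the kernel does not enforce for root, so on the example service it would have no effect until the service runs as an unprivileged user. The procedure also never re-runs "systemd-analyze security SERVICE_NAME" after editing the unit (with a daemon-reload and restart), which is the step that shows the exposure level dropping, so add it as the last step. Smaller fixes: "Create a &systemd; service in the /etc/systemd/system." is missing "directory"; "Start,enable, and check" needs a space after the comma and "&prompt.sudo;systemctl enable" a space after the entity; the NoNewPrivileges=yes description "New privileges are not required." is misleading, the option ensures the service and its child processes cannot gain privileges through execve(), for example via setuid or file-capability binaries; "such as symlink attacks and DoS /tmp temporary files" is garbled; "inverts the meaning of the option—." has a stray dash; "disables precess forking" should read "process", and the two option names the sentence refers to (LimitNPROC= and LimitFSIZE=) are missing from it; InaccessibleDirectories= and ReadOnlyDirectories= are the legacy spellings, current systemd documents them as InaccessiblePaths= and ReadOnlyPaths= (the old names are still accepted), so use the current names for a new article; and "These are some options you can use." adds nothing, so either drop it or point readers to systemd.exec(5) for the full list. The file should end with a newline.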