Locking Down Your systemd Services - LinuxCon Europe, Berlin

Post on 07-Jan-2017

Locking Down Your systemd Services

LinuxCon Europe, Berlin

October 2016

systemd

Service Management

Security

Unit Files

Service Files

[Unit]
Description=Router Advertisement Daemon for IPv6

[Service]
ExecStart=/usr/sbin/radvd
Type=forking
PIDFile=/var/run/radvd/radvd.pid

[Install]
WantedBy=multi-user.target

[Unit]
Description=Router Advertisement Daemon for IPv6

[Service]
ExecStart=/usr/sbin/radvd
Type=forking
PIDFile=/var/run/radvd/radvd.pid
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes

[Install]
WantedBy=multi-user.target
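
Added example (not from the talk or the systemd project): a small Python check that parses a unit file's [Service] section and reports which of the on/off sandboxing directives named on these slides are enabled, run on the two radvd unit files above. The name audit and the HARDENING list are this example's own; list-valued options such as CapabilityBoundingSet= and SystemCallFilter= need their values reviewed and are left out, and drop-in files and backslash continuations are not handled.

```python
# Added example: report which on/off sandboxing directives from the slides
# are enabled in a unit's [Service] section. Names here are the example's own.
HARDENING = [
    "PrivateTmp", "PrivateDevices", "PrivateNetwork", "PrivateUsers",
    "ProtectSystem", "ProtectHome", "ProtectKernelTunables",
    "ProtectControlGroups", "NoNewPrivileges", "MemoryDenyWriteExecute",
    "RestrictRealtime",
]
OFF = {"", "0", "no", "n", "false", "f", "off"}  # empty counts as not enabled

def audit(unit_text):
    """Return (enabled, missing): enabled maps directive -> value."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()  # later assignment wins
    enabled = {k: settings[k] for k in HARDENING
               if settings.get(k, "").lower() not in OFF}
    missing = [k for k in HARDENING if k not in enabled]
    return enabled, missing

# The two radvd unit files shown on the slides.
BEFORE = """\
[Unit]
Description=Router Advertisement Daemon for IPv6

[Service]
ExecStart=/usr/sbin/radvd
Type=forking
PIDFile=/var/run/radvd/radvd.pid

[Install]
WantedBy=multi-user.target
"""
AFTER = BEFORE.replace(
    "radvd.pid\n",
    "radvd.pid\nPrivateTmp=yes\nProtectSystem=full\nProtectHome=yes\n")

if __name__ == "__main__":
    for name, unit in (("before", BEFORE), ("after", AFTER)):
        enabled, missing = audit(unit)
        print(name, "enabled:", enabled)
        print(name, "missing:", ", ".join(missing))
```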

User=

DynamicUser=

CapabilityBoundingSet=

SecureBits=

PrivateTmp=

PrivateDevices=

PrivateNetwork=

ProtectSystem=no|yes|full|strict

ReadWritePaths=

ReadOnlyPaths=

InaccessiblePaths=

PrivateUsers=

RootDirectory=

ProtectKernelTunables=

ProtectControlGroups=

MountFlags=slave

NoNewPrivileges=

SystemCallFilter=

Example: SystemCallFilter=~@clock @ipc

SystemCallArchitecture=

RestrictAddressFamilies=

MemoryDenyWriteExecute=

RestrictRealtime=

DeviceAllow=

SELinuxContext=

AppArmorProfile=

SmackProcessLabel=

Future:

ProtectKernelLogs=

ProtectClock=

ProtectKernelModules=

ProtectTracing=

ProtectMount=

RestrictNamespaces=

That’s all, folks!
