Bug#950759: hardened systemd configuration
Hi,

* Antoine Beaupre [Wed Feb 05, 2020 at 03:44:05PM -0500]:
[...]
> We recently introduced a new feature where the systemd unit file is
> hardened. I think it would be a great addition to the Debian package
> as well, considering that it seems to work for us. Here's the magic
> incantation that was added:
>
> NoNewPrivileges=true
> ProtectHome=true
> ProtectSystem=full
> ProtectHostname=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> ProtectKernelTunables=true
> LockPersonality=true
> RestrictRealtime=yes
> RestrictNamespaces=yes
> MemoryDenyWriteExecute=yes
> PrivateDevices=yes
> CapabilityBoundingSet=
>
> This was brought in from Arch Linux, where those settings are
> apparently in place as well:
>
> https://github.com/voxpupuli/puppet-prometheus/pull/415

FTR, the ProtectHome=true setting requires systemd v242 or newer, so
this might be something to keep in mind for backports towards buster.
The rest is perfectly fine for the systemd version we have in buster
(and of course newer).

The service might be restricted even further, with:

SystemCallArchitectures=native
AmbientCapabilities=
PrivateTmp=true
PrivateUsers=true
RemoveIPC=true
UMask=0077
LimitMEMLOCK=0

And possibly even:

DevicePolicy=strict
DeviceAllow=/dev/null rw

* Martina Ferrari [Sat Feb 08, 2020 at 03:38:48PM +]:
> Thanks for the report! This seems indeed useful and a good addition.
> Sadly, I don't have the knowledge to evaluate whether these settings can
> have unintended side-effects. Have you (or anybody reading this)
> evaluated that? If so, I would be happy to apply the "patch". Maybe
> adding a one-line explanation to each line would be a good addition too.

I'm fairly experienced with systemd hardening and fully support
Antoine's request. I'm currently hardening prometheus at a customer of
mine; I'd like to get some more testing done, then I could provide a
working patch/MR (including one-line descriptions for the settings)
for usage with prometheus in Debian.

regards
-mika-
Bug#950759: hardened systemd configuration
On 2020-02-08 15:38:48, Martina Ferrari wrote:
> Hi!
>
> On 05/02/2020 20:44, Antoine Beaupre wrote:
>> We recently introduced a new feature where the systemd unit file is
>> hardened. I think it would be a great addition to the Debian package
>> as well, considering that it seems to work for us. Here's the magic
>> incantation that was added:
>
> Thanks for the report! This seems indeed useful and a good addition.
> Sadly, I don't have the knowledge to evaluate whether these settings can
> have unintended side-effects. Have you (or anybody reading this)
> evaluated that? If so, I would be happy to apply the "patch". Maybe
> adding a one-line explanation to each line would be a good addition too.

The fact that this is running on multiple prometheus deployments feels
sufficient for me to assume this will work. There are multiple users of
this module and I assume that has been thoroughly tested...

a.

-- 
If you have come here to help me, you are wasting our time. But if you
have come because your liberation is bound up with mine, then let us
work together.
                        - Aboriginal activists group, Queensland, 1970s
Bug#950759: hardened systemd configuration
Hi!

On 05/02/2020 20:44, Antoine Beaupre wrote:
> We recently introduced a new feature where the systemd unit file is
> hardened. I think it would be a great addition to the Debian package
> as well, considering that it seems to work for us. Here's the magic
> incantation that was added:

Thanks for the report! This seems indeed useful and a good addition.
Sadly, I don't have the knowledge to evaluate whether these settings can
have unintended side-effects. Have you (or anybody reading this)
evaluated that? If so, I would be happy to apply the "patch". Maybe
adding a one-line explanation to each line would be a good addition too.

-- 
Bug#950759: hardened systemd configuration
Package: prometheus
Severity: wishlist

I'm working with the Puppet community to maintain a Prometheus Puppet
module that's available here:

https://github.com/voxpupuli/puppet-prometheus/

We recently introduced a new feature where the systemd unit file is
hardened. I think it would be a great addition to the Debian package
as well, considering that it seems to work for us. Here's the magic
incantation that was added:

NoNewPrivileges=true
ProtectHome=true
ProtectSystem=full
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
LockPersonality=true
RestrictRealtime=yes
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
PrivateDevices=yes
CapabilityBoundingSet=

This was brought in from Arch Linux, where those settings are
apparently in place as well:

https://github.com/voxpupuli/puppet-prometheus/pull/415

-- System Information:
Debian Release: 10.2
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages prometheus depends on:
ii  adduser                                 3.118
ii  daemon                                  0.6.4-1+b2
ii  debconf [debconf-2.0]                   1.5.71
ii  fonts-glyphicons-halflings              1.009~3.4.1+dfsg-1
ii  init-system-helpers                     1.56+nmu1
ii  libc6                                   2.28-10
ii  libjs-bootstrap                         3.4.1+dfsg-1
pn  libjs-bootstrap4
pn  libjs-eonasdan-bootstrap-datetimepicker
ii  libjs-jquery                            3.3.1~dfsg-3
ii  libjs-jquery-hotkeys                    0~20130707+git2d51e3a9+dfsg-2
ii  libjs-moment                            2.24.0+ds-1
pn  libjs-moment-timezone
pn  libjs-mustache
pn  libjs-popper.js
pn  libjs-rickshaw
ii  systemd-sysv                            241-7~deb10u2

Versions of packages prometheus recommends:
ii  prometheus-node-exporter  0.17.0+ds-3+b11

prometheus suggests no packages.
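The thirteen directives from Antoine's original report and the seven further restrictions mika proposed in the follow-up, turned into a small checker and drop-in generator. This is an added example, not code from the Debian prometheus package, from puppet-prometheus or from any poster in the thread; the one-line explanations are the editor's summaries of the systemd.exec(5) semantics (the thread itself asked for such explanations but does not give them), the sample unit is constructed, and parse_unit, find_gaps and render_dropin are hypothetical names. It goes a little beyond the thread's list: the parser follows systemd's rule that an empty assignment to a list-valued setting such as CapabilityBoundingSet= resets it and later assignments append, and ProtectSystem=strict is accepted as satisfying the recommended full.

```python
"""Check a systemd unit against the hardening directives from this bug thread and render
them as a drop-in.  Added example, not code from Debian, puppet-prometheus or any poster."""

# Directive -> (value from the thread, one-line explanation of what it restricts).
HARDENING = {
    "NoNewPrivileges": ("true", "no privilege gain via setuid/setgid/file capabilities"),
    "ProtectHome": ("true", "/home, /root and /run/user appear empty and inaccessible"),
    "ProtectSystem": ("full", "/usr, /boot and /etc mounted read-only for the service"),
    "ProtectHostname": ("true", "private UTS namespace; hostname cannot be changed"),
    "ProtectControlGroups": ("true", "/sys/fs/cgroup mounted read-only"),
    "ProtectKernelModules": ("true", "kernel modules cannot be loaded or unloaded"),
    "ProtectKernelTunables": ("true", "/proc/sys, /sys and similar mounted read-only"),
    "LockPersonality": ("true", "personality() execution domain locked"),
    "RestrictRealtime": ("yes", "realtime scheduling policies refused"),
    "RestrictNamespaces": ("yes", "creating new namespaces refused"),
    "MemoryDenyWriteExecute": ("yes", "writable+executable memory mappings refused"),
    "PrivateDevices": ("yes", "private /dev with pseudo-devices only"),
    "CapabilityBoundingSet": ("", "empty set: every capability dropped"),
    # Further restrictions mika suggested in the follow-up.
    "SystemCallArchitectures": ("native", "only native-ABI system calls allowed"),
    "AmbientCapabilities": ("", "no ambient capabilities granted"),
    "PrivateTmp": ("true", "private /tmp and /var/tmp"),
    "PrivateUsers": ("true", "private user namespace; only root, nobody and the unit's user mapped"),
    "RemoveIPC": ("true", "SysV/POSIX IPC objects removed when the service stops"),
    "UMask": ("0077", "files the service creates are not readable by others"),
    "LimitMEMLOCK": ("0", "service cannot lock memory"),
}
# List-valued settings: an empty assignment resets them, later assignments append.
LIST_KEYS = {"CapabilityBoundingSet", "AmbientCapabilities", "SystemCallArchitectures"}
BOOLS = {"1": "true", "yes": "true", "true": "true", "on": "true",
         "0": "false", "no": "false", "false": "false", "off": "false"}
PROTECT_SYSTEM_RANK = {"false": 0, "true": 1, "full": 2, "strict": 3}


def parse_unit(text):
    """{section: {key: value}}; handles '#'/';' comments, backslash continuation, list resets."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):                     # continued on the next line
            pending = line[:-1] + " "
            continue
        pending, line = "", line.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = sections.setdefault(line[1:-1], {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key not in LIST_KEYS:
            section[key] = value                    # scalar: last assignment wins
        elif value == "":
            section[key] = []                       # empty assignment resets the list
        else:
            section.setdefault(key, []).append(value)
    return sections


def _norm(v):
    return BOOLS.get(v.strip().lower(), v.strip())


def _satisfies(key, actual, wanted):
    """True when the effective value is at least as restrictive as the recommended one."""
    if key == "ProtectSystem":                      # strict > full > true > false
        return PROTECT_SYSTEM_RANK.get(_norm(actual), -1) >= PROTECT_SYSTEM_RANK[wanted]
    return _norm(actual) == _norm(wanted)


def find_gaps(unit_text, expected=HARDENING):
    """Directives missing from [Service] (value None) or weaker than recommended (value)."""
    service = parse_unit(unit_text).get("Service", {})
    gaps = {}
    for key, (wanted, _why) in expected.items():
        actual = service.get(key)
        if isinstance(actual, list):
            actual = " ".join(actual)
        if actual is None or not _satisfies(key, actual, wanted):
            gaps[key] = actual
    return gaps


def render_dropin(expected=HARDENING):
    """Drop-in text with a one-line explanation above each directive."""
    lines = ["[Service]"]
    for key, (value, why) in expected.items():
        lines += [f"# {why}", f"{key}={value}"]
    return "\n".join(lines) + "\n"


# Constructed sample unit (not the Debian prometheus.service).
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/bin/prometheus \\
    --config.file=/etc/prometheus/prometheus.yml
NoNewPrivileges=yes
ProtectSystem=strict
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute=no
"""
```

On the constructed sample, find_gaps reports every directive that is absent, plus CapabilityBoundingSet (the second assignment re-adds CAP_NET_BIND_SERVICE after the reset) and MemoryDenyWriteExecute=no; NoNewPrivileges=yes and ProtectSystem=strict pass. The text from render_dropin can be installed as a drop-in (for example /etc/systemd/system/prometheus.service.d/hardening.conf, unit and file name assumed here) rather than patching the packaged unit, after which `systemd-analyze security <unit>` gives systemd's own view of the exposure, and the service log after a restart shows whether any of the restrictions breaks a feature that needs the resource they take away.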