Locking Down Your systemd Services - LinuxCon Europe, Berlin
October 2016
systemd
Service Management
Security
Unit Files
Service Files
[Unit]
Description=Router Advertisement Daemon for IPv6

[Service]
ExecStart=/usr/sbin/radvd
Type=forking
PIDFile=/var/run/radvd/radvd.pid

[Install]
WantedBy=multi-user.target

[Unit]
Description=Router Advertisement Daemon for IPv6

[Service]
ExecStart=/usr/sbin/radvd
Type=forking
PIDFile=/var/run/radvd/radvd.pid
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes

[Install]
WantedBy=multi-user.target
User=
DynamicUser=
CapabilityBoundingSet=
SecureBits=
PrivateTmp=
PrivateDevices=
PrivateNetwork=
ProtectSystem=no|yes|full|strict
ReadWritePaths=
ReadOnlyPaths=
InaccessiblePaths=
PrivateUsers=
RootDirectory=
ProtectKernelTunables=
ProtectControlGroups=
MountFlags=slave
NoNewPrivileges=
SystemCallFilter=
Example: SystemCallFilter=~@clock @ipc
SystemCallArchitecture=
RestrictAddressFamilies=
MemoryDenyWriteExecute=
RestrictRealtime=
DeviceAllow=
SELinuxContext=
AppArmorProfile=
SmackProcessLabel=
Future:
ProtectKernelLogs=
ProtectClock=
ProtectKernelModules=
ProtectTracing=
ProtectMount=
RestrictNamespaces=
That’s all, folks!