No edit summary |
No edit summary |
||
Line 7: | Line 7: | ||
== Summary == | == Summary == | ||
Improve security | Improve security by enabling some of the high level systemd security hardening settings that isolate and sandbox default and high profile services. | ||
== Owner == | == Owner == | ||
Line 16: | Line 16: | ||
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | <!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | ||
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | * FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | ||
Line 42: | Line 41: | ||
== Detailed Description == | == Detailed Description == | ||
systemd provides a number of settings that can harden security for services. We are selecting a few high level toggles to enable by default. These need to be configured on a per service basis. | |||
* PrivateTmp=yes | * PrivateTmp=yes | ||
* ProtectSystem=yes/full/strict | * ProtectSystem=yes/full/strict |
Revision as of 02:08, 15 November 2023
Enable systemd service hardening for default and high profile services
Summary
Improve security by enabling some of the high level systemd security hardening settings that isolate and sandbox default and high profile services.
Owner
- Name: Rahul Sundaram
- Email: metherid@gmail.com
-->
- Targeted release: Fedora 40
- Last updated: 2023-11-15
- [<will be assigned by the Wrangler> devel thread]
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
systemd provides a number of settings that can harden security for services. We are selecting a few high level toggles to enable by default. These need to be configured on a per service basis.
- PrivateTmp=yes
- ProtectSystem=yes/full/strict
- ProtectHome=yes
- PrivateDevices=yes
- ProtectKernelTunables=yes
- ProtectKernelModules=yes
- ProtectControlGroups=yes
- NoNewPrivileges=yes
We will enable as many of these as feasible for the services but not every toggle is going to be applicable to every service. For example, ProtectHome=yes wouldn't work for any of the systemd user services but ProtectHome=read-only might and PrivateNetwork can only be used for services that work locally.
Feedback
Benefit to Fedora
Fedora services will get a significant security boost by default by avoiding or mitigatating security vulnerabilities in these services.
Scope
- Proposal owners:
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Community Initiatives:
Upgrade/compatibility impact
How To Test
User Experience
This should be a fully transparent change for users.
Dependencies
None. We are merely enabling some long supported systemd features by default for default and high profile services.
Contingency Plan
- Contingency mechanism: These settings can be enabled/disabled at a per service level. No wholesale reverts is necessary. If we don't finish the work for all the services, we can follow through in future releases.
- Contingency deadline: N/A
- Blocks release? No
Documentation
- https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html
- https://www.redhat.com/sysadmin/systemd-secure-services
- https://www.redhat.com/sysadmin/mastering-systemd
N/A (not a System Wide Change)
Release Notes
systemd security hardening features are enabled for default services and following high profile services.
- Postgres
- Apache Httpd
- Nginx
- MariaDB
....