Re: unsafe systemd setup in Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Feb 24, 2022 at 04:29:27PM +0100, Marius Schwarz wrote:
> Hi Guys,
> 
> running a hardening tool I stumpled about systemd own security analysis,

systemd-analyze security shows whether units use systemd hardening
features. Those units may well use other features, and may well be
very secure. In general it is a good idea to use at least some of the
systemd features, but not always. Sometimes the unit may need to implement
its own harderning in a very special way, or it may legitimately need
almost full privileges. (For example sshd is like this: it implements
privilege separation and does other things for security, but it needs
full privileges to be able to run things as arbitrary users.)

High exposure scores mean only so much.

It would probably be good to use more of those features, but you need
to understand the service very well to know what systemd security
features can be enabled for it.

> Do those "insecure" units come from upstream projects, or is Fedora lagging
> behind some patches?

Fedora usually uses service files straight from upstream, if upstream
provides them.

> Is there a way to find out, if missing restrictions options are a problem
> for the service and if not, any way to tell that analyse tool about it?

Systemd 250 (coming in F36), has --security-policy switch which can be
used to enable/disable some of the checks. There is no way to tell
systemd-analyze that things about a specific unit though.

Zbyszek
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux