On Thu, Mar 03, 2022 at 03:51:19PM +0100, Lennart Poettering wrote:
> Adding security into a system that didn't have it but is widely
> deployed and developed for is *hard*. It makes opt-out security really
> hard to do, which is why we went for opt-in. Tools like
> "systemd-analyze security" exist primarily as a vehicle to pressure
> people to actually do the opt-in then, i.e. to "shame" them into
> looking into these knobs.

That's very nice too. Looking at what systemd-analyze security reports
for libvirt-related services, it nicely highlights to me a significant
number of useful systemd constraints that we can likely enable. Several
of these systemd settings I didn't even realize existed, and docs about
them are spread across many man pages. So it is good to have this tool
inform us about the existence of all the security-relevant settings in
one place and make suggestions.

This reported info really is best looked at by the upstream maintainers,
rather than distro maintainers. Many of the requirements from services
are non-obvious, especially when consuming or interacting with many
external dependencies. It is especially challenging when you consider
that there can be PAM or TLS library plugins that are configured
systemwide and dynamically loaded into your app without your knowledge.
So even as an upstream maintainer intimately familiar with the code, it
will be easy to mess up and accidentally break something. A distro
maintainer with less in-depth knowledge of the code is at even greater
risk of messing it up by accident.

What would be useful for distro maintainers to do though is to highlight
to the upstream maintainers that this 'systemd-analyze security' feature
exists, as I suspect most people don't know about it. Distro maintainers
can also usefully identify high-priority services that would bring most
benefit to the distro by adding lockdown, and work with upstreams to
coordinate it.
Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
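The message above describes an opt-in workflow: look at what `systemd-analyze security` reports for a service, pick the sandboxing knobs it can tolerate, and have the upstream maintainer validate them against dynamically loaded dependencies such as PAM modules and TLS plugins. The script below is an added illustration of that workflow, not code from the thread, libvirt or systemd. It checks a unit file for a hand-picked subset of the real `systemd.exec(5)` directives, writes a drop-in that opts the service into a conservative sandbox, and, if `systemd-analyze` is installed, scores the file offline. The directive subset is this example's own choice, the `--offline=true` option is assumed to be the one added in systemd 250, and the sample unit is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the email thread): a small checker for the
# opt-in systemd sandboxing directives that "systemd-analyze security"
# scores. Assumptions: the directive list is a hand-picked subset chosen
# for this example; systemd-analyze's --offline= option (systemd >= 250)
# is only invoked if the binary is present.

# Hand-picked subset of sandboxing directives (all real systemd.exec(5)
# settings) that the checker looks for in a unit's [Service] section.
HARDENING_DIRECTIVES="NoNewPrivileges ProtectSystem ProtectHome PrivateTmp
ProtectKernelTunables ProtectKernelModules ProtectControlGroups
RestrictRealtime RestrictSUIDSGID LockPersonality SystemCallArchitectures
CapabilityBoundingSet"

# Print each directive from the list that the given unit file does not set.
hardening_gaps() {
    unit_file=$1
    for d in $HARDENING_DIRECTIVES; do
        grep -Eq "^[[:space:]]*$d=" "$unit_file" || echo "$d"
    done
}

# Number of missing directives, for scripting and tests.
hardening_gap_count() {
    hardening_gaps "$1" | wc -l | tr -d ' '
}

# Write a drop-in that opts a service into a conservative sandbox. These
# values are a starting point, not a verified profile: anything the
# service loads dynamically (PAM modules, TLS library plugins) has to be
# exercised under the new constraints before the drop-in ships.
write_hardening_dropin() {
    dropin_dir=$1
    mkdir -p "$dropin_dir"
    cat > "$dropin_dir/hardening.conf" <<'EOF'
[Service]
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallArchitectures=native
CapabilityBoundingSet=
EOF
    echo "$dropin_dir/hardening.conf"
}

# Run the real scorer on a unit file when systemd-analyze is installed.
# --offline=true scores the file without loading it into a running
# systemd (assumption: systemd >= 250).
offline_security_score() {
    if command -v systemd-analyze >/dev/null 2>&1; then
        systemd-analyze security --offline=true "$1"
    else
        echo "systemd-analyze not available; skipping offline score" >&2
    fi
}

# Constructed sample: a typical service unit with almost no sandboxing.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_UNIT="$SAMPLE_DIR/example.service"
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=Constructed example daemon

[Service]
ExecStart=/usr/bin/true
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF

echo "Missing sandboxing directives in $SAMPLE_UNIT:"
hardening_gaps "$SAMPLE_UNIT"
offline_security_score "$SAMPLE_UNIT"
```

The drop-in is deliberately separate from the unit so a distro can propose it (for example under `/etc/systemd/system/<unit>.d/`) while the upstream maintainer decides which lines survive testing; `ProtectSystem=strict` and an empty `CapabilityBoundingSet=` are the two most likely to need relaxing once a service's real runtime paths and privileges are known.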