F40 Change Proposal: Systemd Security Hardening (System-Wide)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
Improve security by enabling some of the high level systemd security
hardening settings that isolate and sandbox default system services.

== Owner ==

* Name: [[User:Sundaram| Rahul Sundaram]]
* Email: metherid@xxxxxxxxx


== Detailed Description ==

systemd provides a number of settings that can harden security for
services. We are selecting a few high level ones to enable by default
on a service by service basis as suitable for that particular service.

* `PrivateTmp=yes`
* `ProtectSystem=yes/full/strict`
* `ProtectHome=yes/read-only`
* `ProtectClock=yes`
* `ProtectHostname=yes`
* `ProtectControlGroups=yes`
* `ProtectHostname=yes`
* `ProtectKernelLogs=yes`
* `ProtectKernelModules=yes`
* `ProtectKernelTunables=yes`
* `ProtectProc=invisible`
* `PrivateDevices=yes`
* `PrivateNetwork=yes`
* `NoNewPrivileges=yes`
* `User=`

If we want to go further, we could also consider:

* `CapabilityBoundingSet=`
* `DevicePolicy=closed`
* `KeyringMode=private`
* `LockPersonality=yes`
* `MemoryDenyWriteExecute=yes`
* `PrivateUsers=yes`
* `RemoveIPC=yes`
* `RestrictAddressFamilies=`
* `RestrictNamespaces=yes`
* `RestrictRealtime=yes`
* `RestrictSUIDSGID=yes`
* `SystemCallFilter=`
* `SystemCallArchitectures=native`


We will aim to cover all the default system services as well as some
of the high profile services such as Nginx or PostgreSQL. All of these
settings need to be configured on a per service basis instead of using
a global override to facilitate fine tuning the settings based on
service requirements and limit the impact for users on upgrades.
Certain services have a very targeted scope. For instance, a service
that only needs to read or write from only one directory could
leverage more fine grained settings to restrict access even further.
We will enable as many of these as feasible for the services but not
every knob is going to be applicable to every service. For example,
`PrivateNetwork=yes` can only be used for services that does not need
network connectivity by default.  We have to choose between
`DynamicUser=yes` or `User` if either is feasible for the service to
use. As a base starting point, from Fedora 39 workstation, we have the
following system services installed by default which should considered
within the scope of the change (excluding systemd associated ones
which already have a number of these security settings enabled). We
may also consider doing this for some of the high profile services
including say Nginx and PostgreSQL permitting time considerations and
other contributors if any joining this effort. We will prioritize
critical or long running services.

* `abrtd.service`
* `abrt-journal-core.service`
* `abrt-oops.service`
* `abrt-pstoreoops.service`
* `abrt-vmcore.service`
* `abrt-xorg.service`
* `accounts-daemon.service`
* `alsa-restore.service`
* `alsa-state.service`
* `anaconda-direct.service`
* `anaconda-fips.service`
* `anaconda-nm-config.service`
* `anaconda-nm-disable-autocons.service`
* `anaconda-noshell.service`
* `anaconda-pre.service`
* `anaconda.service`
* `anaconda-sshd.service`
* `arp-ethers.service`
* `auditd.service`
* `auth-rpcgss-module.service`
* `avahi-daemon.service`
* `blivet.service`
* `blk-availability.service`
* `bluetooth.service`
* `bolt.service`
* `brltty.service`
* `canberra-system-bootup.service`
* `canberra-system-shutdown-reboot.service`
* `canberra-system-shutdown.service`
* `chronyd-restricted.service`
* `chronyd.service`
* `chrony-wait.service`
* `colord.service`
* `console-getty.service`
* `cups-browsed.service`
* `cups.service`
* `dbus-broker.service`
* `dbus-daemon.service`
* `dbus-org.freedesktop.hostname1.service`
* `dbus-org.freedesktop.import1.service`
* `dbus-org.freedesktop.locale1.service`
* `dbus-org.freedesktop.login1.service`
* `dbus-org.freedesktop.machine1.service`
* `dbus-org.freedesktop.portable1.service`
* `dbus-org.freedesktop.timedate1.service`
* <strike>`debug-shell.service`</strike> (opens a user shell that must
be able to do arbitrary stuff)
* `dm-event.service`
* `dnf-makecache.service`
* `dnf-system-upgrade-cleanup.service`
* `dnf-system-upgrade.service`
* `dnsmasq.service`
* `dracut-cmdline.service`
* `dracut-initqueue.service`
* `dracut-mount.service`
* `dracut-pre-mount.service`
* `dracut-pre-pivot.service`
* `dracut-pre-trigger.service`
* `dracut-pre-udev.service`
* `dracut-shutdown-onfailure.service`
* `dracut-shutdown.service`
* <strike>`emergency.service`</strike> (opens a user shell that must
be able to do arbitrary stuff)
* `fedora-third-party-refresh.service`
* `firewalld.service`
* `flatpak-add-fedora-repos.service`
* `flatpak-system-helper.service`
* `fprintd.service`
* `fsidd.service`
* `fstrim.service`
* `fwupd-offline-update.service`
* `fwupd-refresh.service`
* `fwupd.service`
* `gdm.service`
* `geoclue.service`
* `grub-boot-indeterminate.service`
* `gssproxy.service`
* `htcacheclean.service`
* `httpd.service`
* `hypervfcopyd.service`
* `hypervkvpd.service`
* `hypervvssd.service`
* `iio-sensor-proxy.service`
* `import-state.service`
* `initrd-cleanup.service`
* `initrd-parse-etc.service`
* `initrd-switch-root.service`
* `initrd-udevadm-cleanup-db.service`
* `instperf.service`
* `ipp-usb.service`
* `iscsid.service`
* `iscsi-init.service`
* `iscsi-onboot.service`
* `iscsi.service`
* `iscsi-shutdown.service`
* `iscsi-starter.service`
* `iscsiuio.service`
* `kdump.service`
* `kmod-static-nodes.service`
* `ldconfig.service`
* `libvirtd.service`
* `libvirt-guests.service`
* `livesys-late.service`
* `livesys.service`
* `loadmodules.service`
* `logrotate.service`
* `low-memory-monitor.service`
* `lvm2-lvmdbusd.service`
* `lvm2-lvmpolld.service`
* `lvm2-monitor.service`
* `man-db-cache-update.service`
* `man-db-restart-cache-update.service`
* `mcelog.service`
* `mdcheck_continue.service`
* `mdcheck_start.service`
* `mdmonitor-oneshot.service`
* `mdmonitor.service`
* `ModemManager.service`
* `ndctl-monitor.service`
* `netavark-dhcp-proxy.service`
* `NetworkManager-dispatcher.service`
* `NetworkManager.service`
* `NetworkManager-wait-online.service`
* `nfs-blkmap.service`
* `nfsdcld.service`
* `nfs-idmapd.service`
* `nfs-mountd.service`
* `nfs-server.service`
* `nfs-utils.service`
* `nftables.service`
* `nis-domainname.service`
* `nm-priv-helper.service`
* `numad.service`
* `nvmefc-boot-connections.service`
* `nvmf-autoconnect.service`
* `ostree-boot-complete.service`
* `ostree-finalize-staged-hold.service`
* `ostree-finalize-staged.service`
* `ostree-prepare-root.service`
* `ostree-remount.service`
* `packagekit-offline-update.service`
* `packagekit.service`
* `pam_namespace.service`
* `pcscd.service`
* `plocate-updatedb.service`
* `plymouth-halt.service`
* `plymouth-kexec.service`
* `plymouth-poweroff.service`
* `plymouth-quit.service`
* `plymouth-quit-wait.service`
* `plymouth-read-write.service`
* `plymouth-reboot.service`
* `plymouth-start.service`
* `plymouth-switch-root-initramfs.service`
* `plymouth-switch-root.service`
* `podman-auto-update.service`
* `podman-clean-transient.service`
* `podman-restart.service`
* `podman.service`
* `polkit.service`
* `power-profiles-daemon.service`
* `psacct.service`
* `qemu-guest-agent.service`
* `qemu-pr-helper.service`
* `quotaon.service`
* `raid-check.service`
* <strike>`rc-local.service`</strike> (this can do arbitrary stuff)
* `realmd.service`
* `rescue.service`
* `rpcbind.service`
* `rpc-gssd.service`
* `rpc-statd-notify.service`
* `rpc-statd.service`
* `rpmdb-migrate.service`
* `rpmdb-rebuild.service`
* `rtkit-daemon.service`
* `saslauthd.service`
* `selinux-autorelabel-mark.service`
* `selinux-autorelabel.service`
* `selinux-check-proper-disable.service`
* `speech-dispatcherd.service`
* `spice-vdagentd.service`
* `spice-webdavd.service`
* `sshd.service`
* `ssh-host-keys-migration.service`
* `sssd-autofs.service`
* `sssd-kcm.service`
* `sssd-nss.service`
* `sssd-pac.service`
* `sssd-pam.service`
* `sssd.service`
* `sssd-ssh.service`
* `sssd-sudo.service`
* `switcheroo-control.service`
* `system-update-cleanup.service`
* `tcsd.service`
* `thermald.service`
* `udisks2.service`
* `unbound-anchor.service`
* `upower.service`
* `uresourced.service`
* `usbmuxd.service`
* `vboxclient.service`
* `vboxservice.service`
* `vgauthd.service`
* `virtinterfaced.service`
* `virtlockd.service`
* `virtlogd.service`
* `virtnetworkd.service`
* `virtnodedevd.service`
* `virtnwfilterd.service`
* `virtproxyd.service`
* `virtqemud.service`
* `virtsecretd.service`
* `virtstoraged.service`
* `vmtoolsd.service`
* `wpa_supplicant.service`
* `zfs-fuse-scrub.service`
* `zfs-fuse.service`
* `zvbid.service`

We will also coordinate with upstream following
https://docs.fedoraproject.org/en-US/packaging-guidelines/PatchUpstreamStatus/
and encourage package maintainers to upstream these changes.  Systemd
will ignore any of these settings it does not understand on older
versions. Hence this should be safe for upstream to merge on any
services.

== Feedback ==


== Benefit to Fedora ==

Fedora services will get a significant security boost by default by
avoiding or mitigating any unknown security vulnerabilities in default
system services.

== Scope ==
* Proposal owners: Individual per service pull requests to enable
various security features as applicable.
* Other developers: Review PRs as needed
* Release engineering: https://pagure.io/releng/issue/11785
* Policies and guidelines:
Packaging guidelines will have to be modified to add recommendations
to use more of the systemd security features by default. In
particular, we should add a security settings section in
https://fedoraproject.org/wiki/Packaging:Systemd.  Current the
guidance only recommends a couple of settings for long running
services.  Sample text:

Systemd services included in Fedora are recommended to use as many of
the following security settings as applicable while maintaining the
default functionality of the service.

* `PrivateTmp=yes`
* `ProtectSystem=yes/full/strict`
* `ProtectHome=yes`
* `PrivateDevices=yes`
* `ProtectKernelTunables=yes`
* `ProtectKernelModules=yes`
* `ProtectKernelLogs=yes`
* `ProtectControlGroups=yes`
* `NoNewPrivileges=yes`
* `PrivateNetwork=yes`

The full list of sandboxing features are available in
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing.
Note that if you are submitting changes to upstream as recommended,
systemd will warn and ignore any of these features it doesn't support.
So it should be safe for upstream to enable as many of these features
as applicable and not worry about distribution support for ones using
older versions of systemd.

* Trademark approval: N/A

== Upgrade/compatibility impact ==
Packages will automatically get additional security features enabled
by default transparently.  In limited circumstances, they may need to
override the defaults.  Refer to user experience section for details.

== How To Test ==

You can use tools like `systemd-analyze security` and `systemctl cat`
to verify that specific security features are enabled by default.
Default services with the default features should have no adverse
impact and users shouldn't have to do anything beyond using the
software as intended and report any regressions.  High profile
services not installed by default that gain these security features
would benefit from more targeting testing to spot any unintended
consequences especially for niche or advanced functionality.  If
advanced non-default functionality requires overrides default
settings, we can document those in the release notes to provide
guidance.

== User Experience ==
This should be largely transparent change for users. The goal is to
have the services work as expected with the default functionality but
to potentially require tweaking the settings if the configuration is
changed by users after installation.  For instance, if we add
`ProtectHome=yes` to Apache httpd.service and the user wishes to serve
files out of their home directory, they will need to override the
systemd setting to `ProtectHome=read-only` to allow for the service to
read from the user home directory in addition to changing the service
specific configuration files to enable this feature.

== Dependencies ==
None.  We are merely enabling some of systemd security features by
default for default system services and potentially some high profile
services.

== Contingency Plan ==

* Contingency mechanism:  These settings can be enabled/disabled at a
per service level.  No wholesale reverts is necessary. If we don't
finish the work for all the services, we can follow up in future
releases.
* Contingency deadline: N/A
* Blocks release? No


== Documentation ==
* https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing
* https://docs.arbitrary.ch/security/systemd.html
* https://www.redhat.com/sysadmin/systemd-secure-services
* https://www.redhat.com/sysadmin/mastering-systemd

== Release Notes ==

systemd security hardening features are enabled for default system
services and following high profile services.

* PostgreSQL
* Apache Httpd
* Nginx
* MariaDB
....

If you wish to turn off any particular settings, you can follow the
standard systemd method of overriding the config.  For example,


`$ cat /etc/systemd/system/httpd.service.d/override.conf

[Service]

ProtectHome=no`

`
$ sudo systemctl daemon-reload

$ sudo systemctl restart httpd.service`


`$ systemctl status httpd.service

● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled;
vendor preset: disabled)
    Drop-In: /etc/systemd/system/httpd.service.d
             └─override.conf
     Active: active (running) since Mon 2023-11-15 18:29:25 EST; 3min 30s ago`




-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux