Hi,

the aide (https://github.com/aide/aide) tool builds checksums of files on the system and sends an alert if things change on the system. In the Debian package, this is done from cron. I would like to move that to a systemd timer and in passing use some of systemd's security features. Here is my service:

    [Unit]
    Description=dailyaide check
    StartLimitIntervalSec=7200
    StartLimitBurst=1

    [Service]
    Type=oneshot
    User=root
    Group=root
    Environment="CREDENTIALS_DIRECTORY=/nonexistent"
    ProtectSystem=strict
    ProtectClock=yes
    ProtectKernelModules=no
    ProtectKernelLogs=yes
    ProtectControlGroups=yes
    PrivateDevices=no
    ProtectKernelTunables=yes
    ProtectControlGroups=yes
    ProtectHome=read-only
    ReadWritePaths=/run/aide /var/lib/aide /var/log/aide /var/spool/exim4 /var/log/exim4 /var/tmp /tmp
    RestrictRealtime=yes
    RestrictSUIDSGID=yes
    PrivateTmp=no
    ExecStartPre=-/bin/umount /run/credentials
    ExecStart=/usr/local/sbin/dailyaidecheck --systemdservice

You might see that I have tried some things to get rid of the mount of /run/credentials, which allows an attacker to hide something in /run/credentials without aide being able to see it, because it gets some temporary filesystem mounted over that path. Unfortunately, neither of those tricks has worked, and my /run/credentials/foo that I created before starting my service remains undetected.

What do I do to disable the credentials mechanism in my service?

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things." Winona Ryder    | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
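As an added example (not part of Marc's post or of aide itself): a small pre-check the wrapper script could run from inside the unit, reading /proc/self/mountinfo, to detect whether a tmpfs has been placed over /run/credentials and log that the path is out of aide's sight instead of the gap staying silent. The mountinfo samples below are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Detect mounts that shadow a directory, parsed from a mountinfo dump on
# stdin (inside the real service: /proc/self/mountinfo). Field 5 of each
# line is the mount point; the filesystem type follows the "-" separator
# after the optional fields (see proc(5)).
shadowing_mounts() {   # $1 = directory to check
    awk -v dir="$1" '
        $5 == dir || index($5, dir "/") == 1 {
            for (i = 7; i <= NF; i++)
                if ($i == "-") { print $5, $(i + 1); break }
        }'
}

# Print "shadowed" when anything is mounted at or below the directory,
# otherwise "visible". Always exits 0 so it is safe under set -e.
credentials_state() {
    if [ -n "$(shadowing_mounts "$1")" ]; then
        echo shadowed
    else
        echo visible
    fi
}

# Constructed sample: the mount table as a namespaced service typically
# sees it, with systemd's tmpfs sitting on top of /run/credentials.
SAMPLE_INSIDE='22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
50 22 0:25 / /run rw,nosuid,nodev shared:20 - tmpfs tmpfs rw,mode=755
97 50 0:44 / /run/credentials ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs ro,mode=700'

# Constructed sample: the host view, where nothing covers the path.
SAMPLE_HOST='22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
50 22 0:25 / /run rw,nosuid,nodev shared:20 - tmpfs tmpfs rw,mode=755'

main() {
    state=$(printf '%s\n' "$SAMPLE_INSIDE" | credentials_state /run/credentials)
    echo "inside the unit: /run/credentials is $state"
    printf '%s\n' "$SAMPLE_INSIDE" | shadowing_mounts /run/credentials
    # In the wrapper itself, use the live table instead of the sample:
    #   credentials_state /run/credentials < /proc/self/mountinfo
}
main
```

A "shadowed" result means files created on the host under that path are invisible to anything aide does in this unit, so the wrapper can log it via the journal and the operator knows the check has a blind spot.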