On 25.8.2022 22.42, Marc Haber wrote:
Hi,
the aide (https://github.com/aide/aide) tool builds checksums of files
on the system and sends an alert if things change on the system. In the
Debian package, this is done from cron. I would like to move that to a
systemd timer and in passing use some of systemd's security features.
Here is my service:
[Unit]
Description=dailyaide check
StartLimitIntervalSec=7200
StartLimitBurst=1
[Service]
Type=oneshot
User=root
Group=root
Environment="CREDENTIALS_DIRECTORY=/nonexistent"
ProtectSystem=strict
ProtectClock=yes
ProtectKernelModules=no
ProtectKernelLogs=yes
ProtectControlGroups=yes
PrivateDevices=no
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectHome=read-only
ReadWritePaths=/run/aide /var/lib/aide /var/log/aide /var/spool/exim4 /var/log/exim4 /var/tmp /tmp
RestrictRealtime=yes
RestrictSUIDSGID=yes
PrivateTmp=no
ExecStartPre-=/bin/umount /run/credentials
ExecStart=/usr/local/sbin/dailyaidecheck --systemdservice
You might see that I have tried some things to get rid of the mount of
/run/credentials which allows an attacker to hide something in
/run/credentials without aide being able to see it because it gets some
temporary filesystem mounted over that path.
Unfortunately, neither of those tricks have worked, and my
/run/credentials/foo that I created before starting my service remains
undetected.
What do I do to disable the credentials mechanism in my service?
You could use TemporaryFileSystem=/run together with a few BindPaths=
for the required directories. For example, on my setup the user doesn't
see all cruft in global /run:
$ ls /run
dbus/ firejail/ systemd/ udev/ user/
See also
https://github.com/systemd/systemd/pull/21748
for some thoughts on tentative new directive PrivateRun= or something
similar.
-Topi
Greetings
Marc
