NiXium-org / NiXium

Open-Source Infrastructure as Code Management Solution for Multiple Systems, designed to be reliable for mission-critical tasks in paranoid and high-security environments.
European Union Public License 1.2

Systemd Security Hardening (System-Wide) #62

Open TanvirOnGH opened 2 weeks ago

TanvirOnGH commented 2 weeks ago

Problem Statement

It is recommended by the security experts (e.g. madaidan, ref) to use a distribution with an init system other than systemd.

systemd contains a lot of unnecessary attack surface and inserts a considerable amount of complexity into the most privileged user space component; it attempts to do far more things than necessary and goes beyond what an init system should do. An init system should not need many lines of code to function properly. While a common argument in favour of systemd is its ability to sandbox system services, this can be replicated on other init systems through sandboxing utilities like bubblewrap.

Goal

Enhance the overall security of the system by applying various security measures to systemd service units. This involves restricting their capabilities, limiting resource access, and reducing the potential attack surface through high-level systemd security hardening settings that isolate and sandbox default system services.

Finding candidates for attention

Systemd provides a tool called systemd-analyze that generates a report on the security exposure for each service:

$ systemd-analyze security

For user services, add the --user flag.

(screenshot: output of systemd-analyze security)

As you can see, most of the services are actually marked as UNSAFE; this is probably because not all applications yet apply the features made available by systemd.

Follow this repository for more insights.

Pre-configured Services

My config has some pre-configured options: systemd.nix (Based on this, see this reddit post) [Disclaimer: No promises that it will work fully on your system or with future updates, always have a stable generation.]

Hardening Systemd Services

systemd provides a number of settings that can harden security for services. Below is a selection of high-level ones to enable by default on a service-by-service basis, as suitable for that particular service.

PrivateTmp=yes
ProtectSystem=yes/full/strict
ProtectHome=yes/read-only
ProtectClock=yes
ProtectHostname=yes
ProtectControlGroups=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
PrivateDevices=yes
PrivateNetwork=yes
NoNewPrivileges=yes
User=

If we want to go further, we could also consider these:

CapabilityBoundingSet=
DevicePolicy=closed
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
PrivateUsers=yes
RemoveIPC=yes
RestrictAddressFamilies=
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=
SystemCallArchitectures=native

Misc options to reconfigure

Disable systemd-coredump, which could be exploited later and also slows down the system when something crashes. If disabled, core dumps appear in the current directory of the crashing process:

systemd.coredump.enable = false;

This option allows editing the kernel command line before boot, and it is enabled by default for backwards compatibility. It is recommended to set this to false, as it allows gaining root access by passing init=/bin/sh as a kernel parameter. Setting it to false prevents editing the kernel parameters at boot.

boot.loader.systemd-boot.editor = false;

Misc note: systemd-boot does not officially support password protecting the kernel parameters editor, but it can be achieved with this systemd-boot-password.

Resources

Pre-RFC: Systemd Hardening

Systemd hardening by Peter's IT docs

Systemd Security Hardening Fedora Wiki - An active effort to harden default systemd services, targeted release: Fedora 41.

Recommended security and hardening options for systemd service units

Tips for systemd services management and hardening in NixOS

Security focused systemd configuration

Systemd Securing Documentation by SUSE

Systemd hardening nixos wiki

Using systemd features to secure services by Redhat

Securing and sandboxing applications and services by Redhat

The full list of sandboxing features is available in systemd.exec
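A worked NixOS module that puts the settings from the comment above together on one unit. This is an added example, not code from the NiXium repository or from the issue author's systemd.nix; the service name example-worker, its user/group and its ExecStart are hypothetical placeholders chosen for illustration. It uses the tiered sets the comment lists (the high-level options as a base, the "go further" options on top), the User= setting via a dedicated system account, and the two misc options.

```nix
# Added example: not code from the NiXium repository or the issue author's
# systemd.nix. Service name, user/group and ExecStart are hypothetical.
{ pkgs, ... }:

let
  # Tier 1: the high-level settings listed in the issue. A reasonable default
  # for daemons that need no network, no home directories and no device nodes.
  hardenBase = {
    PrivateTmp = true;
    ProtectSystem = "strict";       # whole FS read-only except StateDirectory etc.
    ProtectHome = true;
    ProtectClock = true;
    ProtectHostname = true;
    ProtectControlGroups = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    ProtectProc = "invisible";
    PrivateDevices = true;
    PrivateNetwork = true;          # remove for any service that uses the network
    NoNewPrivileges = true;
  };

  # Tier 2: the "if we want to go further" settings.
  hardenStrict = {
    CapabilityBoundingSet = "";     # empty value: no capabilities at all
    DevicePolicy = "closed";
    KeyringMode = "private";
    LockPersonality = true;
    MemoryDenyWriteExecute = true;  # breaks JIT runtimes (Java, Node.js, ...)
    PrivateUsers = true;
    RemoveIPC = true;
    RestrictAddressFamilies = [ "AF_UNIX" ];  # add AF_INET/AF_INET6 for network services
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    # Allow list first, then subtract the dangerous groups from it.
    SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    SystemCallArchitectures = "native";
  };
in
{
  # Dedicated unprivileged account for the unit (the User= entry in the list).
  users.users.example-worker = {
    isSystemUser = true;
    group = "example-worker";
  };
  users.groups.example-worker = { };

  systemd.services.example-worker = {
    description = "Hypothetical hardened worker (illustration only)";
    wantedBy = [ "multi-user.target" ];
    # Later attribute sets override earlier ones, so per-service exceptions
    # (e.g. PrivateNetwork = false) go in the last set.
    serviceConfig = hardenBase // hardenStrict // {
      User = "example-worker";
      Group = "example-worker";
      # Placeholder workload; a real daemon goes here.
      ExecStart = "${pkgs.coreutils}/bin/sleep infinity";
      # The only writable location under ProtectSystem=strict:
      # /var/lib/example-worker, created and chowned by systemd.
      StateDirectory = "example-worker";
    };
  };

  # The misc options from the issue.
  systemd.coredump.enable = false;
  boot.loader.systemd-boot.editor = false;
}
```

After nixos-rebuild switch, `systemd-analyze security example-worker.service` should report a low exposure score. That score measures attack surface, not whether the service still works, so for a real daemon enable the settings one at a time and watch `journalctl -u <unit>` for EPERM or namespace setup failures; PrivateNetwork and the AF_UNIX-only address family list in particular must be dropped for anything that talks on the network.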

TanvirOnGH commented 2 weeks ago

We will aim to cover all the default system services as well as some of the high profile services. Some of them are:

abrtd.service
abrt-journal-core.service
abrt-oops.service
abrt-pstoreoops.service
abrt-vmcore.service
abrt-xorg.service
accounts-daemon.service
alsa-restore.service
alsa-state.service
anaconda-direct.service
anaconda-fips.service
anaconda-nm-config.service
anaconda-nm-disable-autocons.service
anaconda-noshell.service
anaconda-pre.service
anaconda.service
anaconda-sshd.service
arp-ethers.service
auditd.service
auth-rpcgss-module.service
avahi-daemon.service
blivet.service
blk-availability.service
bluetooth.service
bolt.service
brltty.service
canberra-system-bootup.service
canberra-system-shutdown-reboot.service
canberra-system-shutdown.service
chronyd-restricted.service
chronyd.service
chrony-wait.service
colord.service
console-getty.service
cups-browsed.service
cups.service
dbus-broker.service
dbus-daemon.service
dbus-org.freedesktop.hostname1.service
dbus-org.freedesktop.import1.service
dbus-org.freedesktop.locale1.service
dbus-org.freedesktop.login1.service
dbus-org.freedesktop.machine1.service
dbus-org.freedesktop.portable1.service
dbus-org.freedesktop.timedate1.service
debug-shell.service (opens a user shell that must be able to do arbitrary stuff)
dm-event.service
dnf-makecache.service
dnf-system-upgrade-cleanup.service
dnf-system-upgrade.service
dnsmasq.service
dracut-cmdline.service
dracut-initqueue.service
dracut-mount.service
dracut-pre-mount.service
dracut-pre-pivot.service
dracut-pre-trigger.service
dracut-pre-udev.service
dracut-shutdown-onfailure.service
dracut-shutdown.service
emergency.service (opens a user shell that must be able to do arbitrary stuff)
fedora-third-party-refresh.service
firewalld.service
flatpak-add-fedora-repos.service
flatpak-system-helper.service
fprintd.service
fsidd.service
fstrim.service
fwupd-offline-update.service
fwupd-refresh.service
fwupd.service
gdm.service
geoclue.service
grub-boot-indeterminate.service
gssproxy.service
htcacheclean.service
httpd.service
hypervfcopyd.service
hypervkvpd.service
hypervvssd.service
iio-sensor-proxy.service
import-state.service
initrd-cleanup.service
initrd-parse-etc.service
initrd-switch-root.service
initrd-udevadm-cleanup-db.service
instperf.service
ipp-usb.service
iscsid.service
iscsi-init.service
iscsi-onboot.service
iscsi.service
iscsi-shutdown.service
iscsi-starter.service
iscsiuio.service
kdump.service
kmod-static-nodes.service
ldconfig.service
libvirtd.service
libvirt-guests.service
livesys-late.service (adhoc live env config)
livesys.service (adhoc live env config)
loadmodules.service
logrotate.service
low-memory-monitor.service
lvm2-lvmdbusd.service
lvm2-lvmpolld.service
lvm2-monitor.service
man-db-cache-update.service
man-db-restart-cache-update.service
mcelog.service
mdcheck_continue.service
mdcheck_start.service
mdmonitor-oneshot.service
mdmonitor.service
ModemManager.service
ndctl-monitor.service
netavark-dhcp-proxy.service
NetworkManager-dispatcher.service
NetworkManager.service
NetworkManager-wait-online.service
nfs-blkmap.service
nfsdcld.service
nfs-idmapd.service
nfs-mountd.service
nfs-server.service
nfs-utils.service
nftables.service
nis-domainname.service
nm-priv-helper.service
numad.service
nvmefc-boot-connections.service
nvmf-autoconnect.service
ostree-boot-complete.service
ostree-finalize-staged-hold.service
ostree-finalize-staged.service
ostree-prepare-root.service
ostree-remount.service
packagekit-offline-update.service
packagekit.service
pam_namespace.service
pcscd.service
plocate-updatedb.service
plymouth-halt.service
plymouth-kexec.service
plymouth-poweroff.service
plymouth-quit.service
plymouth-quit-wait.service
plymouth-read-write.service
plymouth-reboot.service
plymouth-start.service
plymouth-switch-root-initramfs.service
plymouth-switch-root.service
podman-auto-update.service
podman-clean-transient.service
podman-restart.service
podman.service
polkit.service
power-profiles-daemon.service
psacct.service
qemu-guest-agent.service
qemu-pr-helper.service
quotaon.service
raid-check.service
rc-local.service (this can do arbitrary stuff)
realmd.service
rescue.service
rpcbind.service
rpc-gssd.service
rpc-statd-notify.service
rpc-statd.service
rpmdb-migrate.service
rpmdb-rebuild.service
rtkit-daemon.service
saslauthd.service
selinux-autorelabel-mark.service
selinux-autorelabel.service
selinux-check-proper-disable.service
speech-dispatcherd.service
spice-vdagentd.service
spice-webdavd.service
sshd.service
ssh-host-keys-migration.service
sssd-autofs.service
sssd-kcm.service
sssd-nss.service
sssd-pac.service
sssd-pam.service
sssd.service
sssd-ssh.service
sssd-sudo.service
switcheroo-control.service
system-update-cleanup.service
tcsd.service
thermald.service
udisks2.service
unbound-anchor.service
upower.service
uresourced.service
usbmuxd.service
vboxclient.service
vboxservice.service
vgauthd.service
virtinterfaced.service
virtlockd.service
virtlogd.service
virtnetworkd.service
virtnodedevd.service
virtnwfilterd.service
virtproxyd.service
virtqemud.service
virtsecretd.service
virtstoraged.service
vmtoolsd.service
wpa_supplicant.service
zfs-fuse-scrub.service
zfs-fuse.service
zvbid.service

TanvirOnGH commented 2 weeks ago

Pre-RFC: Systemd Hardening

@Kreyren