coreos / fedora-coreos-tracker

Issue tracker for Fedora CoreOS
https://fedoraproject.org/coreos/

Tracker: Harden all our systemd units #1662

Open travier opened 5 months ago

travier commented 5 months ago

For the following Fedora 40 change, we should take a look at all our systemd units and make sure they are as hardened as possible: https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening

List of units to look at:

ruihe774 commented 3 months ago

Hi! FWIW I'm wondering if it is possible to add a global drop-in in ostree-enabled Fedora editions to prevent other services that do not operate on ostree from accessing /sysroot. See previous discussions at https://github.com/ostreedev/ostree/issues/3211 and https://discussion.fedoraproject.org/t/f40-change-proposal-systemd-security-hardening-system-wide/96423/31

travier commented 3 months ago

We did not complete this effort for F40 and the global change has been pushed to F41.

Baigle commented 3 months ago

Some users have published their successful systemd unit configs and triage methods during setup since the FESCo announcement. See here, though their efforts are incomplete and its effects and interactions widespread and sensitive on system function.
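As an added illustration of the two ideas in this thread (per-unit hardening along the lines of the F40 change, and ruihe774's global drop-in hiding /sysroot from services that do not manage the ostree deployment), here is a set of systemd drop-ins. This is example configuration written for this page, not anything shipped by Fedora CoreOS or the tracker; the file names and the `example-agent.service` unit are assumptions, and only `rpm-ostreed.service` is a real unit that needs the exception.

```ini
# /etc/systemd/system/service.d/10-protect-sysroot.conf
# Global drop-in: applies to every .service on the host.
# The leading '-' makes the entry a no-op where /sysroot does not exist,
# so the same file is harmless on a non-ostree install.
[Service]
InaccessiblePaths=-/sysroot

# /etc/systemd/system/rpm-ostreed.service.d/10-allow-sysroot.conf
# Units that legitimately manage the deployment need the path back.
# An empty assignment resets the list inherited from the global drop-in;
# any later InaccessiblePaths= in this unit's own file would be honoured.
[Service]
InaccessiblePaths=

# /etc/systemd/system/example-agent.service.d/10-hardening.conf
# Per-unit hardening of the kind the F40 change asks for, applied to a
# hypothetical daemon that only needs its own state directory and a socket.
# Start from this, then re-enable only what the service demonstrably needs.
[Service]
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
CapabilityBoundingSet=
# The only writable location under ProtectSystem=strict:
StateDirectory=example-agent
```

Two caveats worth keeping in mind before applying the global file: any path restriction such as `InaccessiblePaths=` puts the service in its own mount namespace with slave propagation, so a unit that is expected to create mounts visible to the rest of the host will silently stop doing so, and every unit that touches /sysroot (not only rpm-ostreed) needs its own reset drop-in. `systemd-analyze security <unit>` reports the resulting exposure score per unit and is a convenient way to check that a drop-in actually took effect.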