Hasty Briefs

SystemD Service Hardening

6 days ago
  • #systemd
  • #security
  • #hardening
  • Systemd provides robust service control, but its defaults favor usability over security.
  • Use `systemd-analyze security` to score a service's sandboxing and identify weak settings.
  • Security settings can be adjusted in the `[Service]` section of unit files or via override files.
  • Key security options include `ProtectSystem`, `PrivateTmp`, `ProtectHome`, and `MemoryDenyWriteExecute`.
  • `SystemCallFilter` restricts syscalls but requires careful tuning to avoid breaking services.
  • Audit logs (queried with `ausearch`) help troubleshoot syscall restrictions that break a service.
  • Prioritize hardening externally facing services like SSH, web servers, and custom scripts.
  • Example configurations are provided for Traefik with security tunings.
  • Running services as dynamic users (`DynamicUser=yes`) or dedicated non-root users enhances security.
  • Security tuning is a balance; apply changes incrementally and monitor logs.
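As an added example (not the original article's Traefik configuration), the following script writes a drop-in override that applies the options listed above to an assumed `traefik.service` whose state lives under `/var/lib/traefik`, then reloads, re-scores and checks the audit log for seccomp denials:

```shell
#!/usr/bin/env bash
# Added example: hardening drop-in for an assumed traefik.service.
# Unit name and state directory are assumptions, not values from the article.
set -euo pipefail

UNIT="${UNIT:-traefik.service}"

# Write a drop-in so the vendor unit stays untouched. $1 is the drop-in
# directory; it defaults to the location systemd reads for this unit.
write_hardening_dropin() {
  local dir="${1:-/etc/systemd/system/${UNIT}.d}"
  mkdir -p "$dir"
  cat > "$dir/10-hardening.conf" <<'EOF'
[Service]
# Transient unprivileged user; only the capability needed to bind 80/443.
DynamicUser=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# Read-only OS, no home dirs, private /tmp; state dir is the only writable path.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
StateDirectory=traefik
# Kernel interfaces a reverse proxy never needs.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Generic service syscall set; denied calls return EPERM and land in the audit log.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
EOF
  printf '%s\n' "$dir/10-hardening.conf"
}

# Reload, restart, re-score, then list recent seccomp denials for the binary.
apply_and_check() {
  systemctl daemon-reload
  systemctl restart "$UNIT"
  systemd-analyze security "$UNIT"
  ausearch -m SECCOMP -ts recent -c traefik 2>/dev/null || true
}
```

Run `write_hardening_dropin` as root, then `apply_and_check`; if the service fails, tighten or relax `SystemCallFilter` based on what `ausearch` reports.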