Re: [RFC] locking down rsyslog.service

To: debian-devel@lists.debian.org
Subject: Re: [RFC] locking down rsyslog.service
From: Sam Morris <sam@robots.org.uk>
Date: Wed, 11 Oct 2023 11:54:03 +0100
Message-id: <[🔎] 57e9e030-5d16-4ebd-bedc-f6cc18e24f7b@robots.org.uk>
In-reply-to: <[🔎] 5b8392a7-8c83-42c4-8020-aafbae94331a@debian.org>
References: <[🔎] 5b8392a7-8c83-42c4-8020-aafbae94331a@debian.org>

On 10/10/2023 19:22, Michael Biebl wrote:

I intend to lock down rsyslog.service in Debian in one of the next
uploads using the following systemd directives


Have you considered NoNewPrivileges=yes?

This is turned in implicitly by some of the other options (e.g,.PrivateDevices=yes) but only if running without CAP_SYS_ADMIN, so for itto be effective you'd have to set it explicitly.


--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9

Reply to:

Follow-Ups:
- Re: [RFC] locking down rsyslog.service
  - From: Michael Biebl <biebl@debian.org>

References:
- [RFC] locking down rsyslog.service
  - From: Michael Biebl <biebl@debian.org>

Prev by Date: Re: [RFC] locking down rsyslog.service
Next by Date: Re: [RFC] locking down rsyslog.service
Previous by thread: Re: [RFC] locking down rsyslog.service
Next by thread: Re: [RFC] locking down rsyslog.service
Index(es):
- Date
- Thread