Re: [RFC] locking down rsyslog.service

To: debian-devel@lists.debian.org
Subject: Re: [RFC] locking down rsyslog.service
From: Michael Biebl <biebl@debian.org>
Date: Wed, 11 Oct 2023 13:41:37 +0200
Message-id: <[🔎] b61cbeee-665e-4092-98a1-7c4b25e26521@debian.org>
In-reply-to: <[🔎] 57e9e030-5d16-4ebd-bedc-f6cc18e24f7b@robots.org.uk>
References: <[🔎] 5b8392a7-8c83-42c4-8020-aafbae94331a@debian.org> <[🔎] 57e9e030-5d16-4ebd-bedc-f6cc18e24f7b@robots.org.uk>

Am 11.10.23 um 12:54 schrieb Sam Morris:

On 10/10/2023 19:22, Michael Biebl wrote:
I intend to lock down rsyslog.service in Debian in one of the next
uploads using the following systemd directives
Have you considered NoNewPrivileges=yes?
This is turned in implicitly by some of the other options (e.g,.PrivateDevices=yes) but only if running without CAP_SYS_ADMIN, so for itto be effective you'd have to set it explicitly.


Thanks. Will add it.

ProtectControlGroups=yes
ProtectHostname=yes

are probably safe as well. So will add them too.

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: [RFC] locking down rsyslog.service
  - From: Michael Biebl <biebl@debian.org>

References:
- [RFC] locking down rsyslog.service
  - From: Michael Biebl <biebl@debian.org>
- Re: [RFC] locking down rsyslog.service
  - From: Sam Morris <sam@robots.org.uk>

Prev by Date: Re: [RFC] locking down rsyslog.service
Next by Date: Re: Please test apt-listchanges 4.0 in experimental
Previous by thread: Re: [RFC] locking down rsyslog.service
Next by thread: Re: [RFC] locking down rsyslog.service
Index(es):
- Date
- Thread