[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFC] locking down rsyslog.service

* Michael Biebl [Tue Oct 10, 2023 at 08:22:26PM +0200]:

> I intend to lock down rsyslog.service in Debian in one of the next
> uploads using the following systemd directives

That's great to hear, thanks for working on this.

> PrivateTmp=yes
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=
> PrivateDevices=yes
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=
> ProtectHome=yes
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=
> ProtectSystem=full
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=
> ProtectKernelTunables=yes
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=
> ProtectKernelModules=yes
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=

All those work fine for rsyslog within a platform of a customer of
mine, for whom I implemented the systemd hardening back in 2020.
Same also for:

| NoNewPrivileges=yes
| ProtectControlGroups=yes

which are mentioned elsewhere in this thread.

You might also consider enabling the following options:

  # Service cannot create writable executable memory mappings that are writable and executable at the same time

  # Service may execute system calls only with native ABI

  # Service cannot change ABI personality

  # Restrict access to the various process namespace types the Linux kernel provides


Attachment: signature.asc
Description: PGP signature

Reply to: