* Michael Biebl [Tue Oct 10, 2023 at 08:22:26PM +0200]:

> I intend to lock down rsyslog.service in Debian in one of the next
> uploads using the following systemd directives

That's great to hear, thanks for working on this.

> PrivateTmp=yes
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=
>
> PrivateDevices=yes
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=
>
> ProtectHome=yes
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=
>
> ProtectSystem=full
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=
>
> ProtectKernelTunables=yes
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=
>
> ProtectKernelModules=yes
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=

All those work fine for rsyslog within a platform of a customer of mine,
for whom I implemented the systemd hardening back in 2020.

Same also for:

| NoNewPrivileges=yes
| ProtectControlGroups=yes

which are mentioned elsewhere in this thread.

You might also consider enabling the following options:

  # Service cannot create writable executable memory mappings that are writable and executable at the same time
  MemoryDenyWriteExecute=yes

  # Service may execute system calls only with native ABI
  SystemCallArchitectures=native

  # Service cannot change ABI personality
  LockPersonality=true

  # Restrict access to the various process namespace types the Linux kernel provides
  RestrictNamespaces=true

regards
-mika-
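
One way to check a unit file against the directives listed in the message above (an added example, not part of the original mail and not Debian's or rsyslog's own tooling). The function names and the sample unit are constructed for illustration; the comparison is an exact match against the values in the mail, not a ranking of which setting is stricter.

```python
import re

# Directive -> value proposed in the message above.
EXPECTED = {
    "PrivateTmp": "yes", "PrivateDevices": "yes", "ProtectHome": "yes",
    "ProtectSystem": "full", "ProtectKernelTunables": "yes",
    "ProtectKernelModules": "yes", "NoNewPrivileges": "yes",
    "ProtectControlGroups": "yes", "MemoryDenyWriteExecute": "yes",
    "SystemCallArchitectures": "native", "LockPersonality": "true",
    "RestrictNamespaces": "true",
}
# systemd accepts several spellings for booleans; fold them to yes/no.
BOOL = {"1": "yes", "true": "yes", "on": "yes", "0": "no", "false": "no", "off": "no"}

def normalize(value):
    v = value.strip().lower()
    return BOOL.get(v, v)

def service_settings(unit_text):
    """Return the [Service] assignments; a later assignment wins."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = normalize(value)
    return settings

def audit(unit_text):
    """Map each directive to 'ok', 'missing' or 'differs (<value>)'."""
    have, report = service_settings(unit_text), {}
    for key, want in EXPECTED.items():
        got = have.get(key)
        report[key] = ("missing" if got is None else
                       "ok" if got == normalize(want) else f"differs ({got})")
    return report

# Constructed sample, not Debian's rsyslog.service.
SAMPLE_UNIT = """[Service]
PrivateDevices=true
ProtectSystem=strict
NoNewPrivileges=no
NoNewPrivileges=1
"""
```

Passing the output of `systemctl cat rsyslog.service` to `audit()` also takes drop-in files into account, since that output lists the unit file followed by its drop-ins.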