Systemd service hardening project
Hey folks,
I'm currently looking at running a security improvement project targeted towards Debian at our company, and would like to gauge interest and search for any prior work within the Debian community.
The short summary is that we're looking at improving the usage of systemd's hardening options for services, sockets, timers, and the like within the Debian ecosystem. Right now, usage levels are pretty varied and there aren't any hardening guidelines in place for Debian packages as it relates to systemd service hardening.
We want to plan and execute a project to develop, contribute, and (ideally where possible) upstream changes to critical systemd services to better utilize the available hardening features of systemd.
We've been talking to Alpha-Omega (an open-source security fund associated with the OpenSSF, https://alpha-omega.dev/) about the idea, and they've indicated willingness to fund the effort provided the money goes to the Debian project and there's a greenlit plan in place.
With that background, I have two main questions and topics of discussion.
1. Is there any prior work on similar efforts? If it's been attempted in the past, or if there's something already out there, I'd love to learn from it and get involved.
2. Is there an interest from the Debian community for an effort like this, and if so, who would like to collaborate to make it happen?
Something like this would obviously need coordination between package maintainers and support from relevant developer teams to be most effective, so we want to get out in front of any actual work to make sure there's a there there.
Looking forward to hearing your thoughts!
--
Jarl Gullberg
CEO & CTO
Visar Systems AB
+46 73 644 96 64
jarl.gullberg@visar-systems.com
https://visar-systems.com