Re: Systemd service hardening project
Jarl Gullberg <jarl.gullberg@visar-systems.com> writes:
> The short summary is that we're looking at improving the usage of
> systemd's hardening options for services, sockets, timers, and the
> like within the Debian ecosystem. Right now, usage levels are pretty
> varied and there aren't any hardening guidelines in place for Debian
> packages as it relates to systemd service hardening.
Plenty of (critical) services in Debian have quite comprehensive systemd
hardening already, but I would love to see more services utilize them.
One example of a package that surprisingly does not have any systemd
hardening options – even very basic ones like PrivateTmp – is bind9 (see
bug 863841). It is after all a well-known service implemented in C and
typically internet facing!
> 1. Is there any prior work on similar efforts? If it's been attempted
> in the past, or if there's something already out there, I'd love to
> learn from it and get involved.
Somehow I've assumed Fedora would have this already sorted out, but
turns out at least this change proposal was dropped:
https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
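As an added illustration of the kind of "basic" options the thread is talking about, here is a systemd drop-in that adds sandboxing to the bind9 unit. This is example configuration written for this page, not from the original message or from Debian's bind9 packaging, and the unit name, the drop-in path and the writable paths are assumptions that must be checked against the installed unit.

```ini
# Assumed location: /etc/systemd/system/named.service.d/hardening.conf
# Debian's bind9 package is assumed to ship named.service; confirm with
# `systemctl cat named.service` before installing this file.
[Service]
# Give the service its own /tmp and /var/tmp, invisible to other processes.
PrivateTmp=yes

# Mount /usr, /boot, /efi and /etc read-only and make the rest of the
# filesystem read-only too; only ReadWritePaths entries stay writable.
ProtectSystem=strict
# Assumed writable locations for a Debian bind9 install (zone cache, dynamic
# zones, pid/socket directory). The leading "-" tells systemd to skip an
# entry that does not exist instead of failing the unit.
ReadWritePaths=-/var/cache/bind -/var/lib/bind -/run/named

# No access to user home directories.
ProtectHome=yes
# The process and its children may not gain privileges via setuid/fscaps;
# dropping from root to the "bind" user still works.
NoNewPrivileges=yes
# Read-only /proc/sys, /sys and cgroup tree; no module loading.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectClock=yes
# Only the socket families a resolver needs (AF_NETLINK is used for
# interface change notifications on Linux).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
```

After `systemctl daemon-reload`, compare `systemd-analyze security named.service` before and after, then restart the unit and watch `journalctl -u named` for permission errors; any EACCES on a path not listed in ReadWritePaths means the assumptions above do not match the local layout.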