Re: Systemd service hardening project
Jarl Gullberg <jarl.gullberg@visar-systems.com> writes:
> We want to plan and execute a project to develop, contribute, and
> (ideally where possible) upstream changes to critical systemd services
> to better utilize the available hardening features of systemd.
> 1. Is there any prior work on similar efforts? If it's been attempted
> in the past, or if there's something already out there, I'd love to
> learn from it and get involved.
Have you seen https://lists.debian.org/debian-devel/2023/07/msg00030.html ?
There are various links in that thread including
https://wiki.debian.org/ReleaseGoals/SystemdAnalyzeSecurity
https://github.com/cyberitsolutions/prisonpc-systemd-lockdown/tree/main/systemd/system/0-EXAMPLES
(I also found https://github.com/desbma/shh once, but never tested it)
> 2. Is there an interest from the Debian community for an effort like
> this, and if so, who would like to collaborate to make it happen?
Would love to see this.
Related, but I would also love to get a proper solution to: sending
email from shell scripts run via systemd units tends to fail with exim
and postfix.
>
> Something like this would obviously need coordination between package
> maintainers and support from relevant developer teams to be most
> effective, so we want to get out in front of any actual work to make
> sure there's a there there.
(I suspect the main problem is going to be that many "maintainers" are
not active, especially where bugs are wishlist and where enabling the
wrong hardening option can break a script for edge cases, and where
testing is difficult.)