From 8b3f9d77367aac421b02f67efc794178a1f5a1a2 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Sun, 27 Mar 2022 13:29:58 +0200
Subject: [PATCH] play around with systemd hardening
---
doc/test_protect.service | 55 ++++++++++++++++++++++++++++++++++++++
doc/test_protect_2.service | 55 ++++++++++++++++++++++++++++++++++++++
doc/test_temp.service | 54 +++++++++++++++++++++++++++++++++++++
libs/systemd.py | 49 +++++++++++++++++++++++++++++++++
4 files changed, 213 insertions(+)
create mode 100644 doc/test_protect.service
create mode 100644 doc/test_protect_2.service
create mode 100644 doc/test_temp.service
diff --git a/doc/test_protect.service b/doc/test_protect.service
new file mode 100644
index 0000000..93865b6
--- /dev/null
+++ b/doc/test_protect.service
@@ -0,0 +1,55 @@
+[Unit]
+Description=TEST
+
+[Service]
+Type=oneshot
+ExecStart=/opt/test
+
+DynamicUser=yes
+UMask=077
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes # DevicePolicy=closed
+PrivateNetwork=yes
+IPAddressDeny=any
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=none
+RestrictFileSystems=ext4 tmpfs zfs
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=~@swap
+SystemCallFilter=~@resources
+SystemCallFilter=~@reboot
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@privileged
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@mount
+SystemCallFilter=~@module
+SystemCallFilter=~@debug
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@clock
+CapabilityBoundingSet=
+ProtectProc=invisible
+ProcSubset=pid
+NoNewPrivileges=yes
+SystemCallArchitectures=native
+
+ReadOnlyPaths=/
+
+NoExecPaths=/
+ExecPaths=/opt/test /bin/bash /lib
+
+[Install]
+WantedBy=multi-user.target
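Review bot: `PrivateDevices=yes # DevicePolicy=closed` is silently ineffective: systemd honours `#` only at the start of a line, so the boolean parser receives `yes # DevicePolicy=closed`, logs a parse failure and drops the directive, and the unit runs without device isolation — move the comment onto its own line, `# DevicePolicy=closed`, above `PrivateDevices=yes`. With `NoExecPaths=/`, the list `ExecPaths=/opt/test /bin/bash /lib` presumably leaves the ELF loader and shared libraries unexecutable on hosts where they resolve under `/lib64` or `/usr/lib`; the second unit in this commit adds `/lib64` and `/usr`, which suggests this combination was already found not to start. `ReadOnlyPaths=/` adds nothing beyond `ProtectSystem=strict`. Both points are cheap to confirm with `systemd-analyze verify` on the file and `systemd-analyze security` on the loaded unit.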
diff --git a/doc/test_protect_2.service b/doc/test_protect_2.service
new file mode 100644
index 0000000..a1c1bef
--- /dev/null
+++ b/doc/test_protect_2.service
@@ -0,0 +1,55 @@
+[Unit]
+Description=TEST
+
+[Service]
+Type=oneshot
+ExecStart=/opt/test
+
+# user
+UMask=077
+DynamicUser=yes
+PrivateUsers=yes
+RestrictSUIDSGID=yes
+NoNewPrivileges=yes
+LockPersonality=yes
+RemoveIPC=yes
+
+# fs
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectProc=invisible
+ProcSubset=pid
+PrivateMounts=yes
+RestrictFileSystems=ext4 tmpfs zfs
+
+NoExecPaths=/
+ExecPaths=/opt/test /bin /lib /lib64 /usr
+
+TemporaryFileSystem=/var
+TemporaryFileSystem=/var
+
+# network
+IPAddressDeny=any
+RestrictAddressFamilies=none
+
+# syscall
+SystemCallArchitectures=native
+SystemCallFilter=~@swap ~@resources ~@reboot ~@raw-io ~@privileged ~@obsolete ~@mount ~@module ~@debug ~@cpu-emulation ~@clock
+
+# else
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+CapabilityBoundingSet=
+
+[Install]
+WantedBy=multi-user.target
diff --git a/doc/test_temp.service b/doc/test_temp.service
new file mode 100644
index 0000000..9bc0b4b
--- /dev/null
+++ b/doc/test_temp.service
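Review bot: `SystemCallFilter=~@swap ~@resources ~@reboot ...` most likely denies only `@swap`: a leading `~` inverts the whole list, and as far as I can tell each following `~@...` token is neither a syscall name nor a `@group`, so systemd logs it as unparseable and skips it, leaving the filter far narrower than the one-directive-per-group form in test_protect.service. The `protection()` helper added to `libs/systemd.py` in this same commit already uses the correct shape, `~@swap @resources @reboot ...`, so the fix is to drop the `~` from every item but the first. `TemporaryFileSystem=/var` appears twice; the duplicate is harmless but should go. `PrivateNetwork=yes` sits under `# fs` rather than `# network`, which makes the grouping misleading when these blocks are used as a reference.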
@@ -0,0 +1,54 @@
+[Unit]
+Description=TEST
+
+[Service]
+Type=oneshot
+ExecStart=/opt/test
+
+TemporaryFileSystem=/
+
+BindReadOnlyPaths=/opt/test /bin /lib /lib64 /usr
+
+
+
+UMask=077
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+IPAddressDeny=any
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=none
+RestrictFileSystems=ext4 tmpfs zfs
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=~@swap
+SystemCallFilter=~@resources
+SystemCallFilter=~@reboot
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@privileged
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@mount
+SystemCallFilter=~@module
+SystemCallFilter=~@debug
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@clock
+CapabilityBoundingSet=
+ProtectProc=invisible
+ProcSubset=pid
+NoNewPrivileges=yes
+SystemCallArchitectures=native
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/libs/systemd.py b/libs/systemd.py
index 421dbb0..e72fdcf 100644
--- a/libs/systemd.py
+++ b/libs/systemd.py
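Review bot: Unlike the other two units in this commit, this file has neither `DynamicUser=yes` nor a `User=` line, so `/opt/test` runs as uid 0; `CapabilityBoundingSet=` strips capabilities, but uid 0 still passes ordinary ownership checks on everything it reaches, so the intended sandbox is much weaker than in test_protect.service. Adding `DynamicUser=yes` and `PrivateUsers=yes` as in the sibling units would close that gap, and `NoExecPaths=/` was dropped here as well. I am not certain systemd's mount-namespace setup accepts `/` as a `TemporaryFileSystem=` target on top of the `BindReadOnlyPaths=` list below it; `systemd-analyze verify` and one start under `systemd-run` would settle it. The three consecutive blank lines after `BindReadOnlyPaths=` look like leftovers from editing.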
@@ -41,3 +41,52 @@ def generate_unitfile(data): data=dict(sorted(data.items(), key=segment_order)), order=order ).lstrip() + +# wip +def protection(): + return { + # user + 'UMask': '077', + 'DynamicUser': 'yes', + 'PrivateUsers': 'yes', + 'RestrictSUIDSGID': 'yes', + 'NoNewPrivileges': 'yes', + 'LockPersonality': 'yes', + 'RemoveIPC': 'yes', + + # fs + 'ProtectSystem': 'strict', + 'ProtectHome': 'yes', + 'PrivateTmp': 'yes', + 'PrivateDevices': 'yes', + 'ProtectProc': 'invisible', + 'ProcSubset': 'pid', + 'PrivateMounts': 'yes', + 'RestrictFileSystems': {'ext4', 'tmpfs', 'zfs'}, + + 'NoExecPaths': {'/'}, + 'ExecPaths': {'/bin', '/sbin', '/lib', '/lib64', '/usr'}, + + 'TemporaryFileSystem': {'/var'}, + + # network + 'IPAddressDeny': 'any', + 'PrivateNetwork': 'yes', + 'RestrictAddressFamilies': 'none', + + # syscall + 'SystemCallArchitectures': 'native', + 'SystemCallFilter': '~@swap @resources @reboot @raw-io @privileged @obsolete @mount @module @debug @cpu-emulation @clock', + + # else + 'ProtectHostname': 'yes', + 'ProtectClock': 'yes', + 'ProtectKernelTunables': 'yes', + 'ProtectKernelModules': 'yes', + 'ProtectKernelLogs': 'yes', + 'ProtectControlGroups': 'yes', + 'RestrictNamespaces': 'yes', + 'MemoryDenyWriteExecute': 'yes', + 'RestrictRealtime': 'yes', + 'CapabilityBoundingSet': '', + }
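Review bot: `protection()` pairs `'NoExecPaths': {'/'}` with an `ExecPaths` set that contains no path for the service's own binary, so a unit rendered from this dict alone cannot exec its `ExecStart=`; every `.service` file in this commit works around that by listing `/opt/test` by hand. A small generalisation keeps the default and makes the requirement explicit: `def protection(exec_paths=()):` and `'ExecPaths': {'/bin', '/sbin', '/lib', '/lib64', '/usr', *exec_paths},`. The set-valued entries (`RestrictFileSystems`, `NoExecPaths`, `ExecPaths`, `TemporaryFileSystem`) iterate in hash-randomised order for `str`, so if `generate_unitfile` — whose body starts outside this hunk — joins them with spaces, the rendered unit will differ from run to run and make diffs of generated files noisy; tuples or sorted lists would keep the output stable. The function also lacks a docstring: a one-liner such as `"""Return a maximal [Service] hardening baseline; callers must add ExecPaths for their binary and relax PrivateNetwork=/RestrictAddressFamilies= for services that need sockets or sd_notify()."""` would replace `# wip` with something the next reader can act on.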