Home

This is the blog of Via Alternativa, a topical search engine for open source built on the Google API.

Here you will find news from several RSS feeds related to the open-source world and GNU/Linux communities.

All content of the entries is the responsibility of those who write them and of their respective websites. If you run a website syndicated here via RSS and do not agree with the redistribution of your content, contact us.

Have fun!

The man who has made a mistake and does not correct it is making another, greater mistake.

— Confucius


Recent posts

Systemd Service Strengthening

Introduction

In an age when attacks are a daily occurrence, minimizing the attack surface is of fundamental importance. Containerization is probably the best way to isolate a service exposed to the public, but it is not always possible, for several reasons. Think, for example, of a legacy application built around systemd: it may make the most of the capabilities of a systemd-based operating system, be managed through a systemd unit, pull updates automatically with a systemd timer, and so on.

For this reason, we are going to explain how to improve the security of a systemd service. But first we need to step back for a moment. In recent releases systemd has added some interesting security features, especially for sandboxing. In this article we show, step by step, how to strengthen a service using specific directives, and how to check the result with the tooling systemd itself provides.

Debugging

systemd ships a useful tool named systemd-analyze. Its security verb, systemd-analyze security, analyzes the security and sandboxing settings of one or more services (or, when no unit is given, of every loaded service). The command checks a list of security-related service settings and assigns each one a numeric "exposure" value that reflects how much that setting matters. It then estimates an overall exposure level for the whole unit on a scale of 0.0…10.0, which tells us how exposed a service is security-wise: a high level means little sandboxing has been applied, a low level means most of the available restrictions are in place. Two caveats are worth keeping in mind. The score reflects only the directives set in the unit, not what the application actually does: a program that sandboxes itself (with its own seccomp filter, say) can score badly while being well protected, and a low score says nothing about bugs in the code being run. And the set of checked settings grows with each systemd release, so scores are only comparable within the same version.

[Screenshot: output of systemd-analyze security, listing every loaded service with its exposure level and verdict]

This lets us check, step by step, the effect of each improvement applied to our service. In the screenshot several services are marked UNSAFE. This is expected on a stock system: most packaged units do not yet apply the sandboxing features systemd offers, and that is precisely what the score is designed to surface.
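To make the check repeatable rather than a one-off look at the table, here is an added example (mine, not code from the article) that extracts the overall exposure level from a systemd-analyze security report and fails when it is above a limit, so it can run from a deploy hook or CI job. The unit name http.service and the constructed sample report are assumptions, used so the parsing runs on a machine without systemd:

```shell
#!/bin/sh
# Added example, not code from the original article: turn the exposure
# level reported by "systemd-analyze security UNIT" into a pass/fail check.
# It assumes the report format of current systemd, where the per-unit
# report ends with a line such as
#   → Overall exposure level for http.service: 9.6 UNSAFE 😨
# The unit name http.service is an assumption.

# Constructed stand-in for real systemd-analyze output, so the parsing can
# be exercised offline (a real report has many more rows than this).
sample_report() {
    cat <<'EOF'
  NAME                      DESCRIPTION                                        EXPOSURE
✗ PrivateNetwork=           Service has access to the host network                  0.5
✗ User=/DynamicUser=        Service runs as root user                               0.4
✗ ProtectSystem=            Service has full access to the OS file hierarchy        0.2
✗ NoNewPrivileges=          Service processes may acquire new privileges            0.2

→ Overall exposure level for http.service: 9.6 UNSAFE 😨
EOF
}

# Read a report on stdin and print the numeric overall exposure level
# (prints nothing if the summary line is missing).
exposure_level() {
    awk '/Overall exposure level/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+$/) { print $i; exit }
         }'
}

# Succeed if LEVEL <= MAX. awk does the comparison because test(1) in
# POSIX sh only compares integers.
within_threshold() {   # within_threshold LEVEL MAX
    awk -v level="$1" -v max="$2" 'BEGIN { exit (level + 0 <= max + 0) ? 0 : 1 }'
}

# Audit a live unit and fail if it is more exposed than MAX.
# Requires systemd; "systemd-analyze security UNIT" is the real command.
audit_unit() {   # audit_unit UNIT MAX
    level=$(systemd-analyze security --no-pager "$1" | exposure_level)
    if [ -z "$level" ]; then
        echo "$1: could not read an exposure level" >&2
        return 2
    fi
    if within_threshold "$level" "$2"; then
        echo "$1: exposure $level is within the limit of $2"
    else
        echo "$1: exposure $level exceeds the limit of $2" >&2
        return 1
    fi
}

# Stand-alone demonstration on the constructed report; on a real host run
# e.g.:  audit_unit http.service 5.0
level=$(sample_report | exposure_level)
echo "sample report: exposure level $level"
within_threshold "$level" 5.0 || echo "sample report: over the limit of 5.0"
```

Pick the limit per service rather than globally: a unit that legitimately needs broad access (a backup agent, for instance) will never reach the score of a single-purpose daemon, and a gate that everyone disables is worth nothing. Recent systemd releases also accept a --threshold= option on systemd-analyze security that does this comparison natively; check systemd-analyze --help on your version, the functions above work on older releases as well.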

Getting Started

Let's start with a basic example. We want to create a systemd unit that starts the command python3 -m http.server as a service, with no sandboxing at all:

[Unit]
Description=Simple Http Server
Documentation=https://docs.python.org/3/library/http.server.html

[Service]
Type=simple
ExecStart=/usr/bin/python3 -m http.server
ExecStop=/bin/kill -9 $MAINPID

[Install]
WantedBy=multi-user.target

Save the file under the unit directory of your distribution, for example as /etc/systemd/system/http.service (the location for locally administered units on systemd-based distributions; the unit name http.service is an arbitrary choice), then run systemctl daemon-reload so that systemd picks it up. Note that the ExecStop= line with kill -9 is not needed for a clean shutdown: systemd already sends SIGTERM on stop and escalates to SIGKILL after TimeoutStopSec=, whereas SIGKILL straight away gives the process no chance to shut down cleanly.

By checking the security exposure through systemd-analyze security we get the following result:
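A unit like the one above sets none of systemd's sandboxing directives, so every row of the report counts against it. As an added example that is not part of the original article, the following script writes the kind of hardening drop-in the strengthening announced in the introduction leads to, using the directives systemd-analyze security looks for. The unit name http.service, the drop-in directory /etc/systemd/system and the document root /srv/www are assumptions:

```shell
#!/bin/sh
# Added example, not code from the original article: a hardening drop-in
# for the http.server unit above, written with the sandboxing directives
# that systemd-analyze security checks for. Assumptions: the unit is named
# http.service, drop-ins live under /etc/systemd/system, and the files to
# serve are in /srv/www. Every directive is documented in systemd.exec(5);
# a few (ProtectProc=, ProtectClock=, ProtectHostname=) need a reasonably
# recent systemd and are ignored, with a warning in the journal, by older ones.

# Emit the drop-in text. A drop-in only adds or overrides the keys it
# lists, so the original unit file stays untouched.
hardening_dropin() {
    cat <<'EOF'
[Service]
# Throwaway unprivileged user instead of root (the service never needs
# root: http.server binds port 8000 by default).
DynamicUser=yes
# Read-only view of the OS; nothing outside StateDirectory=/ReadWritePaths=
# is writable. ProtectHome= hides /home, /root and /run/user entirely.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Serve only from this directory (assumed path).
WorkingDirectory=/srv/www
# No privilege escalation, no capabilities at all.
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
RestrictSUIDSGID=yes
# Hide and protect kernel interfaces and other processes.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Network access is the one thing this service needs, so PrivateNetwork=
# cannot be used; restrict it to IP sockets instead.
RestrictAddressFamilies=AF_INET AF_INET6
# Seccomp allow-list: @system-service is systemd's documented baseline
# for ordinary services; privileged and resource-control syscalls are
# removed on top of it.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
UMask=0077
EOF
}

# Install the drop-in for UNIT under DIR (default /etc/systemd/system)
# and print the path written.
install_dropin() {   # install_dropin UNIT [DIR]
    unit=$1
    dir=${2:-/etc/systemd/system}
    mkdir -p "$dir/$unit.d"
    hardening_dropin > "$dir/$unit.d/10-hardening.conf"
    printf '%s\n' "$dir/$unit.d/10-hardening.conf"
}

# Typical use on a real host (needs root and systemd):
#   install_dropin http.service
#   systemd-analyze verify /etc/systemd/system/http.service
#   systemctl daemon-reload && systemctl restart http.service
#   systemd-analyze security http.service
```

In practice apply the directives a few at a time and re-run systemd-analyze security after each batch, as the article's step-by-step approach suggests, so that when the service stops working you know which restriction broke it. A request against the running server (curl http://127.0.0.1:8000/) and journalctl -u http.service are the two checks to make after every restart: a syscall filter that is too tight shows up there as the process being killed with SIGSYS.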
