Hardening systemd services

This would be fine but depending on the service itself the hardening strategy will be different. That’s why I think using a set of “profiles” that will define some knobs would be useful.

As someone maintaining a systemd unit, you would have to ask some questions:

  • does it run as root? no, use profile run-as-user that will turn on: NoNewPrivileges / ProtectKernelLogs / ProtectKernelModules / ProtectKernelTunables / ProtectProc / RestrictSUIDSGID …
  • does it do network? no, use profile no-network that will turn on: PrivateNetwork
  • does it need to read all FS files? no? then enable PrivateUsers / PrivateTmp / ProtectSystem / ProtectProc …

then, define harden = [ run-as-user no-network no-fs ];
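To make the profile idea concrete, here is an added example (not the poster's code, and not tied to any particular distribution) that composes the three profile names from the post into a systemd drop-in override. The directive names are real `systemd.exec(5)` settings; the values chosen for `ProtectProc` (`invisible`) and `ProtectSystem` (`strict`), the output filename `10-hardening.conf`, and the rule that two profiles may not set the same directive to different values are this example's own assumptions. After installing a drop-in, `systemctl daemon-reload` followed by `systemd-analyze security <unit>` is the standard way to confirm the exposure score actually dropped.

```python
"""Compose systemd hardening "profiles" into a drop-in override file.

Added example, not code from the original post. The profile names
("run-as-user", "no-network", "no-fs") are the post's own labels; the
directive values below are assumptions chosen for this example.
"""
from pathlib import Path

PROFILES = {
    # Service does not need root: keep it from regaining privileges
    # or poking at kernel state.
    "run-as-user": {
        "NoNewPrivileges": "true",
        "ProtectKernelLogs": "true",
        "ProtectKernelModules": "true",
        "ProtectKernelTunables": "true",
        "ProtectProc": "invisible",
        "RestrictSUIDSGID": "true",
    },
    # Service does no networking at all: give it an empty loopback-only netns.
    "no-network": {
        "PrivateNetwork": "true",
    },
    # Service does not need to read the whole filesystem.
    # Caveat: PrivateUsers=true also strips capabilities from a root service,
    # so this profile assumes the unit already runs unprivileged.
    "no-fs": {
        "PrivateUsers": "true",
        "PrivateTmp": "true",
        "ProtectSystem": "strict",
        "ProtectProc": "invisible",
    },
}


def compose(profile_names):
    """Merge the selected profiles into one directive map.

    A profile may repeat a directive another profile already set only if the
    value is identical; a differing value is reported instead of silently
    letting the last profile win, since that would hide a hardening conflict.
    """
    merged = {}
    for name in profile_names:
        if name not in PROFILES:
            raise ValueError(f"unknown hardening profile: {name}")
        for key, value in PROFILES[name].items():
            if key in merged and merged[key] != value:
                raise ValueError(
                    f"profile {name} sets {key}={value}, already set to {merged[key]}"
                )
            merged[key] = value
    return merged


def render_dropin(profile_names):
    """Render the merged directives as the text of a [Service] drop-in."""
    lines = ["[Service]"]
    lines += [f"{key}={value}" for key, value in sorted(compose(profile_names).items())]
    return "\n".join(lines) + "\n"


def write_dropin(unit, profile_names, root=Path("/etc/systemd/system")):
    """Write <root>/<unit>.d/10-hardening.conf and return its path.

    `root` is a parameter so the function can be exercised against a
    scratch directory instead of the live system.
    """
    dropin_dir = Path(root) / f"{unit}.d"
    dropin_dir.mkdir(parents=True, exist_ok=True)
    path = dropin_dir / "10-hardening.conf"
    path.write_text(render_dropin(profile_names))
    return path


if __name__ == "__main__":
    # harden = [ run-as-user no-network no-fs ], as in the post
    print(render_dropin(["run-as-user", "no-network", "no-fs"]), end="")
```

The drop-in only adds directives on top of the unit's existing `[Service]` section, so it can be applied to a vendor-supplied unit without editing it; if a service later breaks, removing the single file and reloading restores the original behaviour.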
