Hardening systemd services

Solene · June 26, 2022, 8:52pm

I think it’s vague, a network-service class could have programs such as

unbound
nsd
samba

you can’t really have the same hardening for them, unbound could work without persistent data requirement, nsd could use only an user defined configuration, samba would need to access the filesystem.

I don’t think classes of this kind could be used.

Solene · June 26, 2022, 8:53pm

Using systemd-analyze security is the way to see how a service is hardened, so you don’t have to dig in nixpkgs

TLATER · June 26, 2022, 9:44pm

Emphasis on default - nix allows overriding these things really easily for the specific service you need already. This proposal just reduces boilerplate, makes it easier for contributors with less experience to know what they should be setting, and advertises that these things are possible to those who don’t know yet.

Your mixins-alike approach is similar, and probably matches the underlying setting types better, but this one fits better within the existing nixpkgs module system. I think both are good suggestions.

only works if I have the service already installed, which if I’m considering whether I should be using one I probably don’t - and installing it for the sake of checking is about as much effort as looking at its module (perhaps less, considering download times vs my existing local copy of nixpkgs).

But yes, systemd-analyze security is very handy for checking the state of my running system

Solene · June 26, 2022, 9:55pm

Indeed, I didn’t think about the case in which you would want to know about the service without installing it.

juaningan · June 27, 2022, 9:35am

There is a bunch of good practices and code examples about how to
securize systemd services in nix-bitcoin project:

bobvanderlinden · June 27, 2022, 10:15am

Nginx has a bunch of recommended* options around security. These options set the defaults for other options. Maybe such a scheme is applicable to systems services as well?

systemd.services.<name>.recommendedHardening or splitting it up into multiple recommendations. Because this only sets defaults of other options, you can still easily override it for a specific service.

sirphobos · May 16, 2023, 6:13pm

Are there any general hardening guidelines after all? I don’t really like how many services run as root with full privileges…

saw wiki - it’s something, but not much after all.

Also the idea of having to harden all/most services from nixpkgs frustrates me as a beginner

hauleth · February 13, 2024, 9:27am

I had an idea for something similar in form of additional attrset within systemd service specification:

harden = {
  basic = true; # basic setup, like RPC, no SUID, etc. 
  execOnlyNix = true; # allow executing only binaries from `/nix/store`
  protectKernel = true; # disable access to kernel logs, modules and tunables
  proc = true; # limit unit view into `/proc`
  systemCall = true; # limit system calls and allow only native system call facilities (important on x86-64
  onlyLocalhost = true; # allow listening only on localhost
}

I am not 100% sure about the naming of the hardening parts, but the idea is there to discuss.

I have created draft PR with implementation of such options

github.com/NixOS/nixpkgs

ft: add systemd hardening helpers

NixOS:master ← hauleth:ft/add-systemd-hardening-helpers

opened 12:03AM - 13 Feb 24 UTC

hauleth

+108 -0

## Description of changes This module adds `systemd.services.<name>.harden` s…et of options that helps with setting basic systemd units hardening. That should help with making more services hardened and responding with better security analysis grade without too much repetition. Most of the set values are marked with `mkDefault` to allow explicit opt-out for options that aren't needed without resolving to `mkForce` or similar. ## Things done - Built on platform(s) - [x] x86_64-linux - [ ] aarch64-linux - [ ] x86_64-darwin - [ ] aarch64-darwin - For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html)) - [ ] `sandbox = relaxed` - [ ] `sandbox = true` - [ ] Tested, as applicable: - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - and/or [package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests) - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test) - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage) - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`) - [24.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) (or backporting [23.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2305.section.md) and [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) Release notes) - [ ] (Package updates) Added a release notes entry if the change is major or breaking - [ ] (Module updates) Added a release notes entry if the change is significant - [ ] (Module addition) Added a release notes entry if adding a new NixOS module - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).  --- Add a :+1: [reaction] to [pull requests you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [pull requests you find important]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc

Atemu · February 13, 2024, 10:58am

That’s a lot better than my idea. And you even have a prototype!

What I find critical is that it’s opt-in rather than opt-out. I think it should be the other way around. Rather than enumerating the things it shouldn’t do, you should enumerate the things the service depends on for its function and block everything else by default.

Your “basic” set of hardening allows networking and unix sockets for instance but some services shouldn’t even have access to that. It’d be great if I could declare such a service simply by saying harden.enable = true;.

If I had a similarly basic service but it needs network access, I would then be able to say:

{
  ...service.harden = {
    enable = true;
    networking = true;
  };
}

which would set RestrictAddressFamilies = [ AF_INET" "AF_INET6" ];

hauleth · February 13, 2024, 11:06am

Yes, but I wanted to start without breaking everything in this PR, as for example sshd in most cases will require almost all of these options disabled.

EDIT: I got what you meant. I have changed the PR to address that and now it uses harden.enable to enable everything and then you can opt-out of some hardening options.

Yeah, but I am still learning Nixpkgs modules type system and I haven’t yet checked if this accepts sum types like that.

Atemu:

If I had a similarly basic service but it needs network access, I would then be able to say:
{
  ...service.harden = {
    enable = true;
    networking = true;
  };
}
which would set RestrictAddressFamilies = [ AF_INET" "AF_INET6" ];

Yeah, that would be reasonable. And by default we could allow only AF_UNIX sockets or none at all.