Systemd sandboxing audit

Some results on the current state of systemd services with respect to hardening

This is the current result of a work-in-progress project with the support of the NLnet Foundation.

This table shows, for each systemd service in nixos, the hardening options that are configured.
The items are sorted by decreasing count of configured options, then by name.

The goal of the project is to audit the security of every systemd service in NixOS. For the moment (modulo the power of my static analysis tool, that may miss some parts of nixpkgs), I built a list of all the systemd services that are defined in NixOS and I automatically read the configuration of these services with respect to systemd hardening. The entries in the table are green if the service configures the option, and red otherwise.

Caveats

  • The analysis was performed on this commit.

  • For now, I only target a restricted list of options (boolean options that are “well-behaved”).

  • This shows the options that are configured, but not necessarily secured: for instance,
    transmission configures PrivateNetwork and this option appears in green,
    yet it is configured by default to false. This means there may be false positives.

    There may also be some false negatives: for instance, nginx does not configure PrivateNetwork,
    but this is expected because nginx has no reason to shut itself from the Internet.

12 Likes
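The "configured but not necessarily secured" caveat above can be checked mechanically once a unit's `[Service]` section is in hand. The following is an added example (not nix-codemod, and not code from the original post): it parses constructed unit-file text, and for a hand-picked list of boolean hardening directives (an assumption, not the tool's real option list) reports whether each is unset, set to a restrictive value, or, as with the transmission case, configured but switched off.

```python
"""Distinguish hardening options that are configured from those that are effective."""
import re

# Boolean directives whose restrictive value is "yes"; assumed list for this example.
HARDENING_BOOLS = ("PrivateNetwork", "PrivateTmp", "ProtectHome",
                   "NoNewPrivileges", "ProtectKernelModules")
TRUE_VALUES = {"yes", "true", "on", "1"}


def parse_service_section(unit_text):
    """Return {key: value} for the [Service] section; a later assignment wins."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit(unit_text):
    """Map each hardening option to 'hardened', 'configured-but-off' or 'unset'."""
    settings = parse_service_section(unit_text)
    verdict = {}
    for opt in HARDENING_BOOLS:
        if opt not in settings:
            verdict[opt] = "unset"              # the table would show this red
        elif settings[opt].lower() in TRUE_VALUES:
            verdict[opt] = "hardened"           # green, and actually restrictive
        else:
            verdict[opt] = "configured-but-off" # green in the table: a false positive
    return verdict


def hardened_count(unit_text):
    """Number of effectively restrictive options (the ranking key, minus false positives)."""
    return sum(v == "hardened" for v in audit(unit_text).values())


# Constructed sample units, not taken from nixpkgs.
TRANSMISSION_UNIT = "[Unit]\nDescription=constructed sample\n[Service]\n" \
    "ExecStart=/bin/true\nPrivateNetwork=false\nPrivateTmp=true\nNoNewPrivileges=yes\n"
NGINX_UNIT = "[Service]\nExecStart=/bin/true\nProtectHome=true\nPrivateTmp=true\n"

if __name__ == "__main__":
    for name, unit in (("transmission", TRANSMISSION_UNIT), ("nginx", NGINX_UNIT)):
        print(name, hardened_count(unit), audit(unit))
```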

Great!

Will you periodically run the analysis on nixpkgs master branch (in the future)?

Yes, it’s something I’d like to do!
I’m just not sure how I’ll do this yet, it depends greatly on how the nixos community feels about these tools :slight_smile:

Cool. I went to look for the status of MySQL/mariadb, but I don’t see it in the list. Any idea why?

That’s because these services are harder to statically analyze: nix-codemod (the tool I wrote to generate this report) expects services to be declared in a simple way, and for instance here, mysql uses mkMerge to declare its serviceConfig which nix-codemod doesn’t support (yet).
It’s a bit frustrating because nix-codemod misses some important parts of nixpkgs. For instance, I know I can’t (yet) target the tests of mysql. I guess that’s because it’s a kind of service that’s complicated to write, and won’t fit right in the requirements of nix-codemod.

I should report the services that I can’t parse, though, so thanks for pointing that out!
And I definitely intend to make nix-codemod able to parse all of nixpkgs eventually, but for the moment I try to see how far I can go with what I got.

1 Like

@thejohncrafter This sounds like a really helpful project. Do you intend to resume it? Or has there been another project tackling the adoption of systemd sandboxing?

I found this tool too: GitHub - desbma/shh: Systemd Hardening Helper

1 Like

Thanks for your interest :slight_smile: At the moment I am unable to work on this, but I hope I will finish it in a reasonably near future. I’m bummed that one of the tools I used (oil shell) has had breaking changes that make the code fail at the moment.