User Tools

Site Tools


linux:systemd:security_overview_of_systemd_services

Linux - systemd - Security overview of systemd services

systemd enable services to run with a whole suite of hardening and sandboxing features from the Linux kernel.

The Linux kernel can filter and limit access to file systems, networks, devices, kernel capabilities and system calls (syscalls), and more.


Check current security

systemd-analyze security

returns:

UNIT                                  EXPOSURE PREDICATE HAPPY
ModemManager.service                       5.8 MEDIUM    😐
NetworkManager.service                     7.8 ^[[0;1;38;5;185mEXPOSED   πŸ™
accounts-daemon.service                    9.6 UNSAFE    😨
acpid.service                              9.6 UNSAFE    😨
alsa-state.service                         9.6 UNSAFE    😨
anacron.service                            9.6 UNSAFE    😨
apache2.service                            9.2 UNSAFE    😨
apport.service                             9.6 UNSAFE    😨
avahi-daemon.service                       9.6 UNSAFE    😨
bluetooth.service                          6.8 MEDIUM    😐
colord.service                             8.8 ^[[0;1;38;5;185mEXPOSED   πŸ™
cron.service                               9.6 UNSAFE    😨
cups-browsed.service                       9.6 UNSAFE    😨
cups.service                               9.6 UNSAFE    😨
dbus.service                               9.6 UNSAFE    😨
dm-event.service                           9.5 UNSAFE    😨
dmesg.service                              9.6 UNSAFE    😨
emergency.service                          9.5 UNSAFE    😨
expressvpn.service                         9.6 UNSAFE    😨
gdm.service                                9.8 UNSAFE    😨
geoclue.service                            7.4 MEDIUM    😐
getty@tty1.service                         9.6 UNSAFE    😨
grub-common.service                        9.6 UNSAFE    😨
hddtemp.service                            9.6 UNSAFE    😨
irqbalance.service                         6.1 MEDIUM    😐
kerneloops.service                         9.2 UNSAFE    😨
libvirtd.service                           9.6 UNSAFE    😨
lvm2-lvmpolld.service                      9.5 UNSAFE    😨
lxcfs.service                              9.6 UNSAFE    😨
networkd-dispatcher.service                9.6 UNSAFE    😨
nvidia-persistenced.service                9.6 UNSAFE    😨
ondemand.service                           9.6 UNSAFE    😨
php7.4-fpm.service                         9.6 UNSAFE    😨
plymouth-start.service                     9.5 UNSAFE    😨
polkit.service                             9.6 UNSAFE    😨
rc-local.service                           9.6 UNSAFE    😨
rescue.service                             9.5 UNSAFE    😨
resolvconf.service                         9.5 UNSAFE    😨
rsync.service                              9.6 UNSAFE    😨
rsyslog.service                            9.6 UNSAFE    😨
rtkit-daemon.service                       7.1 MEDIUM    😐
snap.lxd.daemon.service                    9.6 UNSAFE    😨
snapd.service                              9.6 UNSAFE    😨
switcheroo-control.service                 7.5 ^[[0;1;38;5;185mEXPOSED   πŸ™
systemd-ask-password-console.service       9.3 UNSAFE    😨
systemd-ask-password-plymouth.service      9.5 UNSAFE    😨
systemd-ask-password-wall.service          9.4 UNSAFE    😨
systemd-fsckd.service                      9.5 UNSAFE    😨
systemd-initctl.service                    9.3 UNSAFE    😨
systemd-journald.service                   4.4 OK        πŸ™‚
systemd-logind.service                     2.8 OK        πŸ™‚
systemd-machined.service                   6.1 MEDIUM    😐
systemd-networkd.service                   3.1 OK        πŸ™‚
systemd-resolved.service                   2.2 OK        πŸ™‚
systemd-rfkill.service                     9.3 UNSAFE    😨
systemd-timesyncd.service                  2.1 OK        πŸ™‚
systemd-udevd.service                      8.4 ^[[0;1;38;5;185mEXPOSED   πŸ™
thermald.service                           9.6 UNSAFE    😨
udisks2.service                            9.6 UNSAFE    😨
unattended-upgrades.service                9.6 UNSAFE    😨
upower.service                             2.3 OK        πŸ™‚
user@1000.service                          9.4 UNSAFE    😨
user@125.service                           9.4 UNSAFE    😨
uuidd.service                              4.5 OK        πŸ™‚
virtlockd.service                          9.6 UNSAFE    😨
virtlogd.service                           9.6 UNSAFE    😨
whoopsie.service                           9.6 UNSAFE    😨
wpa_supplicant.service                     9.6 UNSAFE    😨

NOTE:

  • Exposure score: is entirely based on a service’s utilization of security features provided by systemd.
    • It doesn’t consider security features built-in to the program or enforced by access control policies like Security-Enhanced Linux (SELinux) or AppArmor.
    • Nor does the score in any way evaluate the risk factors of a program or its configuration.

Notice that many daemons, such as crond, are considered to be unsafe.

  • That’s an accurate assessment as these services are designed to allow unrestricted execution of arbitrary commands.
  • You may want to disable these services entirely unless you need them.

Analyze security of a specific service

Using Apache2 as an example:

systemd-analyze security apache2.service

returns:

  NAME                                                        DESCRIPTION                                                             EXPOSURE
βœ— PrivateNetwork=                                             Service has access to the host's network                                     0.5
βœ— User=/DynamicUser=                                          Service runs as root user                                                    0.4
βœ— CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service may change UID/GID identities/capabilities                           0.3
βœ— CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has administrator privileges                                         0.3
βœ— CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has ptrace() debugging abilities                                     0.3
βœ— RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                        0.3
βœ— RestrictNamespaces=~CLONE_NEWUSER                           Service may create user namespaces                                           0.3
βœ— RestrictAddressFamilies=~…                                  Service may allocate exotic sockets                                          0.3
βœ— CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service may change file ownership/access mode/capabilities unrestricted      0.2
βœ— CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service may override UNIX file/IPC permission checks                         0.2
βœ— CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has network configuration privileges                                 0.2
βœ— CapabilityBoundingSet=~CAP_RAWIO                            Service has raw I/O access                                                   0.2
βœ— CapabilityBoundingSet=~CAP_SYS_MODULE                       Service may load kernel modules                                              0.2
βœ— CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes may change the system clock                                0.2
βœ— DeviceAllow=                                                Service has no device ACL                                                    0.2
βœ— IPAddressDeny=                                              Service does not define an IP address whitelist                              0.2
βœ“ KeyringMode=                                                Service doesn't share key material with other services                  ^[[0;38;5;245m
βœ— NoNewPrivileges=                                            Service processes may acquire new privileges                                 0.2
βœ“ NotifyAccess=                                               Service child processes cannot alter service state                      ^[[0;38;5;245m
βœ— PrivateDevices=                                             Service potentially has access to hardware devices                           0.2
βœ“ PrivateMounts=                                              Service cannot install system mounts                                    ^[[0;38;5;245m
βœ“ PrivateTmp=                                                 Service has no access to other software's temporary files               ^[[0;38;5;245m
βœ— PrivateUsers=                                               Service has access to other users                                            0.2
βœ— ProtectClock=                                               Service may write to the hardware clock or system clock                      0.2
βœ— ProtectControlGroups=                                       Service may modify the control group file system                             0.2
βœ— ProtectHome=                                                Service has full access to home directories                                  0.2
βœ— ProtectKernelLogs=                                          Service may read from or write to the kernel log ring buffer                 0.2
βœ— ProtectKernelModules=                                       Service may load or read kernel modules                                      0.2
βœ— ProtectKernelTunables=                                      Service may alter kernel tunables                                            0.2
βœ— ProtectSystem=                                              Service has full access to the OS file hierarchy                             0.2
βœ— RestrictAddressFamilies=~AF_PACKET                          Service may allocate packet sockets                                          0.2
βœ— RestrictSUIDSGID=                                           Service may create SUID/SGID files                                           0.2
βœ— SystemCallArchitectures=                                    Service may execute system calls with all ABIs                               0.2
βœ— SystemCallFilter=~@clock                                    Service does not filter system calls                                         0.2
βœ— SystemCallFilter=~@debug                                    Service does not filter system calls                                         0.2
βœ— SystemCallFilter=~@module                                   Service does not filter system calls                                         0.2
βœ— SystemCallFilter=~@mount                                    Service does not filter system calls                                         0.2
βœ— SystemCallFilter=~@raw-io                                   Service does not filter system calls                                         0.2
βœ— SystemCallFilter=~@reboot                                   Service does not filter system calls                                         0.2
βœ— SystemCallFilter=~@swap                                     Service does not filter system calls                                         0.2
βœ— SystemCallFilter=~@privileged                               Service does not filter system calls                                         0.2
βœ— SystemCallFilter=~@resources                                Service does not filter system calls                                         0.2
βœ“ AmbientCapabilities=                                        Service process does not receive ambient capabilities                   ^[[0;38;5;245m
βœ— CapabilityBoundingSet=~CAP_AUDIT_*                          Service has audit subsystem access                                           0.1
βœ— CapabilityBoundingSet=~CAP_KILL                             Service may send UNIX signals to arbitrary processes                         0.1
βœ— CapabilityBoundingSet=~CAP_MKNOD                            Service may create device nodes                                              0.1
βœ— CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges                                   0.1
βœ— CapabilityBoundingSet=~CAP_SYSLOG                           Service has access to kernel logging                                         0.1
βœ— CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has privileges to change resource use parameters                     0.1
βœ— RestrictNamespaces=~CLONE_NEWCGROUP                         Service may create cgroup namespaces                                         0.1
βœ— RestrictNamespaces=~CLONE_NEWIPC                            Service may create IPC namespaces                                            0.1
βœ— RestrictNamespaces=~CLONE_NEWNET                            Service may create network namespaces                                        0.1
βœ— RestrictNamespaces=~CLONE_NEWNS                             Service may create file system namespaces                                    0.1
βœ— RestrictNamespaces=~CLONE_NEWPID                            Service may create process namespaces                                        0.1
βœ— RestrictRealtime=                                           Service may acquire realtime scheduling                                      0.1
βœ— SystemCallFilter=~@cpu-emulation                            Service does not filter system calls                                         0.1
βœ— SystemCallFilter=~@obsolete                                 Service does not filter system calls                                         0.1
βœ— RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                         0.1
βœ— RootDirectory=/RootImage=                                   Service runs within the host's root directory                                0.1
  SupplementaryGroups=                                        Service runs as root, option does not matter                            ^[[0;38;5;245m
βœ— CapabilityBoundingSet=~CAP_MAC_*                            Service may adjust SMACK MAC                                                 0.1
βœ— CapabilityBoundingSet=~CAP_SYS_BOOT                         Service may issue reboot()                                                   0.1
βœ“ Delegate=                                                   Service does not maintain its own delegated control group subtree       ^[[0;38;5;245m
βœ— LockPersonality=                                            Service may change ABI personality                                           0.1
βœ— MemoryDenyWriteExecute=                                     Service may create writable executable memory mappings                       0.1
  RemoveIPC=                                                  Service runs as root, option does not apply                             ^[[0;38;5;245m
βœ— RestrictNamespaces=~CLONE_NEWUTS                            Service may create hostname namespaces                                       0.1
βœ— UMask=                                                      Files created by service are world-readable by default                       0.1
βœ— CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service may mark files immutable                                             0.1
βœ— CapabilityBoundingSet=~CAP_IPC_LOCK                         Service may lock memory into RAM                                             0.1
βœ— CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service may issue chroot()                                                   0.1
βœ— ProtectHostname=                                            Service may change system host/domainname                                    0.1
...

NOTE: There are many tests in the security review.

This example shows βœ“ PrivateTmp=; which means this is restricted to its own sandboxed temp directory and that it doesn’t have access to the system /tmp directory.

There are however many places where this could be configured to be more secure.


Service unit security hardening

Your web server probably doesn’t need write-access to most locations in your file hierarchy. It probably doesn’t even need read-access.

sudo systemctl edit apache2.service

NOTE: This will open a text editor where any change you make will override the service’s default directives.

It will use your default text editor as specified in the EDITOR environmental variable.

and add:

[Service]
PrivateDevices=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictSUIDSGID=true

Save the file.

NOTE: See systemd.exec man page for extensive documentation on each directive.

Other hardening can be done, for example:

  • Specific directories can be blocked by adding them to the InaccessiblePaths.
    • Example: InaccessiblePaths=-/etc/letsencrypt.
      • The minus in front of the path tells systemd not to raise an error if the path doesn’t exist at runtime.
    • Multiple paths separated by space characters.

Reload the systemctl daemon

sudo systemctl daemon-reload

NOTE: This makes systemd aware of the changes.


Restart httpd

sudo systemctl restart httpd.service

Recheck the security

systemd-analyze security

NOTE: This should show some point improvements.


References

linux/systemd/security_overview_of_systemd_services.txt Β· Last modified: 2023/07/17 14:21 by peter

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki