
Draft: Contribute selection of systemd hardening parameters

@@ -280,6 +280,18 @@ sandboxing:
- systemd provides
[sandboxing functionality](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing)
which can be used to alter the environment in which the process is run.
From the linked set of systemd sandboxing options, the following
are interesting and grouped by complexity to apply:
- Try first: ``ProtectHome``,
``NoNewPrivileges``, ``PrivateTmp``, ``AppArmorProfile``,
``ProtectControlGroups``, ``ProtectKernelLogs``, ``ProtectKernelTunables``,
``ProtectKernelModules``, ``ProtectSystem``
- Better sandboxing, but more testing required: ``InaccessiblePaths``,
``ReadOnlyPaths``, ``PrivateDevices``, ``LockPersonality``
- Hard to apply: ``SystemCallFilter``,
``RestrictSUIDGID``, ``MemoryDenyWriteExecute``
It is always necessary to do properly testing of the sandboxed application.
# Network and firewalls
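Review bot: ``RestrictSUIDGID`` in the "Hard to apply" group is not the name of a systemd directive; systemd.exec(5) documents it as ``RestrictSUIDSGID=``, so a reader copying the list into a unit file would get an unknown-setting warning and no protection. Two smaller points in the same hunk: "do properly testing of the sandboxed application" should read "do proper testing of the sandboxed application", and that closing sentence currently follows the last list item without a blank line, so in reStructuredText it will be rendered as part of the "Hard to apply" bullet rather than as a standalone paragraph applying to all three groups; a blank line before it (and, for consistency with the rest of the page, before the "# Network and firewalls" heading) fixes that.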