Skip to content

Commit

Permalink
modifies existing article
Browse files Browse the repository at this point in the history
  • Loading branch information
@Amrita42
Amrita42 committed Jan 21, 2025
1 parent a2a0700 commit 89f14cc
Show file tree
Hide file tree
Showing 5 changed files with 221 additions and 59 deletions.
9 changes: 5 additions & 4 deletions DC-systemd-securing
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,10 @@ SRC_DIR="articles"
IMG_SRC_DIR="images"

PROFCONDITION="suse-product"
PROFOS="sles"
#PROFCONDITION="suse-product;beta"
#PROFCONDITION="community-project"

## Profiling
PROFOS="PRODUCT"
PROFCONDITION="PRODUCTNUMBER"
PROFARCH="x86_64;zseries;power;aarch64"
DOCBOOK5_RNG_URI="urn:x-suse:rng:v2:geekodoc-flat"
STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2022-ns"
FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"
43 changes: 21 additions & 22 deletions articles/systemd-securing.asm.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,12 @@
xmlns="http://docbook.org/ns/docbook">
<!-- R E S O U R C E S -->
<resources>
<resource href="../concepts/systemd-securing.xml" xml:id="_systemd-securing"/>
<resource href="../concepts/systemd-securing.xml" xml:id="_systemd-secure-services"/>
<!-- Tasks -->
<resource href="../tasks/systemd-example-secure-service.xml" xml:id="_systemd-example-secure-service"/>
<resource href="../tasks/systemd-analyze-security-service-files.xml" xml:id="_systemd-analyze-security-service-files"/>
<resource href="../references/systemd-securing-techniques.xml" xml:id="_systemd-securing-techniques"/>
<resource href="../glues/systemd-securing-more-info.xml" xml:id="_systemd-securing-more-info"/>
<!-- Glues -->
<resource href="../glues/systemd-securing-more-info.xml" xml:id="_systemd-securing-more-info"/>
<resource href="../common/legal.xml" xml:id="_legal"/>
<resource href="../common/license_gfdl1.2.xml" xml:id="_gfdl"/>
</resources>
Expand All @@ -35,7 +37,7 @@
</revhistory>

<!-- Maintainer-->
<meta name="maintainer" content="tbazant@suse.com" its:translate="no"/>
<meta name="maintainer" content="amrita.sakthivel@suse.com" its:translate="no"/>

<!-- Series-->
<meta name="series" its:translate="no">Smart Docs</meta>
Expand All @@ -53,7 +55,7 @@
<dm:url>https://bugzilla.suse.com/enter_bug.cgi</dm:url>
<dm:component>Documentation</dm:component>
<dm:product>SUSE Linux Enterprise Server 16.0</dm:product>
<dm:assignee>tbazant@suse.com</dm:assignee>
<dm:assignee>amrita.sakthivel@suse.com</dm:assignee>
</dm:bugtracker>
<dm:translation>yes</dm:translation>
</dm:docmanager>
Expand Down Expand Up @@ -84,28 +86,26 @@
<term>WHAT?</term>
<listitem>
<para>
&systemd; service files are most often used to operate one or more &systemd;
services, such as starting, stopping or viewing the status of the service. Besides
this, the service files can limit the privileges of the service they control.
&systemd; service files are a powerful tool for managing services in a Linux environment.
These service files are used to operate one or more &systemd; services such as starting,enabling,stopping or viewing the
status of the service. Additionally, the service files can limit the privileges of the service they control.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>WHY?</term>
<listitem>
<para>
Using security options of &systemd; service files increases the security of the
service they control. This adds another security layer of the whole operating
system.
Using the security options of &systemd; service files increases the security of the
service they control. This adds another security layer to the operating system.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>EFFORT</term>
<listitem>
<para>
It takes less than 15 minutes to understand how &systemd; can control the security
level of &systemd; services.
20 minutes of reading time.
</para>
</listitem>
</varlistentry>
Expand All @@ -115,12 +115,12 @@
<itemizedlist>
<listitem>
<para>
Good knowledge of the &systemd; environment
Basic understanding of Linux commands
</para>
</listitem>
<listitem>
<para>
&rootuser; privileges
Basic understanding of Linux processes, daemons, and control groups
</para>
</listitem>
</itemizedlist>
Expand All @@ -129,19 +129,18 @@
</variablelist>
</abstract>
</merge>
<module resourceref="_systemd-securing"/>
<module resourceref="_systemd-analyze-security-service-files">
<module resourceref="_systemd-secure-services"/>
<module resourceref="_systemd-example-secure-service">
<merge>
<title>Analyzing the security level</title>
<title>How to analyze the security of a &systemd; service</title>
</merge>
</module>
<module resourceref="_systemd-securing-techniques">
<module resourceref="_systemd-securing-more-info">
<merge>
<title>Techniques of securing</title>
<title>For more information</title>
</merge>
</module>
<module resourceref="_systemd-securing-more-info"/>
<module resourceref="_legal"/>
<module resourceref="_legal"/>
<module resourceref="_gfdl">
<output renderas="appendix"/>
</module>
Expand Down
41 changes: 25 additions & 16 deletions concepts/systemd-securing.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,8 @@
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:trans="http://docbook.org/ns/transclusion">
<info>
<title>Secure &systemd; services</title>
<title>Introduction to securing &systemd; services</title>
<meta name="maintainer" content="[email protected]" its:translate="no"/>
<abstract>
<para>
Linux increases its security by separating privileges between individual components of the
Expand All @@ -30,23 +31,31 @@
them from certain privileges that normal users are allowed to use.
</para>
</abstract>
<meta name="maintainer" content="[email protected]" its:translate="no"/>
</info>
<section xml:id="how-it-works-securing-with-systemd">
<title>How does securing services with &systemd; work?</title>
<para>
There are several methods to secure processes and applications that you can use
simultaneously. For example, confining with &selnx; <phrase os="sles">or &aa; </phrase>is
recommended. &systemd; can apply additional restrictions to local services by using
technologies included in the kernel. These restrictions are activated by adding specific
options to the &systemd; service definition and restarting the service.
</para>
</section>
<section xml:id="benefits-securing-with-systemd">
<title>Benefits of securing services</title>
</info>
<section xml:id="benefits-securing-with-systemd">
<title>Why is securing &systemd; services important?</title>
<para>
Securing &systemd; services increases the security of the whole operating system and protects
sensitive data contained on its file system.
sensitive data contained on its file system. With &systemd;, you can configure your system in many ways.
&systemd; runs as the first process on boot (PID1) which means that it has a lot of power on your Linux environment.
</para>
<para>&systemd; can apply additional restrictions to local services by using technologies included in the kernel.
These restrictions are activated by adding specific options to the systemd service definition and restarting the service.
&systemd; has a command-line tool <command>systemd-analyze security</command>. This command analyses the services and checks
if the services are using its security options.</para>
</section>
<section xml:id="what-is-systemd-aalyze-security-command">
<title>What is the <command>systemd-analyze security</command> command?</title>
<para>
The command analyzes the security and sandboxing settings of the specified service units.
A detailed analysis of the security settings is executed and displayed.
If a service unit is not specified, all currently loaded, long-running service units are inspected and the results are displayed in a terse table.
</para>
<para>Upon checking the security settings, the command assigns a numeric value , also known as <emphasis>exposure level</emphasis>.
This value is dependent on how important a setting is. It then calculates an overall exposure level for the whole unit. This value ranges
from 0.0-10.0, which is an indicator of how exposed a service is security wise.
High exposure levels indicate that the service might benefit from additional security settings.
While low exposure levels indicate tight security restrictions.
</para>
</section>
</topic>
23 changes: 6 additions & 17 deletions glues/systemd-securing-more-info.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,38 +18,27 @@
<itemizedlist>
<listitem>
<para>
All security options are described in &systemd;'s man pages. Refer to <command>man 5
systemd.exec</command>.
<command>man 5 systemd.exec</command>
</para>
</listitem>
<listitem>
<para>
The list of currently defined kernel capabilities is available in <command>man 7
capabilities</command>.
<command>man 7 capabilities</command>
</para>
</listitem>
<listitem>
<para>
Enabling and disabling &systemd; services is described in
<link xlink:href="https://documentation.suse.com/smart/linux/html/reference-systemctl-enable-disable-services/reference-systemctl-enable-disable-services.html"/>.
Introduction to &systemd; basics <link xlink:href="https://documentation.suse.com/smart/systems-management/html/systemd-basics/index.html"> </link>
</para>
</listitem>
<listitem>
<para>
Managing &systemd; targets with <command>systemctl</command> is described in
<link xlink:href="https://documentation.suse.com/smart/linux/html/reference-managing-systemd-targets-systemctl/reference-systemctl-managing-targets.html"/>.
Managing &systemd; services <link xlink:href="https://documentation.suse.com/smart/systems-management/html/systemd-management/index.html"/>
</para>
</listitem>
<listitem>
<para>
Sending termination signals to &systemd; services is described in
<link xlink:href="https://documentation.suse.com/smart/linux/html/task-send-termination-signals-systemd/task-send-termination-signals-systemd.html"/>.
</para>
</listitem>
<listitem>
<listitem>
<para>
Starting and stopping &systemd; services is described in
<link xlink:href="https://documentation.suse.com/smart/linux/html/reference-systemctl-start-stop-services/reference-systemctl-start-stop-services.html"/>.
System and Service Manager <link xlink:href="https://systemd.io/"> </link>
</para>
</listitem>
</itemizedlist>
Expand Down
164 changes: 164 additions & 0 deletions tasks/systemd-example-secure-service.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,164 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE topic
[
<!ENTITY % entities SYSTEM "../common/generic-entities.ent">
%entities;
]>
<topic xml:id="systemd-example-secure-service"
role="task" xml:lang="en"
xmlns="http://docbook.org/ns/docbook" version="5.2"
xmlns:its="http://www.w3.org/2005/11/its"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:trans="http://docbook.org/ns/transclusion">
<info>
<title>How to analyze the security of a &systemd; service?</title>
<meta name="maintainer" content="[email protected]" its:translate="no"/>
<abstract>
<para>
Use the <command>systemd-analyze security</command> command to analyze the security settings of a &systemd; service.
The <literal>security</literal> option analyzes the security and the sandboxing settings of one or more specified services.
</para>

</abstract>

</info>
<procedure>
<step><para>Create a &systemd; service in the <filename>/etc/systemd/system</filename>. </para>
</step>
<step><para>Reload the service files to include the new service:</para>
<screen>&prompt.sudo; systemctl daemon-reload</screen>
</step>
<step><para>Start,enable, and check the status of the service:</para>
<screen>&prompt.sudo; systemctl start <replaceable>SERVICE_NAME</replaceable></screen>
<screen>&prompt.sudo;systemctl enable <replaceable>SERVICE_NAME</replaceable></screen>
<screen>&prompt.sudo; systemctl status <replaceable>SERVICE_NAME</replaceable></screen>

</step>
<step><para>Analyze the security settings of the service:</para>
<screen>&prompt.sudo; systemd-analyze security <replaceable>SERVICE_NAME</replaceable></screen>
<para>For example:</para>
<screen>&prompt.sudo; systemd-analyze security test.service
NAME DESCRIPTION EXPOSURE
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ User=/DynamicUser= Service runs as root user 0.4
✗ DeviceAllow= Service has no device ACL
...
→ Overall exposure level for test.service: 9.6 UNSAFE 😨
</screen>
</step>
</procedure>

<para><emphasis>How to improve the overall exposure</emphasis></para>
<para>If you get <emphasis>9.6 UNSAFE</emphasis>, you can use <literal>[Section]</literal> part of the service definition file to add any of the below options. For example:</para>
<screen>
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
PrivateNetwork=yes
InaccessibleDirectories=/home
.....
</screen>
<variablelist>
<varlistentry>
<term>NoNewPrivileges=yes</term>
<listitem>
<para>
New privileges are not required.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PrivateTmp=yes</term>
<listitem>
<para>
Private directory for temporary files. This option provides the service with a private <filename>/tmp</filename> isolated from
the host system's <filename>/tmp</filename>. The shared host <filename>/tmp</filename>
directory is a major source of security problems, such as symlink attacks and DoS
<filename>/tmp</filename> temporary files.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PrivateNetwork=yes</term>
<listitem>
<para>
This option isolates the service and its processes from networking. This prevents
external network requests from reaching the protected service. Be aware that certain
services require the network to be operational.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>InaccessibleDirectories=/home</term>
<listitem>
<para>
This option makes the specified directories inaccessible to the service. This option
narrows the range of directories that can be read or modified by the service, for
example, to secure users' private files.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ReadOnlyDirectories=/var</term>
<listitem>
<para>
This option makes the specified directories inaccessible for writing to the service. The
example configuration makes the whole tree below <filename>/var</filename> read-only.
This option prevents the service from damaging the system files.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>CapabilityBoundingSet=CAP_CHOWN CAP_KILL</term>
<listitem>
<para>
This option restricts the kernel capabilities that a service can retain. In the example
above, only the <literal>CAP_CHOWN</literal> and <literal>CAP_KILL</literal> capabilities
are retained by the service, and the service and any processes it creates cannot obtain
any other capabilities, not even via setuid binaries.
</para>
<tip>
<title>The <command>pscap</command> command tool</title>
<para>
To easily identify which processes on your system retain which capabilities, use the
<command>pscap</command> command tool from the <package>libcap-ng-utils</package> package.
</para>
</tip>

<para>
The <literal>~</literal> prefix inverts the meaning of the option&mdash;. Instead of
listing all capabilities that the service retains, you can list the ones it does not
retain:
</para>
<screen>...
[Service]
CapabilityBoundingSet=~CAP_SYS_PTRACE
...</screen>

</listitem>

</varlistentry>
<varlistentry>
<term>LimitNPROC=1, LimitFSIZE=0</term>
<listitem>
<para>
You can use <emphasis>resource limits</emphasis> to apply security limits on services.
Two of them can disable specific operating system features:
<option>RLIMIT_NPROC=1</option> disables precess forking, while
<option>RLIMIT_FSIZE=0</option> disables creating non-empty files on the file system.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DeviceAllow=/dev/null rw</term>
<listitem>
<para>
This option limits access to <filename>/dev/null</filename>, disallowing access to any
other device nodes.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>These are some options you can use.</para>
</topic>

0 comments on commit 89f14cc

Please sign in to comment.