On Wed, 26 Sep 2012 16:57:10 +0000 Rainer Gerhards <[email protected]> wrote:
> That's an excellent idea. V7 fully supports privilege dropping and > has the necessary design to do it cleanly. With v6, that's also the > case, but v6 is more or less meant for folks who want a (basically) > v5 engine plus the new config language. I am working hard to mature > v7, which will also include all the structured logging support that > will become important. Some big users help with testing to get it > stable quickly. Picking up this old bug report: I consider making use of some of the systemd hardening features: http://0pointer.de/blog/projects/security.html Some of the flags might be suitable shipping upstream, i.e. [Service] ProtectSystem=full ProtectHome=yes PrivateTmp=yes CapabilityBoundingSet=CAP_SYSLOG The last one is tricky though, we might need more capabilities [1], e.g. for binding interfaces. Would CAP_NET_BIND_SERVICE be sufficient or do we need CAP_NET_ADMIN? Rainer, do you know which capabilities [2] rsyslog needs, when it makes use of all features? Michael [1] http://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet= [2] http://man7.org/linux/man-pages/man7/capabilities.7.html -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
signature.asc
Description: OpenPGP digital signature

