RL <richard.lewis.deb...@googlemail.com> writes:

> Russell Coker <russ...@coker.com.au> writes:
>
>> https://wiki.debian.org/ReleaseGoals/SystemdAnalyzeSecurity
>>
>> I think we should make it a release goal to have as many daemons as
>> possible running with systemd security features to aim for a low score
>> from "systmd-analyze security".
>
>
> This repos from Trent Buck has a lot of research -
> https://github.com/cyberitsolutions/prisonpc-systemd-lockdown/tree/main/systemd/system/0-EXAMPLES
>
> (One of the issues for services that send email is that it is very
> easy to break exim)

Hello, I am a nosy person!

I am pleased to see everyone I have pestered about systemd hardening
since 2018 has already commented on this thread :-)

The git repo mentioned above is mostly for Debian 9.
I have later work against Debian 11, but
it's mostly part of a private ansible repo.
I have pushed some into debbugs already.
(SOMEWHERE in "bts show from:trentbuck archive=both"...)

Below is a brain-dump of some new notes I wrote today.


I broadly agree with Marco and Simon sentiments.
Hardening any daemon that can run arbitary hook scripts (e.g. smartd) is going 
to inconvenience at least 1 person.

I think there's room for improvement, though.
I think at least some units can be hardened by packagers in a way that 99% of 
users don't notice, and
debian/NEWS can warn users "if you're an edge case, do X to undo this change".

We've had similar cases where e.g. sshd dropped sha1, or
where X.service gradually dropped backcompat with /etc/default/X, or
where msmtp had apparmor hardening on by default, then downgraded it to an 
opt-in debconf question.

We can also add wiki / hardening-howto documentation to help admins/users opt 
in to hardening (a la aa-genprof), but
based on my experience with aa and selinux, I don't think that will give good 
bang-for-buck.

Since systemd units support dropins, we could also provide a single
"harden-all-the-things" package that simply provides a lot of
/lib/systemd/system/X.service.d/harden-all-the-things.conf
errata.  This would work similar to how apparmor-profiles-extras works 
currently --
if you don't care about security, you just don't install that package at all.
I suspect that will also stagnate, though, so it's better to do hardening in 
each package where possible.



My rules of thumb so far are:

  * Start with the most popular units, i.e. sort by popcon.

  * Start with units with a clear "do one thing, well" mission,
    e.g. e2scrub@, ntpsec-rotate-stats

  * If it runs its own process manager (e.g. postfix's "master"),
    don't bother trying to harden it.

    Start talking to upstream about whether this could be a generator creating 
native socket-activated systemd units?
    If systemd is missing necessary capabilities (e.g. sshd's MaxStartups=), 
talk to systemd about how to add these?

  * If it sends mail via /usr/sbin/sendmail,
    don't bother trying to harden it.

    If it sends mail via smtp://localhost, that's MUCH easier.
    Start encouraging upstreams to do that instead?

    (Sysadmins can bind-mount /usr/sbin/msmtp to /usr/sbin/sendmail within the 
service,
    so that a daemon calling /usr/sbin/sendmail will end up talking to 
exim/postfix/msmtpd on [::1]:25.
    Packagers probably can't get away with that.)

  * If it can run arbitrary admin-configurable hooks,
    don't bother trying to harden it.

    For example, smartd and zfs-zed both *by default* only send email, but
    in theory you can make them flash LEDs on the front panel by running 
/opt/broadcom/LSIctl.
    Or make demons fly out of your nose.

  * If it's sshd or equivalent (used interactively by admin, forks "sudo" &c),
    don't bother trying to harden it.

  * You don't have to get the score down to 2.
    Even getting most scores down from ~9 to ~6 is worthwhile.

    Moving pidfiles from /run/%p.pid to /run/%p/%p.pid and
    letting systemd do the User=%p can help quite a bit.
    Often upstream code needs some minor massaging to make that work cleanly.

    Socket activating can help, e.g. prayer (webmail) had undocumented ability 
to use socket activation,
    which meant you could harden its ability to bind to low ports.

  * MariaDB upstream is a good example of a reasonableperson-test "middle 
ground" level of default hardening.

    https://mariadb.com/kb/en/systemd/#useful-systemd-options

  * If you have to support both Debian N and Debian Nbpo,
    with the same config file,
    some hardening features in bpo are problematic and not worth your time.

    (For example, SystemCallFilter= landed before SystemCallFilter=@foo.
    If you tried to use SystemCallFilter=@foo on the older system,
    it'd get confused and block ALL syscalls.)


Here's my most recent notes (from June 2023) about then-Debian 11 servers at 
work.
They're in production and working OK.
HOWEVER, they include quite a bit of "I know *I* don't need X, therefore I am 
OK with hardening X away."
For example, I know PHP and MariaDB run on the same host, so I can disable 
AF_INET entirely and use AF_UNIX.

    bash5$ for i in light heavy obese delta; do ssh $i systemd-analyze security 
|
           sed s/^/$i\\t/; done | sort -k3,3nr -k2,2 | column -t

    HOST   UNIT                                            EXPOSURE  PREDICATE  
HAPPY  NOTES
    delta  collectd.service                                9.6       UNSAFE     
😨     TODO
    heavy  collectd.service                                9.6       UNSAFE     
😨     TODO
    light  collectd.service                                9.6       UNSAFE     
😨     TODO
    obese  collectd.service                                9.6       UNSAFE     
😨     TODO
    delta  dbus.service                                    9.6       UNSAFE     
😨     IMPOSSIBLE
    heavy  dbus.service                                    9.6       UNSAFE     
😨     IMPOSSIBLE
    light  dbus.service                                    9.6       UNSAFE     
😨     IMPOSSIBLE
    obese  dbus.service                                    9.6       UNSAFE     
😨     IMPOSSIBLE
    heavy  dkimpy-milter.service                           9.6       UNSAFE     
😨     TODO!
    delta  getty@tty1.service                              9.6       UNSAFE     
😨     IMPOSSIBLE
    heavy  getty@tty1.service                              9.6       UNSAFE     
😨     IMPOSSIBLE
    light  getty@tty1.service                              9.6       UNSAFE     
😨     IMPOSSIBLE
    obese  getty@tty1.service                              9.6       UNSAFE     
😨     IMPOSSIBLE
    delta  libvirtd.service                                9.6       UNSAFE     
😨     TODO
    heavy  libvirtd.service                                9.6       UNSAFE     
😨     TODO -- REMOVE THIS?  Alloc never ended up using this.
    light  nut-driver.service                              9.6       UNSAFE     
😨     TODO
    delta  nut-monitor.service                             9.6       UNSAFE     
😨     TODO
    heavy  nut-monitor.service                             9.6       UNSAFE     
😨     TODO
    light  nut-monitor.service                             9.6       UNSAFE     
😨     TODO
    light  nut-server.service                              9.6       UNSAFE     
😨     TODO
    delta  polkit.service                                  9.6       UNSAFE     
😨     IMPOSSIBLE
    heavy  polkit.service                                  9.6       UNSAFE     
😨     IMPOSSIBLE
    light  polkit.service                                  9.6       UNSAFE     
😨     IMPOSSIBLE
    obese  polkit.service                                  9.6       UNSAFE     
😨     IMPOSSIBLE
    delta  rc-local.service                                9.6       UNSAFE     
😨     IMPOSSIBLE
    heavy  rc-local.service                                9.6       UNSAFE     
😨     IMPOSSIBLE
    light  rc-local.service                                9.6       UNSAFE     
😨     IMPOSSIBLE
    obese  rc-local.service                                9.6       UNSAFE     
😨     IMPOSSIBLE
    delta  rsyslog.service                                 9.6       UNSAFE     
😨     TODO
    heavy  rsyslog.service                                 9.6       UNSAFE     
😨     TODO
    light  rsyslog.service                                 9.6       UNSAFE     
😨     TODO
    obese  rsyslog.service                                 9.6       UNSAFE     
😨     TODO
    delta  smartmontools.service                           9.6       UNSAFE     
😨     IMPOSSIBLE?  (on-error hook could be arbitrary, but MOSTLY just emails)
    heavy  smartmontools.service                           9.6       UNSAFE     
😨     IMPOSSIBLE?  (on-error hook could be arbitrary, but MOSTLY just emails)
    light  smartmontools.service                           9.6       UNSAFE     
😨     IMPOSSIBLE?  (on-error hook could be arbitrary, but MOSTLY just emails)
    obese  smartmontools.service                           9.6       UNSAFE     
😨     IMPOSSIBLE?  (on-error hook could be arbitrary, but MOSTLY just emails)
    delta  ssh.service                                     9.6       UNSAFE     
😨     IMPOSSIBLE
    heavy  ssh.service                                     9.6       UNSAFE     
😨     IMPOSSIBLE
    light  ssh.service                                     9.6       UNSAFE     
😨     IMPOSSIBLE
    obese  ssh.service                                     9.6       UNSAFE     
😨     IMPOSSIBLE
    delta  sshguard.service                                9.6       UNSAFE     
😨     TODO
    heavy  sshguard.service                                9.6       UNSAFE     
😨     TODO
    light  sshguard.service                                9.6       UNSAFE     
😨     TODO
    obese  sshguard.service                                9.6       UNSAFE     
😨     TODO
    delta  udisks2.service                                 9.6       UNSAFE     
😨     IMPOSSIBLE
    heavy  udisks2.service                                 9.6       UNSAFE     
😨     IMPOSSIBLE
    light  udisks2.service                                 9.6       UNSAFE     
😨     IMPOSSIBLE
    obese  udisks2.service                                 9.6       UNSAFE     
😨     IMPOSSIBLE
    delta  unattended-upgrades.service                     9.6       UNSAFE     
😨     IMPOSSIBLE
    heavy  unattended-upgrades.service                     9.6       UNSAFE     
😨     IMPOSSIBLE
    light  unattended-upgrades.service                     9.6       UNSAFE     
😨     IMPOSSIBLE
    obese  unattended-upgrades.service                     9.6       UNSAFE     
😨     IMPOSSIBLE
    delta  virtlockd.service                               9.6       UNSAFE     
😨     TODO
    heavy  virtlockd.service                               9.6       UNSAFE     
😨     TODO -- REMOVE THIS? -- alloc never ended up using this.
    delta  virtlogd.service                                9.6       UNSAFE     
😨     TODO
    heavy  virtlogd.service                                9.6       UNSAFE     
😨     TODO -- REMOVE THIS? -- alloc never ended up using this.
    heavy  zfs-zed.service                                 9.6       UNSAFE     
😨     IMPOSSIBLE? (same as smartmontools)
    light  zfs-zed.service                                 9.6       UNSAFE     
😨     IMPOSSIBLE? (same as smartmontools)
    obese  zfs-zed.service                                 9.6       UNSAFE     
😨     IMPOSSIBLE? (same as smartmontools)
    delta  dm-event.service                                9.5       UNSAFE     
😨     IMPOSSIBLE? (same as smartmontools)
    delta  emergency.service                               9.5       UNSAFE     
😨     IMPOSSIBLE
    heavy  emergency.service                               9.5       UNSAFE     
😨     IMPOSSIBLE
    light  emergency.service                               9.5       UNSAFE     
😨     IMPOSSIBLE
    obese  emergency.service                               9.5       UNSAFE     
😨     IMPOSSIBLE
    delta  lvm2-lvmpolld.service                           9.5       UNSAFE     
😨     TODO? (will be replaced by ZFS eventually)
    delta  mdmonitor.service                               9.5       UNSAFE     
😨     TODO? (will be replaced by ZFS eventually)
    delta  rescue.service                                  9.5       UNSAFE     
😨     IMPOSSIBLE
    heavy  rescue.service                                  9.5       UNSAFE     
😨     IMPOSSIBLE
    light  rescue.service                                  9.5       UNSAFE     
😨     IMPOSSIBLE
    obese  rescue.service                                  9.5       UNSAFE     
😨     IMPOSSIBLE
    delta  systemd-fsckd.service                           9.5       UNSAFE     
😨     IMPOSSIBLE
    heavy  systemd-fsckd.service                           9.5       UNSAFE     
😨     IMPOSSIBLE
    light  systemd-fsckd.service                           9.5       UNSAFE     
😨     IMPOSSIBLE
    obese  systemd-fsckd.service                           9.5       UNSAFE     
😨     IMPOSSIBLE
    delta  systemd-ask-password-console.service            9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  systemd-ask-password-console.service            9.4       UNSAFE     
😨     IMPOSSIBLE
    light  systemd-ask-password-console.service            9.4       UNSAFE     
😨     IMPOSSIBLE
    obese  systemd-ask-password-onsole.service             9.4       UNSAFE     
😨     IMPOSSIBLE
    delta  systemd-ask-password-wall.service               9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  systemd-ask-password-wall.service               9.4       UNSAFE     
😨     IMPOSSIBLE
    light  systemd-ask-password-wall.service               9.4       UNSAFE     
😨     IMPOSSIBLE
    obese  systemd-ask-password-wall.service               9.4       UNSAFE     
😨     IMPOSSIBLE
    delta  systemd-initctl.service                         9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  systemd-initctl.service                         9.4       UNSAFE     
😨     IMPOSSIBLE
    light  systemd-initctl.service                         9.4       UNSAFE     
😨     IMPOSSIBLE
    obese  systemd-initctl.service                         9.4       UNSAFE     
😨     IMPOSSIBLE
    delta  user@1000.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    light  user@1000.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    obese  user@1000.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  user@1024.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  user@1026.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  user@1029.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  user@1030.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  user@1031.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  user@1035.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  user@1036.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  user@1037.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  user@1042.service                               9.4       UNSAFE     
😨     IMPOSSIBLE
    heavy  postfix@-.service                               9.2       UNSAFE     
😨     TODO (probably hard, but worth it as directly exposed to internet)
    delta  rsync.service                                   8.5       EXPOSED    
🙁     TODO (not active?)
    heavy  rsync.service                                   8.5       EXPOSED    
🙁     TODO (not active?)
    light  rsync.service                                   8.5       EXPOSED    
🙁     TODO (not active?)
    obese  rsync.service                                   8.5       EXPOSED    
🙁     TODO (not active?)
    heavy  dovecot.service                                 8.3       EXPOSED    
🙁     TODO (probably hard)
    delta  systemd-udevd.service                           8.0       EXPOSED    
🙁     IMPOSSIBLE
    heavy  systemd-udevd.service                           8.0       EXPOSED    
🙁     IMPOSSIBLE
    light  systemd-udevd.service                           8.0       EXPOSED    
🙁     IMPOSSIBLE
    obese  systemd-udevd.service                           8.0       EXPOSED    
🙁     IMPOSSIBLE
    light  arpwatch@dmz.service                            7.5       EXPOSED    
🙁     TODO
    light  arpwatch@lan.service                            7.5       EXPOSED    
🙁     TODO
    heavy  mariadb.service                                 6.5       MEDIUM     
😐     TODO?  (upstream default is "maybe good enough")
    delta  systemd-machined.service                        6.2       MEDIUM     
😐     DONE -- upstream default is good enough.
    heavy  systemd-machined.service                        6.2       MEDIUM     
😐     TODO -- REMOVE THIS? -- alloc never ended up using this.
    delta  msmtpd.service                                  5.8       MEDIUM     
😐     TODO?  (upstream default is "maybe good enough")
    light  nsd.service                                     4.8       OK         
🙂     TODO?  (upstream default is "maybe good enough")
    delta  systemd-journald.service                        4.3       OK         
🙂
    heavy  systemd-journald.service                        4.3       OK         
🙂
    light  systemd-journald.service                        4.3       OK         
🙂
    obese  systemd-journald.service                        4.3       OK         
🙂
    heavy  cyber-apt-ftparchive-generate@PrisonPC.service  3.2       OK         
🙂     TODO
    heavy  cyber-apt-ftparchive-generate@cyber.service     3.2       OK         
🙂     TODO
    heavy  nginx.service                                   3.2       OK         
🙂
    light  nginx.service                                   3.2       OK         
🙂
    delta  systemd-networkd.service                        2.9       OK         
🙂
    heavy  systemd-networkd.service                        2.9       OK         
🙂
    light  systemd-networkd.service                        2.9       OK         
🙂
    obese  systemd-networkd.service                        2.9       OK         
🙂
    delta  systemd-logind.service                          2.6       OK         
🙂
    heavy  systemd-logind.service                          2.6       OK         
🙂
    light  systemd-logind.service                          2.6       OK         
🙂
    obese  systemd-logind.service                          2.6       OK         
🙂
    light  dnsmasq.service                                 2.5       OK         
🙂
    heavy  cyber-zfs-backup.service                        2.2       OK         
🙂
    light  cyber-zfs-backup.service                        2.2       OK         
🙂
    obese  cyber-zfs-backup.service                        2.2       OK         
🙂
    delta  systemd-resolved.service                        2.1       OK         
🙂
    heavy  systemd-resolved.service                        2.1       OK         
🙂
    light  systemd-resolved.service                        2.1       OK         
🙂
    obese  systemd-resolved.service                        2.1       OK         
🙂
    delta  systemd-timesyncd.service                       2.1       OK         
🙂
    heavy  systemd-timesyncd.service                       2.1       OK         
🙂
    light  systemd-timesyncd.service                       2.1       OK         
🙂
    obese  systemd-timesyncd.service                       2.1       OK         
🙂
    heavy  alloc.service                                   1.4       OK         
🙂     <-- This is a PHP5 web app talking to nginx & mariadb via AF_UNIX
    heavy  cyber-irc-bot.service                           1.4       OK         
🙂     <-- This is limnoria (supybot)
    heavy  cyber-mariadb-zfs-snapshot.service              1.3       OK         
🙂
    heavy  ircd-irc2.service                               1.3       OK         
🙂
    heavy  monit.service                                   1.3       OK         
🙂
    heavy  alloc-imap-biff.service                         1.2       OK         
🙂
    heavy  pyspf-milter.service                            1.2       OK         
🙂
    light  upslog@upset.service                            1.2       OK         
🙂
    heavy  apt-cacher-ng.service                           1.1       OK         
🙂
    heavy  motion.service                                  1.1       OK         
🙂
    heavy  opendkim.service                                1.1       OK         
🙂     TODO -- REMOVE THIS -- replaced by dkimpy-milter
    heavy  gitit.service                                   1.0       OK         
🙂
    heavy  klaus.service                                   0.4       SAFE       
😀
    heavy  collection4.service                             0.2       SAFE       
😀     <-- This is a fastCGI web app talking to nginx via AF_UNIX

Looking at the same systems now they're Debian 12, I see that:

    * fwupd's Recommends caused modemmanager to be installed, ugh.

    * systemd

      * logind 2.6 -> 2.8 [WORSE]
      * networkd 2.9 -> 2.6
      * rfkill added
      * udevd 8.0 -> 7.1

    * motion 1.1 -> 1.2 [WORSE, but this is with my hardening]

    * nothing else changed, e.g. rsync.service has exactly the same score as 
before.

Reply via email to