Jarl Gullberg <[email protected]> writes:

> The short summary is that we're looking at improving the usage of
> systemd's hardening options for services, sockets, timers, and the
> like within the Debian ecosystem. Right now, usage levels are pretty
> varied and there aren't any hardening guidelines in place for Debian
> packages as it relates to systemd service hardening.

Plenty of (critical) services in Debian have quite comprehensive systemd
hardening already, but I would love to see more services utilize them.
One example of a package that surprisingly does not have any systemd
hardening options – even very basic ones like PrivateTmp – is bind9
(see bug 863841). It is after all a well-known service implemented in C
and typically internet facing!

> 1. Is there any prior work on similar efforts? If it's been attempted
> in the past, or if there's something already out there, I'd love to
> learn from it and get involved.

Somehow I've assumed Fedora would have this already sorted out, but turns
out at least this change proposal was dropped:
https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
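To make the bind9 case concrete, here is an added example of the kind of hardening the message is asking for, written as a systemd drop-in for the installed unit (not something from the thread, the Debian package, or the bind9 project). It assumes the unit is called named.service, that named is started as root and switches to the bind user itself (so it still needs CAP_SETUID/CAP_SETGID), and that its writable state lives under /var/cache/bind, /var/lib/bind and /run/named; the capability list and paths are assumptions to be checked against the real unit and the journal, not a verified minimal set.

```ini
# Added example: /etc/systemd/system/named.service.d/hardening.conf
# Unit name, paths and capabilities below are assumptions for illustration.
[Service]
# The "very basic" option mentioned in the thread: a private /tmp and /var/tmp
PrivateTmp=yes

# Mount /usr, /boot, /etc (and the rest of the hierarchy) read-only and
# explicitly list the few directories the daemon must be able to write to
ProtectSystem=strict
ReadWritePaths=/var/cache/bind /var/lib/bind /run/named
ProtectHome=yes

# Keep only the capabilities a DNS server binding port 53 and dropping to
# an unprivileged user plausibly needs (assumed set, verify on a real host)
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
NoNewPrivileges=yes

# Kernel and namespace surface reduction
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
RestrictRealtime=yes
MemoryDenyWriteExecute=yes

# Only the socket families a resolver/authoritative server uses
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Syscall filtering: native ABI only, plus the generic service allow-list
SystemCallArchitectures=native
SystemCallFilter=@system-service
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security named.service` shows which directives took effect and what exposure score remains, and `journalctl -u named.service` is where a too-tight CapabilityBoundingSet or a missing ReadWritePaths entry shows up as permission errors on startup. For packaging, the same directives belong in the unit file the package ships rather than in a local drop-in; the drop-in is only the convenient way to try them out first.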

