See the links for ProtectHome and ProtectSystem
On Tue, 10 Oct 2023 at 20:35, David Lang <[email protected]> wrote:
>
> what directories will rsyslog be able to access (both read and write) with
> this
> config?
>
> David Lang
>
> On Tue, 10 Oct 2023, Michael Biebl via rsyslog wrote:
>
> > Date: Tue, 10 Oct 2023 20:20:14 +0200
> > From: Michael Biebl via rsyslog <[email protected]>
> > To: rsyslog-users <[email protected]>
> > Cc: Michael Biebl <[email protected]>
> > Subject: [rsyslog] [RFC] locking down rsyslog.service on Debian
> >
> > Hi,
> >
> > Debian maintainer of rsyslog speaking.
> >
> > I intend to lock down rsyslog.service in Debian in one of the next
> > uploads using the following systemd directives
> >
> > PrivateTmp=yes
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=
> >
> > PrivateDevices=yes
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=
> >
> > ProtectHome=yes
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=
> >
> > ProtectSystem=full
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=
> >
> > ProtectKernelTunables=yes
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=
> >
> > ProtectKernelModules=yes
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=
> >
> > ProtectClock=yes
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=
> >
> > SystemCallFilter=@system-service
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=
> >
> > CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE
> > CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE
> > CAP_SYSLOG
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=
> >
> > The full rsyslog.service looks like this, in case you want to test it:
> > ```
> > [Unit]
> > Description=System Logging Service
> > Requires=syslog.socket
> > Documentation=man:rsyslogd(8)
> > Documentation=man:rsyslog.conf(5)
> > Documentation=https://www.rsyslog.com/doc/
> >
> > [Service]
> > Type=notify
> > ExecStart=/usr/sbin/rsyslogd -n -iNONE
> > StandardOutput=null
> > Restart=on-failure
> >
> > # Increase the default a bit in order to allow many simultaneous
> > # files to be monitored, we might need a lot of fds.
> > LimitNOFILE=16384
> >
> > PrivateTmp=yes
> > PrivateDevices=yes
> > ProtectHome=yes
> > ProtectSystem=full
> > ProtectKernelTunables=yes
> > ProtectKernelModules=yes
> > ProtectClock=yes
> > SystemCallFilter=@system-service
> > CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE
> > CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE
> > CAP_SYSLOG
> >
> > [Install]
> > WantedBy=multi-user.target
> > Alias=syslog.service
> > ```
> >
> > While the attempt is to secure the default configuration of rsyslog, I
> > do not want to restrict it so much that it becomes unusable.
> > If you think that one of those directives could cause issues with
> > commonly used setups, please let me know, so I can adjust the
> > configuration.
> >
> > Looking forward to your feedback.
> >
> > Michael
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> > LIKE THAT.
> >
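David's question is which directories the service can still reach. As an added example that is not from the thread, here is a small Python model of the ProtectHome=, ProtectSystem= and ReadWritePaths= semantics documented in systemd.exec(5): it parses a [Service] section and reports whether a path is hidden, read-only or still writable. The unit fragment is constructed from the directives above, and treating ReadWritePaths= as overriding only ProtectSystem= (not ProtectHome=yes) is a simplifying assumption of this model.

```python
# Model of ProtectHome=, ProtectSystem= and ReadWritePaths= as documented in systemd.exec(5).
# PrivateTmp=, capabilities and the syscall filter are out of scope; DAC permissions still apply.
from typing import Dict, List

# ProtectSystem=yes: /usr, /boot, /efi read-only; full: also /etc; strict: all but /dev, /proc, /sys
RO_BY_PROTECT_SYSTEM = {"yes": ["/usr", "/boot", "/efi"], "true": ["/usr", "/boot", "/efi"],
                        "full": ["/usr", "/boot", "/efi", "/etc"], "strict": ["/"]}
STRICT_EXEMPT = ["/dev", "/proc", "/sys"]
# ProtectHome=yes: /home, /root, /run/user inaccessible; read-only: read-only; tmpfs: empty tmpfs
HOME_DIRS = ["/home", "/root", "/run/user"]

CONSTRUCTED_UNIT = """\
[Service]
ProtectHome=yes
ProtectSystem=full
"""  # constructed sample carrying the two directives the question is about

def parse_service_section(unit_text: str) -> Dict[str, List[str]]:
    """Collect key=value pairs from [Service]; repeated keys accumulate (ReadWritePaths= may repeat)."""
    opts: Dict[str, List[str]] = {}
    section = None
    for line in (l.strip() for l in unit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and not line.startswith(("#", ";")):
            key, _, value = line.partition("=")
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def access_for(opts: Dict[str, List[str]], path: str) -> str:
    """Return 'none', 'ro' or 'rw' for an absolute path under the modelled directives."""
    home = opts.get("ProtectHome", ["no"])[-1]      # last assignment wins, as in systemd
    system = opts.get("ProtectSystem", ["no"])[-1]
    rw_paths = [p.lstrip("-+") for v in opts.get("ReadWritePaths", []) for p in v.split()]
    if any(_under(path, d) for d in HOME_DIRS):
        if home in ("yes", "true"):
            return "none"   # hidden entirely; this model does not let ReadWritePaths= re-open it
        if home == "read-only":
            return "ro"
    ro_roots = RO_BY_PROTECT_SYSTEM.get(system, [])  # ReadWritePaths= punches holes into these
    if any(_under(path, d) for d in ro_roots) and not any(_under(path, e) for e in STRICT_EXEMPT):
        return "rw" if any(_under(path, p) for p in rw_paths) else "ro"
    return "rw"

def report(unit_text: str, paths: List[str]) -> Dict[str, str]:
    opts = parse_service_section(unit_text)
    return {p: access_for(opts, p) for p in paths}
```

For the constructed unit, report() yields 'ro' for /etc/rsyslog.conf and /usr/sbin/rsyslogd, 'rw' for /var/log/syslog, and 'none' for anything under /home, /root or /run/user.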

