Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
2018-01-15 19:11 GMT+01:00 Reindl Harald :
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr

FYI, you can use ProtectSystem=strict to have more strict rules for the root filesystem: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=

Re: Enable systemd hardening options for named

2018-01-16 Thread Reindl Harald
On 16.01.2018 at 10:20, Ludovic Gasc wrote:
> 2018-01-15 19:11 GMT+01:00 Reindl Harald:
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>
> FYI, you can use ProtectSystem=strict to have more strict rules for the root filesystem: https://www.freedeskto

Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
2018-01-16 10:22 GMT+01:00 Reindl Harald :
> Am 16.01.2018 um 10:20 schrieb Ludovic Gasc:
>> 2018-01-15 19:11 GMT+01:00 Reindl Harald <h.rei...@thelounge.net>:
>>> ReadOnlyDirectories=/etc
>>> ReadOnlyDirectories=/usr
>>
>> FYI, you can use ProtectSystem=strict to have more

Re: Enable systemd hardening options for named

2018-01-16 Thread Tony Finch
Robert Edmonds wrote:
> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE during the process runtime permits open-ended reloading of the config at runtime (e.g., binding to a new IP address on port 53 without needing to restart the daemon).

BIND since 9.10 listens on

Re: Enable systemd hardening options for named

2018-01-16 Thread Reindl Harald
On 16.01.2018 at 11:46, Tony Finch wrote:
> Robert Edmonds wrote:
>> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE during the process runtime permits open-ended reloading of the config at runtime (e.g., binding to a new IP address on port 53 without needing to restart th

Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
2018-01-16 11:58 GMT+01:00 Reindl Harald :
> Am 16.01.2018 um 11:46 schrieb Tony Finch:
>> Robert Edmonds wrote:
>>> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE during the process runtime permits open-ended reloading of the config at runtime (e.g.,

Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
Hi,

I have merged the config files from Tony, Robert, and me. I have tried to be as generic as possible; the result is below. It seems to work here without regression, except for a warning:

managed-keys-zone: Unable to fetch DNSKEY set '.': operation canceled

But only at the first boot; I don't see the message a

Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
Hi,

I have forgotten to say that I have also removed the "-u bind" option in /etc/default/bind9, because it isn't necessary anymore: the named daemon is started as the bind user directly with this configuration.

I might have found 3 new interesting options: https://gist.github.com/ageis/f5595e59b1cddb1513d1b4

Re: Enable systemd hardening options for named

2018-01-16 Thread Daniel Stirnimann
Hello all,

Just wondering, if one is already using selinux in enforcing mode, does systemd hardening provide any additional benefit?

Daniel

On 16.01.18 12:21, Ludovic Gasc wrote:
> Hi,
>
> I have merged config files from Tony, Robert, and me.
> I have tried to be the most generic, the result be

Re: Enable systemd hardening options for named

2018-01-16 Thread Ludovic Gasc
2018-01-16 13:52 GMT+01:00 Daniel Stirnimann :
> Hello all,
>
> Just wondering, if one is already using selinux in enforcing mode, does systemd hardening provide any additional benefit?

Very good question, I'm not sure at all: To my understanding, it might be complementary, at least it's poss

Re: Enable systemd hardening options for named

2018-01-16 Thread Reindl Harald
On 16.01.2018 at 13:52, Daniel Stirnimann wrote:
> Hello all,
>
> Just wondering, if one is already using selinux in enforcing mode, does systemd hardening provide any additional benefit?

Surely - it's about layered security. What are you doing when SELinux makes trouble and you need it so set i