Enhancing Service Security with Systemd

This page summarizes the projects mentioned and recommended in the original post on dev.to

InfluxDB - Power Real-Time Data Analytics at Scale
Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
www.influxdata.com
featured
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured

  • systemd-services

    • # /etc/systemd/system/nginx.service # Rootless Nginx service based on https://github.com/stephan13360/systemd-services/blob/master/nginx/nginx.service [Unit] # This is from the default nginx.service Description=nginx (hardened rootless) Documentation=https://nginx.org/en/docs/ Documentation=https://github.com/stephan13360/systemd-services/blob/master/nginx/README.md After=network-online.target remote-fs.target nss-lookup.target Wants=network-online.target [Service] # forking is not necessary as `daemon` is turned off in the nginx config Type=exec User=nginx Group=nginx ## can be used e.g. for accessing directory containing SSL certs #SupplementaryGroups=acme # define runtime directory /run/nginx as rootless services can't access /run RuntimeDirectory=nginx # write logs to /var/log/nginx LogsDirectory=nginx # write cache to /var/cache/nginx CacheDirectory=nginx # configuration is in /etc/nginx ConfigurationDirectory=nginx ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf # PID is not necessary here as the service is not forking ExecReload=/usr/sbin/nginx -s reload Restart=on-failure RestartSec=10s # Hardening # hide the entire filesystem tree from the service and also make it read only, requires systemd >=238 TemporaryFileSystem=/:ro # Remount (bind) necessary paths, based on https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/base, # https://github.com/jelly/apparmor-profiles/blob/master/usr.bin.nginx, # https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RootDirectory= # # This gives access to (probably) necessary system files, allows journald logging BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d/ /etc/bindresvport.blacklist /usr/share/zoneinfo/ /usr/share/locale/ /etc/localtime /usr/share/common-licenses/ /etc/ssl/certs/ /etc/resolv.conf BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout /run/systemd/notify # Additional access to service-specific directories BindReadOnlyPaths=/usr/sbin/nginx BindReadOnlyPaths=/run/ /usr/share/nginx/ PrivateTmp=true PrivateDevices=true ProtectControlGroups=true ProtectKernelModules=true ProtectKernelTunables=true # Network access RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # Miscellaneous SystemCallArchitectures=native # also implicit because settings like MemoryDenyWriteExecute are set NoNewPrivileges=true MemoryDenyWriteExecute=true ProtectKernelLogs=true LockPersonality=true ProtectHostname=true RemoveIPC=true RestrictSUIDSGID=true ProtectClock=true # Capabilities to bind low ports (80, 443) AmbientCapabilities=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target

  • apparmor

    • # /etc/systemd/system/nginx.service # Rootless Nginx service based on https://github.com/stephan13360/systemd-services/blob/master/nginx/nginx.service [Unit] # This is from the default nginx.service Description=nginx (hardened rootless) Documentation=https://nginx.org/en/docs/ Documentation=https://github.com/stephan13360/systemd-services/blob/master/nginx/README.md After=network-online.target remote-fs.target nss-lookup.target Wants=network-online.target [Service] # forking is not necessary as `daemon` is turned off in the nginx config Type=exec User=nginx Group=nginx ## can be used e.g. for accessing directory containing SSL certs #SupplementaryGroups=acme # define runtime directory /run/nginx as rootless services can't access /run RuntimeDirectory=nginx # write logs to /var/log/nginx LogsDirectory=nginx # write cache to /var/cache/nginx CacheDirectory=nginx # configuration is in /etc/nginx ConfigurationDirectory=nginx ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf # PID is not necessary here as the service is not forking ExecReload=/usr/sbin/nginx -s reload Restart=on-failure RestartSec=10s # Hardening # hide the entire filesystem tree from the service and also make it read only, requires systemd >=238 TemporaryFileSystem=/:ro # Remount (bind) necessary paths, based on https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/base, # https://github.com/jelly/apparmor-profiles/blob/master/usr.bin.nginx, # https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RootDirectory= # # This gives access to (probably) necessary system files, allows journald logging BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d/ /etc/bindresvport.blacklist /usr/share/zoneinfo/ /usr/share/locale/ /etc/localtime /usr/share/common-licenses/ /etc/ssl/certs/ /etc/resolv.conf BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout /run/systemd/notify # Additional access to service-specific directories BindReadOnlyPaths=/usr/sbin/nginx BindReadOnlyPaths=/run/ /usr/share/nginx/ PrivateTmp=true PrivateDevices=true ProtectControlGroups=true ProtectKernelModules=true ProtectKernelTunables=true # Network access RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # Miscellaneous SystemCallArchitectures=native # also implicit because settings like MemoryDenyWriteExecute are set NoNewPrivileges=true MemoryDenyWriteExecute=true ProtectKernelLogs=true LockPersonality=true ProtectHostname=true RemoveIPC=true RestrictSUIDSGID=true ProtectClock=true # Capabilities to bind low ports (80, 443) AmbientCapabilities=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo

  • apparmor-profiles

    AppArmor Profiles for Arch Linux (by jelly)

    • # /etc/systemd/system/nginx.service # Rootless Nginx service based on https://github.com/stephan13360/systemd-services/blob/master/nginx/nginx.service [Unit] # This is from the default nginx.service Description=nginx (hardened rootless) Documentation=https://nginx.org/en/docs/ Documentation=https://github.com/stephan13360/systemd-services/blob/master/nginx/README.md After=network-online.target remote-fs.target nss-lookup.target Wants=network-online.target [Service] # forking is not necessary as `daemon` is turned off in the nginx config Type=exec User=nginx Group=nginx ## can be used e.g. for accessing directory containing SSL certs #SupplementaryGroups=acme # define runtime directory /run/nginx as rootless services can't access /run RuntimeDirectory=nginx # write logs to /var/log/nginx LogsDirectory=nginx # write cache to /var/cache/nginx CacheDirectory=nginx # configuration is in /etc/nginx ConfigurationDirectory=nginx ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf # PID is not necessary here as the service is not forking ExecReload=/usr/sbin/nginx -s reload Restart=on-failure RestartSec=10s # Hardening # hide the entire filesystem tree from the service and also make it read only, requires systemd >=238 TemporaryFileSystem=/:ro # Remount (bind) necessary paths, based on https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/base, # https://github.com/jelly/apparmor-profiles/blob/master/usr.bin.nginx, # https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RootDirectory= # # This gives access to (probably) necessary system files, allows journald logging BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d/ /etc/bindresvport.blacklist /usr/share/zoneinfo/ /usr/share/locale/ /etc/localtime /usr/share/common-licenses/ /etc/ssl/certs/ /etc/resolv.conf BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout /run/systemd/notify # Additional access to service-specific directories BindReadOnlyPaths=/usr/sbin/nginx BindReadOnlyPaths=/run/ /usr/share/nginx/ PrivateTmp=true PrivateDevices=true ProtectControlGroups=true ProtectKernelModules=true ProtectKernelTunables=true # Network access RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # Miscellaneous SystemCallArchitectures=native # also implicit because settings like MemoryDenyWriteExecute are set NoNewPrivileges=true MemoryDenyWriteExecute=true ProtectKernelLogs=true LockPersonality=true ProtectHostname=true RemoveIPC=true RestrictSUIDSGID=true ProtectClock=true # Capabilities to bind low ports (80, 443) AmbientCapabilities=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project