https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
Improve security by enabling some of the high level systemd security
hardening settings that isolate and sandbox default system services.

== Owner ==

* Name: [[User:Sundaram| Rahul Sundaram]]
* Email: methe...@gmail.com


== Detailed Description ==

systemd provides a number of settings that can harden security for
services. We are selecting a few high level ones to enable by default
on a service by service basis as suitable for that particular service.

* `PrivateTmp=yes`
* `ProtectSystem=yes/full/strict`
* `ProtectHome=yes/read-only`
* `ProtectClock=yes`
* `ProtectHostname=yes`
* `ProtectControlGroups=yes`
* `ProtectKernelLogs=yes`
* `ProtectKernelModules=yes`
* `ProtectKernelTunables=yes`
* `ProtectProc=invisible`
* `PrivateDevices=yes`
* `PrivateNetwork=yes`
* `NoNewPrivileges=yes`
* `User=`

If we want to go further, we could also consider:

* `CapabilityBoundingSet=`
* `DevicePolicy=closed`
* `KeyringMode=private`
* `LockPersonality=yes`
* `MemoryDenyWriteExecute=yes`
* `PrivateUsers=yes`
* `RemoveIPC=yes`
* `RestrictAddressFamilies=`
* `RestrictNamespaces=yes`
* `RestrictRealtime=yes`
* `RestrictSUIDSGID=yes`
* `SystemCallFilter=`
* `SystemCallArchitectures=native`


We will aim to cover all the default system services as well as some
of the high profile services such as Nginx or PostgreSQL. All of these
settings need to be configured on a per service basis instead of using
a global override, to facilitate fine tuning the settings based on
service requirements and to limit the impact on users during upgrades.
Certain services have a very targeted scope. For instance, a service
that only needs to read or write a single directory could leverage
more fine grained settings to restrict access even further. We will
enable as many of these as feasible for the services, but not every
knob is going to be applicable to every service. For example,
`PrivateNetwork=yes` can only be used for services that do not need
network connectivity by default. We have to choose between
`DynamicUser=yes` or `User=` if either is feasible for the service to
use. As a base starting point, from Fedora 39 Workstation, we have the
following system services installed by default, which should be
considered within the scope of the change (excluding systemd associated
ones, which already have a number of these security settings enabled).
We may also consider doing this for some of the high profile services,
including say Nginx and PostgreSQL, time permitting and depending on
other contributors, if any, joining this effort. We will prioritize
critical or long running services.

* `abrtd.service`
* `abrt-journal-core.service`
* `abrt-oops.service`
* `abrt-pstoreoops.service`
* `abrt-vmcore.service`
* `abrt-xorg.service`
* `accounts-daemon.service`
* `alsa-restore.service`
* `alsa-state.service`
* `anaconda-direct.service`
* `anaconda-fips.service`
* `anaconda-nm-config.service`
* `anaconda-nm-disable-autocons.service`
* `anaconda-noshell.service`
* `anaconda-pre.service`
* `anaconda.service`
* `anaconda-sshd.service`
* `arp-ethers.service`
* `auditd.service`
* `auth-rpcgss-module.service`
* `avahi-daemon.service`
* `blivet.service`
* `blk-availability.service`
* `bluetooth.service`
* `bolt.service`
* `brltty.service`
* `canberra-system-bootup.service`
* `canberra-system-shutdown-reboot.service`
* `canberra-system-shutdown.service`
* `chronyd-restricted.service`
* `chronyd.service`
* `chrony-wait.service`
* `colord.service`
* `console-getty.service`
* `cups-browsed.service`
* `cups.service`
* `dbus-broker.service`
* `dbus-daemon.service`
* `dbus-org.freedesktop.hostname1.service`
* `dbus-org.freedesktop.import1.service`
* `dbus-org.freedesktop.locale1.service`
* `dbus-org.freedesktop.login1.service`
* `dbus-org.freedesktop.machine1.service`
* `dbus-org.freedesktop.portable1.service`
* `dbus-org.freedesktop.timedate1.service`
* <strike>`debug-shell.service`</strike> (opens a user shell that must
be able to do arbitrary stuff)
* `dm-event.service`
* `dnf-makecache.service`
* `dnf-system-upgrade-cleanup.service`
* `dnf-system-upgrade.service`
* `dnsmasq.service`
* `dracut-cmdline.service`
* `dracut-initqueue.service`
* `dracut-mount.service`
* `dracut-pre-mount.service`
* `dracut-pre-pivot.service`
* `dracut-pre-trigger.service`
* `dracut-pre-udev.service`
* `dracut-shutdown-onfailure.service`
* `dracut-shutdown.service`
* <strike>`emergency.service`</strike> (opens a user shell that must
be able to do arbitrary stuff)
* `fedora-third-party-refresh.service`
* `firewalld.service`
* `flatpak-add-fedora-repos.service`
* `flatpak-system-helper.service`
* `fprintd.service`
* `fsidd.service`
* `fstrim.service`
* `fwupd-offline-update.service`
* `fwupd-refresh.service`
* `fwupd.service`
* `gdm.service`
* `geoclue.service`
* `grub-boot-indeterminate.service`
* `gssproxy.service`
* `htcacheclean.service`
* `httpd.service`
* `hypervfcopyd.service`
* `hypervkvpd.service`
* `hypervvssd.service`
* `iio-sensor-proxy.service`
* `import-state.service`
* `initrd-cleanup.service`
* `initrd-parse-etc.service`
* `initrd-switch-root.service`
* `initrd-udevadm-cleanup-db.service`
* `instperf.service`
* `ipp-usb.service`
* `iscsid.service`
* `iscsi-init.service`
* `iscsi-onboot.service`
* `iscsi.service`
* `iscsi-shutdown.service`
* `iscsi-starter.service`
* `iscsiuio.service`
* `kdump.service`
* `kmod-static-nodes.service`
* `ldconfig.service`
* `libvirtd.service`
* `libvirt-guests.service`
* `livesys-late.service`
* `livesys.service`
* `loadmodules.service`
* `logrotate.service`
* `low-memory-monitor.service`
* `lvm2-lvmdbusd.service`
* `lvm2-lvmpolld.service`
* `lvm2-monitor.service`
* `man-db-cache-update.service`
* `man-db-restart-cache-update.service`
* `mcelog.service`
* `mdcheck_continue.service`
* `mdcheck_start.service`
* `mdmonitor-oneshot.service`
* `mdmonitor.service`
* `ModemManager.service`
* `ndctl-monitor.service`
* `netavark-dhcp-proxy.service`
* `NetworkManager-dispatcher.service`
* `NetworkManager.service`
* `NetworkManager-wait-online.service`
* `nfs-blkmap.service`
* `nfsdcld.service`
* `nfs-idmapd.service`
* `nfs-mountd.service`
* `nfs-server.service`
* `nfs-utils.service`
* `nftables.service`
* `nis-domainname.service`
* `nm-priv-helper.service`
* `numad.service`
* `nvmefc-boot-connections.service`
* `nvmf-autoconnect.service`
* `ostree-boot-complete.service`
* `ostree-finalize-staged-hold.service`
* `ostree-finalize-staged.service`
* `ostree-prepare-root.service`
* `ostree-remount.service`
* `packagekit-offline-update.service`
* `packagekit.service`
* `pam_namespace.service`
* `pcscd.service`
* `plocate-updatedb.service`
* `plymouth-halt.service`
* `plymouth-kexec.service`
* `plymouth-poweroff.service`
* `plymouth-quit.service`
* `plymouth-quit-wait.service`
* `plymouth-read-write.service`
* `plymouth-reboot.service`
* `plymouth-start.service`
* `plymouth-switch-root-initramfs.service`
* `plymouth-switch-root.service`
* `podman-auto-update.service`
* `podman-clean-transient.service`
* `podman-restart.service`
* `podman.service`
* `polkit.service`
* `power-profiles-daemon.service`
* `psacct.service`
* `qemu-guest-agent.service`
* `qemu-pr-helper.service`
* `quotaon.service`
* `raid-check.service`
* <strike>`rc-local.service`</strike> (this can do arbitrary stuff)
* `realmd.service`
* `rescue.service`
* `rpcbind.service`
* `rpc-gssd.service`
* `rpc-statd-notify.service`
* `rpc-statd.service`
* `rpmdb-migrate.service`
* `rpmdb-rebuild.service`
* `rtkit-daemon.service`
* `saslauthd.service`
* `selinux-autorelabel-mark.service`
* `selinux-autorelabel.service`
* `selinux-check-proper-disable.service`
* `speech-dispatcherd.service`
* `spice-vdagentd.service`
* `spice-webdavd.service`
* `sshd.service`
* `ssh-host-keys-migration.service`
* `sssd-autofs.service`
* `sssd-kcm.service`
* `sssd-nss.service`
* `sssd-pac.service`
* `sssd-pam.service`
* `sssd.service`
* `sssd-ssh.service`
* `sssd-sudo.service`
* `switcheroo-control.service`
* `system-update-cleanup.service`
* `tcsd.service`
* `thermald.service`
* `udisks2.service`
* `unbound-anchor.service`
* `upower.service`
* `uresourced.service`
* `usbmuxd.service`
* `vboxclient.service`
* `vboxservice.service`
* `vgauthd.service`
* `virtinterfaced.service`
* `virtlockd.service`
* `virtlogd.service`
* `virtnetworkd.service`
* `virtnodedevd.service`
* `virtnwfilterd.service`
* `virtproxyd.service`
* `virtqemud.service`
* `virtsecretd.service`
* `virtstoraged.service`
* `vmtoolsd.service`
* `wpa_supplicant.service`
* `zfs-fuse-scrub.service`
* `zfs-fuse.service`
* `zvbid.service`

We will also coordinate with upstream following
https://docs.fedoraproject.org/en-US/packaging-guidelines/PatchUpstreamStatus/
and encourage package maintainers to upstream these changes. Older
systemd versions ignore any of these settings they do not understand,
so this should be safe for upstream to merge for any service.

== Feedback ==


== Benefit to Fedora ==

Fedora services will get a significant security boost by default by
avoiding or mitigating any unknown security vulnerabilities in default
system services.

== Scope ==
* Proposal owners: Individual per service pull requests to enable
various security features as applicable.
* Other developers: Review PRs as needed
* Release engineering: https://pagure.io/releng/issue/11785
* Policies and guidelines:
Packaging guidelines will have to be modified to add recommendations
to use more of the systemd security features by default. In
particular, we should add a security settings section in
https://fedoraproject.org/wiki/Packaging:Systemd. Currently the
guidance only recommends a couple of settings for long running
services. Sample text:

Systemd services included in Fedora are recommended to use as many of
the following security settings as applicable while maintaining the
default functionality of the service.

* `PrivateTmp=yes`
* `ProtectSystem=yes/full/strict`
* `ProtectHome=yes`
* `PrivateDevices=yes`
* `ProtectKernelTunables=yes`
* `ProtectKernelModules=yes`
* `ProtectKernelLogs=yes`
* `ProtectControlGroups=yes`
* `NoNewPrivileges=yes`
* `PrivateNetwork=yes`

The full list of sandboxing features is available in
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing.
Note that if you are submitting changes upstream as recommended,
systemd will warn about and ignore any of these features it doesn't
support. So it should be safe for upstream to enable as many of these
features as applicable without worrying about support for
distributions using older versions of systemd.

* Trademark approval: N/A

== Upgrade/compatibility impact ==
Packages will automatically and transparently get additional security
features enabled by default. In limited circumstances, users may need
to override the defaults. Refer to the User Experience section for
details.

== How To Test ==

You can use tools like `systemd-analyze security` and `systemctl cat`
to verify that specific security features are enabled by default.
Default services with the default features should see no adverse
impact, and users shouldn't have to do anything beyond using the
software as intended and reporting any regressions. High profile
services not installed by default that gain these security features
would benefit from more targeted testing to spot any unintended
consequences, especially for niche or advanced functionality. If
advanced non-default functionality requires overriding the default
settings, we can document those overrides in the release notes to
provide guidance.
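As an added example that is not part of this proposal or of systemd's own tooling, the following POSIX shell snippet turns the `systemctl show` check into a repeatable audit against the baseline settings listed in the Detailed Description; `BASELINE`, `hardening_gaps`, `audit_unit` and the sample output are all constructed here.

```shell
#!/bin/sh
# Added example (not part of the proposal or of systemd's tooling): audit a
# unit's effective sandboxing settings against the baseline of this Change.
# `systemctl show UNIT` prints one KEY=VALUE per line; hardening_gaps reads
# such lines on stdin. PrivateNetwork= and User= are left out: per service.
BASELINE="PrivateTmp:yes
ProtectSystem:yes|full|strict
ProtectHome:yes|read-only
ProtectClock:yes
ProtectHostname:yes
ProtectControlGroups:yes
ProtectKernelLogs:yes
ProtectKernelModules:yes
ProtectKernelTunables:yes
ProtectProc:invisible
PrivateDevices:yes
NoNewPrivileges:yes"
# Print each key that is absent (<unset>) or outside its accepted set; the
# return code is the number of such gaps.
hardening_gaps() {
    show_output=$(cat)
    gaps=0
    for entry in $BASELINE; do
        key=${entry%%:*}
        accepted=${entry#*:}
        value=$(printf '%s\n' "$show_output" | sed -n "s/^$key=//p")
        case "|$accepted|" in
            *"|$value|"*) ;;
            *) printf '%s=%s\n' "$key" "${value:-<unset>}"
               gaps=$((gaps + 1)) ;;
        esac
    done
    return "$gaps"
}
# Audit a live unit (needs systemd), e.g. `audit_unit httpd.service`.
audit_unit() { systemctl show "$1" | hardening_gaps; }
# Constructed sample `systemctl show` output: ProtectClock= is missing,
# two keys are "no" and ProtectProc= is still the default.
SAMPLE_SHOW='Id=example.service
PrivateTmp=yes
ProtectSystem=full
ProtectHome=no
ProtectHostname=yes
ProtectControlGroups=yes
ProtectKernelLogs=no
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=default
PrivateDevices=yes
NoNewPrivileges=yes'
```

`systemd-analyze security UNIT` gives a broader weighted exposure score; this audit only answers whether the specific settings proposed here are in effect for a unit.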

== User Experience ==
This should be a largely transparent change for users. The goal is to
have the services work as expected with the default functionality, but
tweaking the settings may be required if the configuration is changed
by users after installation. For instance, if we add `ProtectHome=yes`
to Apache's httpd.service and the user wishes to serve files out of
their home directory, they will need to override the systemd setting
to `ProtectHome=read-only` to allow the service to read from the
user's home directory, in addition to changing the service specific
configuration files to enable this feature.

== Dependencies ==
None.  We are merely enabling some of systemd security features by
default for default system services and potentially some high profile
services.

== Contingency Plan ==

* Contingency mechanism: These settings can be enabled/disabled at a
per service level. No wholesale revert is necessary. If we don't
finish the work for all the services, we can follow up in future
releases.
* Contingency deadline: N/A
* Blocks release? No


== Documentation ==
* https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing
* https://docs.arbitrary.ch/security/systemd.html
* https://www.redhat.com/sysadmin/systemd-secure-services
* https://www.redhat.com/sysadmin/mastering-systemd

== Release Notes ==

systemd security hardening features are enabled for default system
services and for the following high profile services.

* PostgreSQL
* Apache Httpd
* Nginx
* MariaDB
....

If you wish to turn off any particular setting, you can follow the
standard systemd method of overriding the config. For example:

```
$ cat /etc/systemd/system/httpd.service.d/override.conf
[Service]
ProtectHome=no
```

```
$ sudo systemctl daemon-reload
$ sudo systemctl restart httpd.service
```

```
$ systemctl status httpd.service
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/httpd.service.d
             └─override.conf
     Active: active (running) since Mon 2023-11-15 18:29:25 EST; 3min 30s ago
```




-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org