Hi everyone,
I'd like to make use of some of the systemd hardening features [0] in the Debian rsyslog package. I eventually want those changes to go upstream though, so I'm asking for feedback here.

This is what I currently have in mind:

    [Service]
    ProtectSystem=full
    ProtectHome=yes
    PrivateTmp=yes
    CapabilityBoundingSet=CAP_SYSLOG CAP_NET_BIND_SERVICE

What potentially could cause problems is the limitation of the capabilities via CapabilityBoundingSet [1]. Does anyone know what capabilities [2] rsyslog needs beyond CAP_SYSLOG and CAP_NET_BIND_SERVICE if you want to make use of all its features?

Are other distros interested in shipping such a more restrictive configuration?

Regards,
Michael

[0] http://0pointer.de/blog/projects/security.html
[1] http://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=
[2] http://man7.org/linux/man-pages/man7/capabilities.7.html

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
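One way to check that a running daemon really ends up with the bounding set from the unit above, as an added example that is not part of the original post: it decodes the Cap* lines of /proc/<pid>/status and compares them with the two capabilities listed there. The function names and the sample status text are constructed for illustration, and the script does not determine which capabilities rsyslog needs.

```python
import re
import sys

# Capability names by bit number, as defined in linux/capability.h (bits 0-40).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# The bounding set proposed in the unit file above.
ALLOWED = {"CAP_SYSLOG", "CAP_NET_BIND_SERVICE"}

def decode_mask(hex_mask):
    """Turn a hex capability mask from /proc into a set of CAP_* names."""
    mask = int(hex_mask, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            known = bit < len(CAP_NAMES)
            names.add("CAP_" + CAP_NAMES[bit] if known else "CAP_%d" % bit)
    return names

def parse_status(text):
    """Extract the five Cap* sets from the text of /proc/<pid>/status."""
    pat = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)
    return {name: decode_mask(mask) for name, mask in pat.findall(text)}

def audit(text, allowed=ALLOWED):
    """Compare a process's capability sets against the intended bounding set."""
    caps = parse_status(text)
    return {
        "excess_bounding": sorted(caps["CapBnd"] - allowed),
        "excess_effective": sorted(caps["CapEff"] - allowed),
        "missing_bounding": sorted(allowed - caps["CapBnd"]),
    }

# Constructed samples: a daemon under the proposed unit, and an unconfined root daemon.
HARDENED = "Name:\trsyslogd\nCapInh:\t0000000000000000\nCapPrm:\t0000000400000400\n" \
           "CapEff:\t0000000400000400\nCapBnd:\t0000000400000400\nCapAmb:\t0000000000000000\n"
UNCONFINED = HARDENED.replace("0000000400000400", "000001ffffffffff")

if __name__ == "__main__":
    # With a PID argument, audit that live process; otherwise use the samples.
    if len(sys.argv) > 1:
        print(audit(open("/proc/%s/status" % sys.argv[1]).read()))
    else:
        print(audit(HARDENED), audit(UNCONFINED), sep="\n")
```

Run with the daemon's PID as the only argument after restarting the service; an empty `excess_bounding` list means the restriction took effect.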

