Re: Enable systemd hardening options for named

2018-01-15 Thread Ludovic Gasc
First, thank you a lot everybody, I didn't think to have several detailed e-mails like that. I now need to merge all of your ideas and propose a new version of the config file. However, I answer first to Tony, because I have a remark below: 2018-01-15 19:15 GMT+01:00 Tony Finch

Re: Enable systemd hardening options for named

2018-01-15 Thread Robert Edmonds
Tony Finch wrote:
> Ludovic Gasc wrote:
> >
> > 1. The list of minimal capabilities needed for bind to run correctly:
> > http://man7.org/linux/man-pages/man7/capabilities.7.html
>
> named already drops capabilities - have a look at the code around here:
>

Re: Enable systemd hardening options for named

2018-01-15 Thread Tony Finch
Ludovic Gasc wrote:
>
> 1. The list of minimal capabilities needed for bind to run correctly:
> http://man7.org/linux/man-pages/man7/capabilities.7.html

named already drops capabilities - have a look at the code around here:

Re: Enable systemd hardening options for named

2018-01-15 Thread Reindl Harald
On 15.01.2018 at 18:58, Ludovic Gasc wrote: Hi, (Not sure it's the right mailing list to discuss this, tell me if it's another one) For your information, systemd offers several options to increase the security of each daemon based on cgroups, like Docker or rkt. For example:

Enable systemd hardening options for named

2018-01-15 Thread Ludovic Gasc
Hi, (Not sure it's the right mailing list to discuss this, tell me if it's another one) For your information, systemd offers several options to increase the security of each daemon based on cgroups, like Docker or rkt. For example: