On 16.01.2018 at 13:52, Daniel Stirnimann wrote:
Hello all,
Just wondering, if one is already using selinux in enforcing mode, does
systemd hardening provide any additional benefit?
surely - it's about layered security
what do you do when SELinux makes trouble and you need to set it
2018-01-16 13:52 GMT+01:00 Daniel Stirnimann:
> Hello all,
>
> Just wondering, if one is already using selinux in enforcing mode, does
> systemd hardening provide any additional benefit?
>
Very good question, I'm not sure at all:
To my understanding, it might be
Hello all,
Just wondering, if one is already using selinux in enforcing mode, does
systemd hardening provide any additional benefit?
Daniel
On 16.01.18 12:21, Ludovic Gasc wrote:
> Hi,
>
> I have merged config files from Tony, Robert, and me.
> I have tried to be the most generic, the result
Hi,
I have forgotten to say that I have also removed "-u bind" option in
/etc/default/bind9, because it isn't necessary anymore: The named daemon is
started as bind user directly with this configuration.
I might have found 3 new interesting options:
Hi,
I have merged config files from Tony, Robert, and me.
I have tried to be the most generic, the result below.
It seems to work here without regression, except a warning:
managed-keys-zone: Unable to fetch DNSKEY set '.': operation canceled
But only at the first boot, I don't see the message
2018-01-16 11:58 GMT+01:00 Reindl Harald:
>
>
> On 16.01.2018 at 11:46, Tony Finch wrote:
>
>> Robert Edmonds wrote:
>>
>>>
>>> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE
>>> during the process runtime permits open-ended
On 16.01.2018 at 11:46, Tony Finch wrote:
Robert Edmonds wrote:
I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE
during the process runtime permits open-ended reloading of the config at
runtime (e.g., binding to a new IP address on port 53 without
Robert Edmonds wrote:
>
> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE
> during the process runtime permits open-ended reloading of the config at
> runtime (e.g., binding to a new IP address on port 53 without needing to
> restart the daemon).
BIND
2018-01-16 10:22 GMT+01:00 Reindl Harald:
>
>
> On 16.01.2018 at 10:20, Ludovic Gasc wrote:
>
>> 2018-01-15 19:11 GMT+01:00 Reindl Harald <h.rei...@thelounge.net>:
>>
>>
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>>
>>
>>
On 16.01.2018 at 10:20, Ludovic Gasc wrote:
2018-01-15 19:11 GMT+01:00 Reindl Harald:
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
FYI, you can use ProtectSystem=strict to have more strict rules for the
root
2018-01-15 19:11 GMT+01:00 Reindl Harald:
>
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr
>
FYI, you can use ProtectSystem=strict to have more strict rules for the
root filesystem:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=